Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability
Hello there!
I suspect there is a vulnerability in Avaya IP Office Phone Manager, both light
and professional edition. The vulnerability is based on the fact that IP Office
Phone Manager stores sensitive data such as username, password and PBX IP
address under a key within the Windows Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Avaya\IP400\Generic]
"UserName"="Joe Smith"
"Password"=""
"PBXAddress"="10.154.1.60"
The previous example shows how and where the sensitive data is stored in the
registry. I've had the opportunity to check this in several hosts of my
organization. In all these hosts the password always appears as blank password
("Password"=""). However, I do not know if this is due to the fact that those
employees were simply using blank passwords to access the PBX or because the IP
Office Phone Manager actually saves the password somewhere else.
The previous information could be accessed by an attacker with local access or
remote access (through the "Remote Registry" service) to the Windows registry
of a certain host. Administrative privileges would be required, at least if the
default configuration is used.
In case the attacker is successful at getting access to the previous Windows
registry key, he/she would be able to impersonate an employee simply by using
the IP Office Phone Manager software and logging to the PBX with the same
username and password. This means that the attacker could do things such as
check the victim's voicemails and make phonecalls within the organization under
the victim's name.
I have been researching in google and serveral vulnerability DBs to see if this
problem was already known but I couldn't find anything on it. This is why I
decided to post this vulnerability here in the hope that it is indeed new to
the public.
I have been able to check that the usernames and IP addresses found in this
registry key are actually real information, meaning that the IP address
actually matches the IP address of the PBX within the organization and that the
username matches the username used to access the PBX as well. So now I just
need someone to help me to find out if the passwords stored in this key are
indeed real or simply a "obsfucation technique".
Regards,
pagvac (Adrian Pastor)