
Bugtraq mailing list archives

Security-Assessment.com Advisory: BroadWorks Call Detail Record Disclosure Vulnerability
From: Nick Freeman <nick.freeman () security-assessment com>
Date: Tue, 2 Nov 2010 11:49:47 +1300


   (    , )     (,
  .   `.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _  \    ____  ____   _____  
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _='`"``=.

                presents..


Name             : BroadWorks Call Detail Record Disclosure Vulnerability
Vendor Website   : http://broadsoft.com/products/broadworks/
Date Released    : November 2, 2010
Affected Software: BroadWorks <= R16
Researcher       : Nick Freeman (nick.freeman () security-assessment com)


PDF:
http://security-assessment.com/files/advisories/BroadWorks_Call_Detail_Record_Disclosure_Vulnerability.pdf
TXT:
http://security-assessment.com/files/advisories/BroadWorks_Call_Detail_Record_Disclosure_Vulnerability.txt


+-----------+
|Description|
+-----------+

Security-Assessment.com discovered an issue regarding privilege
separation between different enterprise groups within BroadWorks.
This issue allows a user with Attendant Console privileges to
view and record live call detail records for any user of the
system, including users from other organisations.


+------------+
|Exploitation|
+------------+


Eavesdropping of call detail records requires knowledge of the target
user’s BroadWorks username, e.g. 098765432 () serviceprovider com.

BroadWorks uses Client Application Protocol (CAP) XML messages to
communicate between client applications and the BroadWorks platform. One
of the messages, monitoringUsersRequest, is transmitted by the Attendant
Console to BroadWorks during the logon procedure. This command includes
a list of usernames that the Attendant Console can monitor for incoming
and outgoing calls. A malicious user can replay this message with
usernames from other enterprises, and once this operation has completed,
all incoming and outgoing calls for the target user(s) will be visible to
the Attendant.


A basic proxy is available at
http://www.security-assessment.com/files/advisories/bwe.py which can
intercept and modify the XML stream, allowing the injection of
monitoringUsersRequest packets.
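
The missing control described above is a server-side check that every username in a monitoringUsersRequest belongs to the same enterprise as the authenticated Attendant. The sketch below is an added example, not code from the advisory or from BroadSoft: only the message name comes from the advisory, while the XML element layout, the directory mapping and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed directory: username -> enterprise. A real deployment would
# query the platform's own user store (hypothetical data, not from the advisory).
DIRECTORY = {
    "attendant@serviceprovider.com": "enterprise-a",
    "012345678@serviceprovider.com": "enterprise-a",
    "098765432@serviceprovider.com": "enterprise-b",
}

# Constructed message. Only the name monitoringUsersRequest comes from the
# advisory; the element layout is assumed for illustration.
SAMPLE = """<command commandType="monitoringUsersRequest">
  <monitoring>
    <user id=" 012345678@ServiceProvider.com "/>
    <user id="098765432@serviceprovider.com"/>
    <user id="unknown@serviceprovider.com"/>
  </monitoring>
</command>"""


def normalise(username):
    """Compare usernames case-insensitively and without stray whitespace."""
    return username.strip().lower()


def check_monitoring_request(session_user, xml_text, directory=DIRECTORY):
    """Split requested usernames into (allowed, denied) for this session.

    A username is allowed only if it belongs to the same enterprise as the
    authenticated session user; unknown usernames are denied (fail closed).
    """
    enterprise = directory.get(normalise(session_user))
    root = ET.fromstring(xml_text)
    if root.get("commandType") != "monitoringUsersRequest":
        raise ValueError("not a monitoringUsersRequest")
    allowed, denied = [], []
    for el in root.iter("user"):
        name = normalise(el.get("id", ""))
        same = enterprise is not None and directory.get(name) == enterprise
        (allowed if same else denied).append(name)
    return allowed, denied


if __name__ == "__main__":
    ok, bad = check_monitoring_request("attendant@serviceprovider.com", SAMPLE)
    print("allowed:", ok)
    print("denied (reject request and log):", bad)
```

A non-empty denied list is also a useful detection signal: a legitimate Attendant Console should only ever send usernames from its own enterprise.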


+--------+
|Solution|
+--------+

A patch is available from Broadsoft for this vulnerability.


+------+
|Credit|
+------+

Discovered and advised to Broadworks June 2010 by Nick Freeman of
Security-Assessment.com.


+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a New Zealand based world leader in web
application testing, network security and penetration testing.
Security-Assessment.com services organisations across New Zealand,
Australia, Asia Pacific, the United States and the United Kingdom.
