OmniPCX Enterprise Audio Rerouting Information Disclosure and Denial of Service Vulnerability

Vulnerability ID: 1188405
Vulnerability type: Access validation error
Published: 2007-11-19
Updated: 2007-11-20
CVE ID: CVE-2007-5361
CNNVD-ID: CNNVD-200711-291
Platform: N/A
CVSS score: 8.5
|Vulnerability source
https://www.securityfocus.com/bid/26494
https://cxsecurity.com/issue/WLB-2007110060
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200711-291
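|Vulnerability details
OmniPCX Enterprise is an enterprise-class integrated communications solution. OmniPCX Enterprise has a vulnerability in the way it handles malformed TFTP requests, which a remote attacker may exploit to make the device malfunction. At boot time, the IP Touch phones of an OmniPCX Enterprise server use the TFTP protocol to download deployment-related configuration information. If a malicious user can send the server a malicious TFTP request whose file name contains the MAC address of the victim's VoIP phone, the audio stream of a call can be rerouted to the IP address of the malicious user's own computer. The VoIP phone can then still place or answer calls, but it cannot hear anything from the other end of the communication, and it must be rebooted manually to resume normal operation. In addition, rerouting the audio stream to the attacker's VoIP phone may allow eavesdropping on audio communications.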
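A detection sketch for the behaviour described above, added here as an example and not taken from the advisory or the vendor: it parses TFTP read requests (RFC 1350) seen at the signaling server and flags any request whose file name carries a known phone's MAC address but arrives from an IP address other than that phone's. The inventory, the sample addresses, the `phone-<mac>.cfg` file name layout and the function names are all assumptions made for illustration.

```python
import re
import struct

# Constructed inventory (assumption): phone MAC -> IP address it boots from,
# e.g. exported from DHCP reservations for the voice VLAN.
PHONE_INVENTORY = {
    "02aabbccdd01": "10.0.20.15",
    "02aabbccdd02": "10.0.20.16",
}

# 12 hex digits, optionally separated by ':', '-' or '.', not inside a longer hex run.
MAC_RE = re.compile(r"(?i)(?<![0-9a-f])(?:[0-9a-f]{2}[:.-]?){5}[0-9a-f]{2}(?![0-9a-f])")


def parse_rrq(payload: bytes):
    """Return (filename, mode) for a TFTP read request (RFC 1350, opcode 1), else None."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != 1:
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None  # missing NUL terminators or empty filename/mode
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def check_request(src_ip: str, payload: bytes) -> str:
    """Classify one UDP/69 datagram received by the signaling server."""
    rrq = parse_rrq(payload)
    if rrq is None:
        return "ignored"            # not a well-formed read request
    match = MAC_RE.search(rrq[0])
    if match is None:
        return "no-mac"             # file name does not name a phone
    mac = re.sub(r"[^0-9a-f]", "", match.group(0).lower())
    expected_ip = PHONE_INVENTORY.get(mac)
    if expected_ip is None:
        return "unknown-phone"      # MAC not in inventory: review separately
    return "ok" if expected_ip == src_ip else "mismatch"


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a constructed RRQ datagram for the sample events below."""
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


if __name__ == "__main__":
    # Constructed events; the file name layout is hypothetical.
    for ip, name in [("10.0.20.15", "phone-02aabbccdd01.cfg"),
                     ("10.0.99.7", "phone-02aabbccdd01.cfg")]:
        print(ip, name, check_request(ip, build_rrq(name)))
```

UDP source addresses can be forged, so a `mismatch` result is a lead to investigate rather than proof, and a clean log does not rule the issue out on releases the advisory lists as vulnerable.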
|Vulnerability EXP
#################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#################################################
#
# Product: OmniPCX Enterprise
# Vendor:  Alcatel
# Subject: VoIP Phone Audio Stream Rerouting Vulnerability
# Risk:    High
# Effect:  Currently exploitable
# Author:  Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch)
# Date:    November, 19th 2007
#
#################################################

Introduction:
-------------
If a malicious user sends a TFTP request to the
signaling server with the MAC address of the
victim's VoIP phone as part of the file name, he
is able to reroute only the audio stream coming
from the other end of the call to his computer's IP
address.

Even though an Alcatel VoIP phone can make or take
calls, and send audio, it is prevented from hearing
anything said at the other end of the
communication. The VoIP phone needs to be rebooted
manually in order to work again.

This vulnerability may be further exploited by
rerouting the audio stream to the victim's VoIP
phone again. This would only allow the malicious
user to eavesdrop on half of the victim's audio
communication: what the victim says is not
intercepted, only the answers made by the other
party would be overheard. Note, this scenario has
not been verified.

Vulnerable:
-----------
Alcatel OmniPCX Enterprise release 7.1 and earlier

Not vulnerable:
---------------
Alcatel OmniPCX Enterprise release 8.0

Vulnerability Management:
-------------------------
June 2007:     Vulnerability found
June 2007:     Alcatel Security notified
November 2007: Alcatel Advisory available
November 2007: Alcatel Security Information

Alcatel-Lucent information:
---------------------------
http://www1.alcatel-lucent.com/psirt/statements.htm
Number 2007004

Reference:
http://www.csnc.ch/static/advisory/secadvisorylist.html
|Affected products
Alcatel-Lucent OmniPCX Enterprise 7.1
Alcatel-Lucent OmniPCX Enterprise 7
Alcatel-Lucent OmniPCX Enterprise 6.2
Alcatel-Lucent OmniPCX Enterprise 6.1
Alcatel-Lucent OmniPCX Enterprise 6.
|References

Source: www1.alcatel-lucent.com
Link: http://www1.alcatel-lucent.com/psirt/statements/2007004/IPTouchDOS.pdf
Source: BID
Name: 26494
Link: http://www.securityfocus.com/bid/26494
Source: BUGTRAQ
Name: 20071119 Alcatel OmniPCX Enterprise VoIP Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/483925/100/0/threaded
Source: MISC
Link: http://www.csnc.ch/static/advisory/csnc/alcatel_omnipcx_enterprise_audio_rerouting_vulnerability_v1.0.txt
Source: OSVDB
Name: 40522
Link: http://osvdb.org/40522
Source: XF
Name: omnipcx-tftp-dos(38560)
Link: http://xforce.iss.net/xforce/xfdb/38560
Source: SECTRACK
Name: 1018983
Link: http://www.securitytracker.com/id?1018983
Source: VUPEN
Name: ADV-2007-3919
Link: http://www.frsirt.com/english/advisories/2007/3919
Source: SREASON
Name: 3387
Link: http://securityreason.com/securityalert/3387
Source: SECUNIA
Name: 27710
Link: http://secunia.com/advisories/27710