Complete take-over of Cisco Unified Communications Manager due to consecutive misconfigurations

hackthebox
Published in InfoSec Write-ups, Sep 24, 2022

Hi there, this roadmap is written to show that by exploiting misconfigurations in devices an individual can gain complete take-over of a management control system. In this article we cover Cisco VOIP phones and Unified CM.

Product Overview: Cisco Unified Communications Manager (CallManager)

During the internal recon stage, after identifying the ranges on the internal network and enumerating all live hosts, a good start is to look for web apps on ports 80 and 443. By grepping the results of the http-title nmap NSE script I was able to identify all VOIP phone devices that were exposed to the internal network.

The exposed web interfaces of Cisco VOIP phones look like the following:

Some of the models were prone to publicly disclosed vulnerabilities with known exploits, but all of them were patched.

After spending a lot of time reading the documentation of all the devices I could reach, I figured out that if the VOIP phone configuration was left at its default values and was not hardened, it might leak some interesting information.

For example, just by entering the web portal I was able to read the phone logs; inside those logs I found phone calls with debug information, which allowed me to add more targets to the list by parsing the logs. I was also able to download the entire phone configuration file from the device, as well as the unencrypted configuration file of Cisco UCM.

Focusing on reading a lot of documentation when performing a security audit (and I encourage you to do the same, because it makes life easier), I found the following article from the manufacturer:

Two Ways to Obtain a Phone’s Configuration File from CUCM.

Now the question is, where do we get the IP of the call manager?

Inside the exposed web panels of the VOIP phones many IP addresses were disclosed. I scraped all addresses from all devices in the target list and scanned those IPs for an open port 6970, as the documentation says.

After a few tests I confirmed that I had found the API endpoint address that provides the configuration files. Inside those files we can obtain SSH and LDAP credentials.

I built a script to get a nice terminal print of the gold data described above.

  1. Spider all web VOIP Phone portals.
  2. Extract MAC Address.
  3. Craft the links to get configuration file.
  4. Download and parse the configuration files.
  5. Print important data in a nice way.

Just run python3 ciscophonecfg.py -iL voip-phone-addr.txt

The script reads the target VOIP phones from the file (one phone per line), does a little scraping on the exposed portals, and then builds the links based on the information detailed above. It extracts the critical data from each config file and shows a summary of each device.

The output of the code I developed prints information such as the full name of the phone's owner, the SSH credentials, and a "key file". The last parameter is very interesting, because it is the same link on all devices: it is the configuration manager file.

That key file contains the LDAP credentials of the Cisco UCM and other very interesting information. According to the official documentation this file can be encrypted from the Cisco UCM configuration, but due to misconfiguration that option was not enabled, which allowed us to read the file in cleartext. The syntax to obtain that configuration file is:

http://ip_callmanager:6970/@serviceProfileFile_value

Where @serviceProfileFile_value is a filename like SPd95f326b-655f-2a44-d529-78e891d75b26.cnf.xml
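The five-step procedure above and the key-file path, as an added Python example that is not the author's ciscophonecfg.py: it pulls a MAC address out of a constructed page fragment, builds the per-phone and key-file paths the article describes, parses a constructed phone configuration, and reports which credential fields are readable in cleartext, treating a body that is not well-formed XML as not cleartext. It works offline on files you have already retrieved, so it doubles as an audit check for your own CUCM. The SEP<MAC>.cnf.xml naming and the element names in the sample (sshUserId, sshPassword, serviceProfileFile, fullName) are assumptions for illustration; every value is made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment of a phone status page showing its MAC address.
SAMPLE_PHONE_PAGE = "<tr><td>MAC Address</td><td>00:11:22:AA:BB:CC</td></tr>"

# Constructed phone configuration in the shape of SEP<MAC>.cnf.xml.
# Element names are assumptions for illustration; every value is made up.
SAMPLE_PHONE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <deviceProtocol>SIP</deviceProtocol>
  <sshAccess>1</sshAccess>
  <sshUserId>phoneadmin</sshUserId>
  <sshPassword>Example-Pass-123</sshPassword>
  <serviceProfileFile>SP00000000-0000-0000-0000-000000000000.cnf.xml</serviceProfileFile>
  <userInfo><fullName>Example User</fullName></userInfo>
</device>
"""

# Tags treated as credential carriers when present with a non-empty value (assumed names).
CRED_TAGS = {"sshUserId", "sshPassword", "ldapUser", "ldapPassword"}

# Colon- or dash-separated pairs, or 12 bare hex digits.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}|[0-9A-Fa-f]{12})\b")


def extract_mac(html):
    """Return the first MAC address in a page as 12 uppercase hex digits, or None."""
    m = MAC_RE.search(html)
    if not m:
        return None
    return re.sub(r"[:-]", "", m.group(1)).upper()


def phone_config_url(callmanager_ip, mac):
    """Per-phone file on the CUCM HTTP service (port 6970, as on the page).
    The SEP<MAC>.cnf.xml naming is an assumption."""
    return f"http://{callmanager_ip}:6970/SEP{mac}.cnf.xml"


def service_profile_url(callmanager_ip, service_profile_file):
    """The key-file path from the page: http://ip_callmanager:6970/@serviceProfileFile_value"""
    return f"http://{callmanager_ip}:6970/{service_profile_file}"


def parse_config(body):
    """Parse a config file body. Returns None when it is not well-formed XML,
    which is how an encrypted (non-cleartext) file shows up to this check."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    creds = {}
    for elem in root.iter():
        if elem.tag in CRED_TAGS and elem.text and elem.text.strip():
            creds[elem.tag] = elem.text.strip()
    return {
        "owner": root.findtext(".//fullName"),
        "credentials": creds,
        "service_profile_file": root.findtext(".//serviceProfileFile"),
    }


def audit(body):
    """Findings for one config body as a list of strings; empty when nothing is exposed."""
    parsed = parse_config(body)
    if parsed is None:
        return []  # not cleartext XML: nothing readable to flag
    findings = []
    if parsed["credentials"]:
        findings.append("cleartext credential fields: " + ", ".join(sorted(parsed["credentials"])))
    if parsed["service_profile_file"]:
        findings.append("references shared profile " + parsed["service_profile_file"]
                        + "; confirm CUCM serves it encrypted")
    return findings


if __name__ == "__main__":
    mac = extract_mac(SAMPLE_PHONE_PAGE)
    print("phone config file:", phone_config_url("192.0.2.10", mac))
    for finding in audit(SAMPLE_PHONE_CFG):
        print("FINDING:", finding)
```

Feed audit() the body of each retrieved file: a phone file with readable credential tags, or a shared profile that parses at all, is a finding, and the fix is on the CUCM side (enable encrypted configuration files and restrict the web access and SSH settings pushed to the phones) rather than on the phones one by one.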

At this point we have the SSH and LDAP credentials used by the Cisco phones and the management system. Just in case, I tried to log in to the Cisco Unified Communications Manager portal with the scraped information, and to my fortune I was able to log in as administrator due to reused credentials:

Other actions were made possible by these misconfigurations, like dumping the entire telephone directory with a custom script developed on the go:

Reusing the SSH credentials on other hosts:

And read-write access to a Samba share with the LDAP credentials of Cisco UCM extracted from the unencrypted key file:
