3COM NBX V3000 Networked Telephony Solution Information Disclosure

[Russell Butturini <tcstool () gmail com>]

*Known Affected Versions: *R5_0_31 (Created March 1st, 2007)
*Date Discovered: *November 13, 2012

Obviously not anything new to get sensitive data out via the VxWorks remote
debugger, but this seemed to warrant specific attention since it did allow
for the disclosure of call logs and full access to all voice mails stored
on the system.  Vendor has stopped responding.  There was some data around
this system and the phones themselves for extracting configuration data
released a while back but I have not found anything specific around the PBX
switch out there.

*Synopsis: *The 3Com NBX V3000 phone system firmware was found to have the
VxWorks remote debug service documented at
http://www.kb.cert.org/vuls/id/362332 enabled.  This allows for remotely
extracting the contents of device memory over the network.  When parsing
the contents of memory, it was discovered that the call logs for the system
as well as URLs which linked to WAV files containing voice mails that were
accessible with no authentication were stored within the extracted
content.

*Reported to Vendor: *December 23rd, 2012
*Vendor Acknowledgement: *December 24th, 2012
*Last Vendor Response: *January 16th, 2013 (No Resolution)

Vulnerability Reproduction:

1.  Use the Metasploit VxWorks WDB Agent module (*
auxiliary/admin/vxworks/wdbrpc_memory_dump)* to extract the contents of
memory targeted at the IP of the PBX.

2.  Extract the strings from the dump file generated by Metasploit and grep
for HTTP links containing port 8889 to obtain voice mail URLs, also grep
for names/numbers etc. for sensitive data.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/