Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25075
HistoryNov 04, 2010 - 12:00 a.m.

Security-Assessment.com Advisory: BroadWorks Call Detail Record Disclosure Vulnerability

2010-11-0400:00:00
vulners.com
63
JSON

( , ) (,
. `.' ) ('. ',
). , ('. ( ) (
(,) .`), ) _ ,
/ _/ / _ \ ____ ____ _____
\ \==/ /\ \ / \/ _ \ / \
/ \/ | \\ \( <> ) Y Y \
/____ /\| / \__ >___/|__|| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_='`"``=.

            presents..

Name : BroadWorks Call Detail Record Disclosure Vulnerability
Vendor Website : http://broadsoft.com/products/broadworks/
Date Released : November 2, 2010
Affected Software: BroadWorks <= R16
Researcher : Nick Freeman ([email protected])

PDF:
http://security-assessment.com/files/advisories/BroadWorks_Call_Detail_Record_Disclosure_Vulnerability.pdf
TXT:
http://security-assessment.com/files/advisories/BroadWorks_Call_Detail_Record_Disclosure_Vulnerability.txt

±----------+
|Description|
±----------+

Security-Assessment.com discovered an issue regarding privilege
separation between different enterprise groups within BroadWorks.
This issue allows a user with Attendant Console privileges to
view and record live call detail records for any user of the
system, including users from other organisations.

±-----------+
|Exploitation|
±-----------+

Eavesdropping of call detail records requires knowledge of the target
user’s BroadWorks username, e.g. [email protected].
BroadWorks uses Client Application Protocol (CAP) XML messages to
communicate between client applications and the BroadWorks platform. One
of the messages, monitoringUsersRequest, is transmitted by the Attendant
Console to BroadWorks during the logon procedure. This command includes
a list of usernames that the Attendant Console can monitor for incoming
and outgoing calls. A malicious user can replay this message with
usernames from other enterprises, and once this operation has completed,
all incoming and outgoing calls for the target user(s) will be visible to
the Attendant.

A basic proxy is available at
http://www.security-assessment.com/files/advisories/bwe.py which can
intercept and modify the XML stream, allowing the injection of
monitoringUsersRequest packets.

±-------+
|Solution|
±-------+

A patch is available from Broadsoft for this vulnerability.

±-----+
|Credit|
±-----+

Discovered and advised to Broadworks June 2010 by Nick Freeman of
Security-Assessment.com.

±----------------------------+
|About Security-Assessment.com|
±----------------------------+

Security-Assessment.com is a New Zealand based world leader in web
application testing,
network security and penetration testing. Security-Assessment.com
services organisations
across New Zealand, Australia, Asia Pacific, the United States and the
United Kingdom.

JSON