NEC Univerge SV9100/SV8100 WebPro 10.0 Remote Configuration Download
Title: NEC Univerge SV9100/SV8100 WebPro 10.0 Remote Configuration Download
Advisory ID: ZSL-2018-5448
Type: Local/Remote
Impact: Exposure of System Information, Privilege Escalation, Exposure of Sensitive Information, DoS, Security Bypass
Risk: (4/5)
Release Date: 22.01.2018
DSP Firmware Version: 12.11.00.02
NEC-i SV8100-NA 08.00/2.1
NEC SV9100-GE 07.00.52/2.1
[27.12.2017] Vendor contacted.
[21.01.2018] No response from the vendor.
[22.01.2018] Public security advisory released.
[2] https://cxsecurity.com/issue/WLB-2018010234
[3] https://packetstormsecurity.com/files/146021
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/138174
[27.01.2018] - Added reference [1], [2], [3] and [4]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2018-5448
Type: Local/Remote
Impact: Exposure of System Information, Privilege Escalation, Exposure of Sensitive Information, DoS, Security Bypass
Risk: (4/5)
Release Date: 22.01.2018
Summary
NEC's UNIVERGE® SV9100 is the unified communications (UC) solution of choice for small and medium businesses (SMBs) who don't want to be left behind. Designed to fit your unique needs, the UNIVERGE SV9100 platform is a powerful communications solution that provides SMBs with the efficient, easy-to-deploy, mobile technology that they require.Description
The gzipped telephone system configuration file 'config.gz' or 'config.pcpx' that contains the unencrypted data file 'conf.pcpn', can be downloaded by an attacker from the root directory if previously generated by a privileged user. Attacker can also sniff the network and hijack the session id which resides in a GET request to further generate the config file. The sessionid can also be brute-forced because of its predictability containing 5-digit number. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation, system access and denial of service via config modification.Vendor
NEC Corporation - http://www.nec.comAffected Version
WebPro <=10.00DSP Firmware Version: 12.11.00.02
Tested On
Henry/1.1NEC-i SV8100-NA 08.00/2.1
NEC SV9100-GE 07.00.52/2.1
Vendor Status
[11.12.2017] Vulnerability discovered.[27.12.2017] Vendor contacted.
[21.01.2018] No response from the vendor.
[22.01.2018] Public security advisory released.
PoC
nec_config.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.exploit-db.com/exploits/43858/[2] https://cxsecurity.com/issue/WLB-2018010234
[3] https://packetstormsecurity.com/files/146021
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/138174
Changelog
[22.01.2018] - Initial release[27.01.2018] - Added reference [1], [2], [3] and [4]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk