SEC Consult Vulnerability Lab Security Advisory < 20140528-0 >
=======================================================================
title: Root Backdoor & Unauthenticated access to voice recordings
product: NICE Recording eXpress voice recording solution
(formerly called Cybertech eXpress, Cybertech Myracle
maybe affected too)
vulnerable version: 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.5.x
fixed version: see section "Solution" and "Timeline" below
impact: critical
homepage: www.nice.com
found: 2013-11-13
by: Johannes Greil, Stefan Viehböck
SEC Consult Vulnerability Lab
=======================================================================
Vendor & product description:
=============================
"NICE Systems (NASDAQ: NICE), is the worldwide leader of intent-based solutions
that capture and analyze interactions and transactions, realize intent, and
extract and leverage insights to deliver impact in real time."
source: www.nice.com/company-overview
"NICE provides Law Enforcement Agencies (LEAs) with mission-critical lawful
interception (LI) solutions to support the fight against organized crime, drug
trafficking and terrorist activities. NICE helps LEAs stay up-to-date with
fast-paced technology developments. The solutions retrieve target location,
relations and conversation content from any type of communication including
fax, fixed and mobile telephony, and Internet applications, resulting in a
multi-dimensional investigative picture. NICE solutions support the entire
lawful interception cycle, from warrant initiation to court evidence
presentation."
source: www.nice.com/lea
"NICE Recording eXpress is designed specifically for the audio recording needs
of the small and medium sized Public Safety organisation. This advanced
recording solution offers a comprehensive, advanced, easy-to-install and
affordable platform built for the Public Safety environment and Command and
Control operations delivering optimal recording functionality and quality
management."
Source:
www.nice.com/sites/default/files/nicerecordingexpress050112.pdf.pdf.pdf
Business recommendation:
========================
Attackers are able to completely compromise the voice recording / surveillance
solution as they can gain access to the system and database level and listen to
recorded calls without prior authentication.
Furthermore, attackers would be able to use the voice recording server as a
jumphost for further attacks of the internal voice VLAN, depending on the
network setup.
It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.
It is assumed that further critical vulnerabilities exist.
Vulnerability overview/description:
===================================
Summary:
1) root backdoor account
(REC-5180 SR1093984 - subtask REC-5424)
2) Unauthenticated access to sensitive files & voice recordings
(REC-5179 SR1089608 - subtask REC-5417)
3) Low-privileged users can access other voice recordings & Insufficient
authorization
(REC-5179 SR1089608 - subtask REC-5418)
4) Unauthenticated access to functionality
(REC-5179 SR1089608 - subtask REC-5419)
5) Insufficient authorization of admin functions
(REC-5179 SR1089608 - subtask REC-5420)
6) Multiple cross site scripting issues
(REC-5181 SR1093986 - subtask REC-5421)
7) Multiple unauthenticated SQL injection issues
(REC-5180 SR1093984 - subtask REC-5423)
8) Insecure cookie handling
(REC-5181 SR1093986 - subtask REC-5422)
9) Violation of least principle - services run as SYSTEM
(not included in subtask)
The strings in parenthesis of the vulnerability title are the official bug
tracking number of NICE which is also referenced in their release notes.
1) root backdoor account (REC-5180 SR1093984 - subtask REC-5424)
--------------------------------------------------------------------------
The MySQL database table "usr" contains a "root" user with USRKEY / user id 1
with administrative access rights. This user account does NOT show up within
the "user administration" menu when logged in as administrator user account in
the web interface. Hence the password can't be changed there.
As a side note: Password hashes are shown in the user administration menu for
each user within HTML source code.
2) Unauthenticated access to sensitive files & voice recordings (REC-5179
SR1089608 - subtask REC-5417)
--------------------------------------------------------------------------
For example, unauthenticated attackers are able to gain access to exported
lists of user accounts that are being monitored/recorded. Attackers gain
access to detailed information such as personal data like first/last name,
email address and username/extension.
Furthermore it is possible to gain _unauthenticated_ access to recorded voice
calls of other users. Those calls will be stored in a temporary directory, if
they have been accessed by a user via integrated media player in the web
interface.
3) Low-privileged users can access other voice recordings & Insufficient
authorization (REC-5179 SR1089608 - subtask REC-5418)
--------------------------------------------------------------------------
Low-privileged / standard user accounts can not only access their own voice
recordings within the web interface but also other users' calls simply by
iterating an ID of the integrated media player HTTP requests.
4) Unauthenticated access to functionality (REC-5179 SR1089608 - subtask
REC-5419)
--------------------------------------------------------------------------
There exist multiple ASP script files that can be accessed without
authentication. Attackers are e.g. able to gain access to parts of the
configuration and even call internal methods that may delete or update data.
5) Insufficient authorization of admin functions (REC-5179 SR1089608 - subtask
REC-5420)
--------------------------------------------------------------------------
Certain ASP script files allow low-privileged user accounts access to
administrative functions or functions where usually higher privileges are
necessary.
6) Multiple cross site scripting issues (REC-5181 SR1093986 - subtask REC-5421)
--------------------------------------------------------------------------
NICE eXpress suffers from multiple cross-site scripting (reflected and
permanent) vulnerabilities, which allow an attacker to steal other users'
sessions, to impersonate other users and to gain unauthorized access to the
web interface and audio recordings.
7) Multiple unauthenticated SQL injection issues (REC-5180 SR1093984 - subtask
REC-5423)
--------------------------------------------------------------------------
The web application suffers from multiple SQL injection vulnerabilities that
can be exploited without prior authentication!
By exploiting this vulnerability, an attacker gains access to all records
stored in the database with the privileges of the database user "recorder".
As MySQL runs with highest OS-level access rights and the database user has FILE
permission, it is possible to write files to the file system. This enables
further attacks leading to OS-level compromise.
Attackers are able to alter database contents and therefore potentially also
alter checksums of recordings. Hence stored audio recordings could be replaced
by altered ones!
8) Insecure cookie handling (REC-5181 SR1093986 - subtask REC-5422)
--------------------------------------------------------------------------
"HttpOnly cookie" is an extension of the cookie standard from Microsoft to
avoid cookie stealing attacks. It prevents JavaScript from accessing cookies.
For this reason user credentials cannot be stolen directly using XSS
vulnerabilities, although other XSS attacks are still possible.
9) Violation of least principle - services run as SYSTEM (not included in
subtask)
--------------------------------------------------------------------------
The system is not conform to the least privilege principle. An attacker could
misuse services running with highest access rights "SYSTEM" on the Windows
operating system and potentially escalate his rights on several components.
Proof of concept:
=================
1) root backdoor account
--------------------------------------------------------------------------
The password hash (salted - also see flaw #7) of the root user is:
c00e6f05562f338a07eeac9a8ad1b7881d4a990b0b3ee2cf439ac0f55a818d2e
The user does not show up within the admin web interface even when logged in
as an administrator.
2) Unauthenticated access to sensitive files & voice recordings
--------------------------------------------------------------------------
The following URL shows a list of all accounts that are being monitored by
NICE Recording eXpress and can be accessed by anyone without prior
authentication. The list will be copied to the [removed] directory when a user
with appropriate rights exports the user list within the web interface.
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched
Furthermore, recorded calls made by other users will be stored in certain
subdirectories of the [removed] directory. Those wave files will e.g. be copied to
the directory, as soon as users listen to their recordings through the web
interface, as the integrated media player will access those wave files via this
URL.
Attackers are able to access those calls without prior authentication!
3) Low-privileged users can access other voice recordings
--------------------------------------------------------------------------
If a user clicks on a recorded call (of his own) within the web application,
the integrated media player will open it. One of following HTTP request will
be sent that contains the parameter [removed]. The XML response will include the
file location / path to the recorded wave file and the info if the user has
appropriate access rights.
The values of the [removed] parameter can easily be enumerated and the file
location of other recordings will be shown. Those files can be accessed
without authentication afterwards and without having to guess the file path
location as this path is being provided.
Request of own call recording:
------------------------------
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched
The XML elements [removed] and [removed] are interesting for the attacker.
If an attacker enumerates the [removed] parameter he will receive those XML
responses including file location/path of other users' voice recordings. The
[removed] XML attribute value may change to [removed] with the additional error
message "You're not authorized to play back this call" (element:
[removed]). But this XML response is only validated by the media player
and the attacker can still listen to the call via the [removed] path directly.
The [removed] XML element shows the path of the recording in the temp directory
under [removed] which can then be accessed without authentication!
It is assumed that further flaws exist within the media player functionality,
but it has not been tested further during this short crash test.
4) Unauthenticated access to functionality
--------------------------------------------------------------------------
As an example, the following URL can be called without authentication:
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched
There exist many further scripts that can be accessed!
5) Insufficient authorization of admin functions
--------------------------------------------------------------------------
As an example, the following URLs can be accessed:
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched
There exist many further scripts that can be accessed!
6) Multiple cross site scripting issues
--------------------------------------------------------------------------
The following URLs are examples for reflected XSS (list is not complete):
http:// $host/_ifr/iframe.picker.statchannels.asp?frame=%27%29};alert%280%29;{%28%27
http:// $host/_ifr/iframe.picker.channelgroups.asp?frame=%27%29};alert%280%29;{%28%27
http:// $host/_ifr/iframe.picker.extensions.asp?frame=%27%29};alert%280%29;{%28%27
http:// $host/_ifr/iframe.picker.licenseusergroups.asp?frame=%27%29};alert%280%29;{%28%27
http:// $host/_ifr/iframe.picker.licenseusers.asp?frame=%27%29};alert%280%29;{%28%27
http:// $host/_ifr/iframe.picker.lookup.asp?frame=%27%29};alert%280%29;{%28%27
http:// $host/_ifr/iframe.picker.marks.asp?frame=%27%29};alert%280%29;{%28%27
Permanent XSS:
http:// $host/myaccount/mysettings.edit.validate.asp
Parameter: USRLNM
It is assumed that many further scripts are vulnerable to XSS!
7) Multiple unauthenticated SQL injection issues
--------------------------------------------------------------------------
The following sample request (no authentication needed!) will write the
textfile "secconsult.txt" in the webroot including user account information
such as password hashes.
As a side note: All password hashes are hashed using SHA256 with a hard-coded
salt value within a pre-compiled and shipped DLL of the web application.
The following python script demonstrates the algorithm:
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched
Further affected scripts (list not complete):
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched
MySQL runs with highest SYSTEM access rights hence attackers have access to
the file system, also see vulnerability 9).
It is assumed that further SQL injection vulnerabilities exist!
8) Insecure cookie handling
--------------------------------------------------------------------------
The web application only sets the "secure" cookie flag, but not "HttpOnly".
9) Violation of least principle - services run as SYSTEM
--------------------------------------------------------------------------
Nearly all CyberTech (NICE) services including MySQL run as local SYSTEM with
highest privileges, such as [removed] and many more. SEC Consult did not analyse
those services, some of them have network listeners and successful attacks may
lead to system compromise.
Vulnerable / tested versions:
=============================
The vulnerabilities have been verified to exist in NICE Recording eXpress
version 6.3.5.
According to the release notes published by the vendor all previous releases
are affected too.
Vendor contact timeline:
========================
2013-12-13: Contacted vendor through support@nice.com and given direct contact
(Tier 2 Customer Support Team Lead NICE EMEA),
including support ticket of customer, requesting encryption keys,
attaching responsible disclosure policy
2013-12-18: Reply from vendor, no encryption keys
2013-12-18: Sending unencrypted security advisory to NICE & responsible
disclosure policy again
2014-01-08: Asking for status update
2014-01-09: Receiving estimated patch dates for identified issues:
* REC-5179 SR1089608: will be fixed by release CT6.5.6 31 Mar 2014
* REC-5180 SR1093984: will be fixed by release CT6.5.6 31 Mar 2014
* REC-5181 SR1093986: will be fixed by release CT6.5.5 28 Feb 2014
2014-01-16: Receiving more detailed information regarding patch / release
versions including subtask tracking numbers
2014-02-05: Vendor gives status update, everything according to plan: "dates
are valid"
2014-02-25: Updates regarding advisory release date / coordination
2014-03-05: Asking how customers are informed about the patches
2014-03-07: Releases are provided in SDC portal & release notes
2014-03-07: Asking about affected product names & versions ("NICE Recording
eXpress" vs. "Cybertech eXpress" vs. "Cybertech Myracle")
2014-03-07: Patch (6.5 PL5) released by vendor that fixes XSS (REC-5181 -
REC-5421 SR-1093986) and insecure cookie handling (REC-5181 -
REC-5422 SR-1093986)
2014-04-03: Patch (6.5 PL6) released by vendor that fixes REC-5180 - REC-5424
SR-1093984 (root backdoor)
No mention of fix for SQL injection subtask REC-5423
Delay for REC-5179 - will be fixed in next release
2014-04-08: Vendor: "The last fix is planned for the end of April 2014"
2014-04-30: Asking for status update, asking again about product names
2014-05-02: Vendor: "NICE bought various providers and [...] various names for
the product", "Myracle is an older version", "NICE advises clients
to upgrade their system no matter what"
2014-05-07: Vendor information from development team:
* REC-5180 SR1093984: "We couldn't make it last month. Need to
schedule it in another patch level" (REC-5423)
* REC-5179 SR1089608: "We worked on this item last month and it's
partially fixed":
- Patch NTR 6.5 PL7 solves part of subtask REC-5419
(unauthenticated access to functionality)
SEC Consult could not confirm whether REC-5419 was fixed,
because release notes of PL7 do not contain any info on this
- Subtask REC-5420: not fixed, need to reschedule (Insufficient
authorization of admin functions)
- Subtask REC-5417: not fixed, removing insecure functionality
breaks backwards compatibility with other products,
"We need to reconsider how to approach this big change in a
structural way"
2014-05-14: Setting deadline for advisory release 2014-05-28
2014-05-23: Asking vendor for confirmation regarding unresolved issues
2014-05-23: Warning local CERT (Austria & Germany) about upcoming release
2014-05-27: Asking vendor again for confirmation of patched/unpatched flaws
2014-05-27: Vendor contact reached out to R&D team, "According to the system
the fix is to be released end of August this year, more info to
follow once confirmed from R&D"
Receiving new contact person from NICE
2014-05-27: Telling vendor again about the release on 28th May, asking for
patch confirmation
2014-05-28: (no answer) SEC Consult releases security advisory
Solution:
=========
Partial patches are available in the NICE Software Download Center according
to the vendor:
* Product Updates > NICE Recording (CyberTech) > Core Software NICE Recording
> Recording R6
SEC Consult urges all users of NICE Recording eXpress (or Cybertech eXpress)
to upgrade to the latest version available immediately.
As of 2014-05-28, the latest patch release is NTR 6.5 PL7.
At least the following critical issues are _still unresolved_ and not patched or
have not been confirmed by NICE to be patched:
* REC-5417: Unauthenticated access to sensitive files & voice recordings
* REC-5418: Low-privileged users can access other voice recordings & Insufficient
authorization
* REC-5419: Unauthenticated access to functionality
* REC-5420: Insufficient authorization of admin functions
* REC-5423: Multiple unauthenticated SQL injection issues
The vendor has not confirmed until 2014-05-28 whether all other issues have
been fixed entirely.
Workaround:
===========
No workaround available.
Advisory URL:
=============
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com
EOF J. Greil / @2014