Root Backdoor & Unauthenticated access to voice recordings

SEC Consult Vulnerability Lab Security Advisory < 20140528-0 >
=======================================================================
title: Root Backdoor & Unauthenticated access to voice recordings
product: NICE Recording eXpress voice recording solution
(formerly called Cybertech eXpress; Cybertech Myracle maybe affected too)
vulnerable version: 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.5.x
fixed version: see section "Solution" and "Timeline" below
impact: critical
homepage: www.nice.com
found: 2013-11-13
by: Johannes Greil, Stefan Viehböck
SEC Consult Vulnerability Lab
www.sec-consult.com
=======================================================================

Vendor & product description:
=============================
"NICE Systems (NASDAQ: NICE), is the worldwide leader of intent-based solutions
that capture and analyze interactions and transactions, realize intent, and
extract and leverage insights to deliver impact in real time."

source: www.nice.com/company-overview

"NICE provides Law Enforcement Agencies (LEAs) with mission-critical lawful
interception (LI) solutions to support the fight against organized crime, drug
trafficking and terrorist activities. NICE helps LEAs stay up-to-date with
fast-paced technology developments. The solutions retrieve target location,
relations and conversation content from any type of communication including
fax, fixed and mobile telephony, and Internet applications, resulting in a
multi-dimensional investigative picture. NICE solutions support the entire
lawful interception cycle, from warrant initiation to court evidence
presentation."

source: www.nice.com/lea

"NICE Recording eXpress is designed specifically for the audio recording needs
of the small and medium sized Public Safety organisation. This advanced
recording solution offers a comprehensive, advanced, easy-to-install and
affordable platform built for the Public Safety environment and Command and
Control operations delivering optimal recording functionality and quality
management."

Source:
www.nice.com/sites/default/files/nicerecordingexpress050112.pdf.pdf.pdf


Business recommendation:
========================
Attackers are able to completely compromise the voice recording / surveillance
solution, as they can gain access at the system and database level and listen
to recorded calls without prior authentication.
Furthermore, attackers would be able to use the voice recording server as a
jump host for further attacks on the internal voice VLAN, depending on the
network setup.
SEC Consult highly recommends not to use this software until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.
It is assumed that further critical vulnerabilities exist.

 

Vulnerability overview/description:
===================================
Summary:
1) Root backdoor account
   (REC-5180 SR1093984 - subtask REC-5424)

2) Unauthenticated access to sensitive files & voice recordings
   (REC-5179 SR1089608 - subtask REC-5417)

3) Low-privileged users can access other voice recordings & insufficient
   authorization
   (REC-5179 SR1089608 - subtask REC-5418)

4) Unauthenticated access to functionality
   (REC-5179 SR1089608 - subtask REC-5419)

5) Insufficient authorization of admin functions
   (REC-5179 SR1089608 - subtask REC-5420)

6) Multiple cross site scripting issues
   (REC-5181 SR1093986 - subtask REC-5421)

7) Multiple unauthenticated SQL injection issues
   (REC-5180 SR1093984 - subtask REC-5423)

8) Insecure cookie handling
   (REC-5181 SR1093986 - subtask REC-5422)

9) Violation of the least privilege principle - services run as SYSTEM
   (not included in subtask)

The strings in parentheses in the vulnerability titles are NICE's official bug
tracking numbers, which are also referenced in their release notes.

 

1) Root backdoor account (REC-5180 SR1093984 - subtask REC-5424)
--------------------------------------------------------------------------
The MySQL database table "usr" contains a "root" user with USRKEY / user id 1
with administrative access rights. This user account does NOT show up within
the "user administration" menu when logged in as an administrator user account
in the web interface. Hence the password can't be changed there.
As a side note: password hashes for each user are exposed in the HTML source
code of the user administration menu.

 

2) Unauthenticated access to sensitive files & voice recordings (REC-5179
SR1089608 - subtask REC-5417)
--------------------------------------------------------------------------
For example, unauthenticated attackers are able to gain access to exported
lists of user accounts that are being monitored/recorded. Attackers gain
access to detailed information such as personal data like first/last name,
email address and username/extension.
Furthermore it is possible to gain _unauthenticated_ access to recorded voice
calls of other users. Those calls are stored in a temporary directory once
they have been accessed by a user via the integrated media player in the web
interface.

 

3) Low-privileged users can access other voice recordings & insufficient
authorization (REC-5179 SR1089608 - subtask REC-5418)
--------------------------------------------------------------------------
Low-privileged / standard user accounts can not only access their own voice
recordings within the web interface but also other users' calls, simply by
iterating an ID in the integrated media player's HTTP requests.

 

4) Unauthenticated access to functionality (REC-5179 SR1089608 - subtask
REC-5419)
--------------------------------------------------------------------------
There exist multiple ASP script files that can be accessed without
authentication. Attackers are e.g. able to gain access to parts of the
configuration and even call internal methods that may delete or update data.

 

5) Insufficient authorization of admin functions (REC-5179 SR1089608 - subtask
REC-5420)
--------------------------------------------------------------------------
Certain ASP script files allow low-privileged user accounts access to
administrative functions or functions where usually higher privileges are
necessary.

 

6) Multiple cross site scripting issues (REC-5181 SR1093986 - subtask REC-5421)
--------------------------------------------------------------------------
NICE eXpress suffers from multiple cross-site scripting (reflected and
permanent) vulnerabilities, which allow an attacker to steal other users'
sessions, to impersonate other users and to gain unauthorized access to the
web interface and audio recordings.

 

7) Multiple unauthenticated SQL injection issues (REC-5180 SR1093984 - subtask
REC-5423)
--------------------------------------------------------------------------
The web application suffers from multiple SQL injection vulnerabilities that
can be exploited without prior authentication!
By exploiting this vulnerability, an attacker gains access to all records
stored in the database with the privileges of the database user "recorder".
As MySQL runs with the highest OS-level access rights and the database user has
the FILE permission, it is possible to write files to the file system. This
enables further attacks leading to OS-level compromise.
Attackers are able to alter database contents and therefore potentially also
alter checksums of recordings. Hence stored audio recordings could be replaced
by altered ones!

 

8) Insecure cookie handling (REC-5181 SR1093986 - subtask REC-5422)
--------------------------------------------------------------------------
"HttpOnly cookie" is an extension of the cookie standard from Microsoft to
avoid cookie stealing attacks. It prevents JavaScript from accessing cookies.
For this reason user credentials cannot be stolen directly using XSS
vulnerabilities, although other XSS attacks are still possible.

 

9) Violation of the least privilege principle - services run as SYSTEM (not
included in subtask)
--------------------------------------------------------------------------
The system does not conform to the least privilege principle. An attacker could
misuse services running with the highest access rights ("SYSTEM") on the
Windows operating system and potentially escalate his rights on several
components.

 

Proof of concept:
=================
1) Root backdoor account
--------------------------------------------------------------------------
The password hash (salted - also see flaw #7) of the root user is:
c00e6f05562f338a07eeac9a8ad1b7881d4a990b0b3ee2cf439ac0f55a818d2e
The user does not show up within the admin web interface even when logged in
as an administrator.

 

2) Unauthenticated access to sensitive files & voice recordings
--------------------------------------------------------------------------
The following URL shows a list of all accounts that are being monitored by
NICE Recording eXpress and can be accessed by anyone without prior
authentication. The list will be copied to the [removed] directory when a user
with appropriate rights exports the user list within the web interface.
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE
did not confirm that it was patched

Furthermore, recorded calls made by other users will be stored in certain
subdirectories of the [removed] directory. Those wave files will e.g. be copied
to the directory as soon as users listen to their recordings through the web
interface, as the integrated media player will access those wave files via
this URL.
Attackers are able to access those calls without prior authentication!

 

3) Low-privileged users can access other voice recordings
--------------------------------------------------------------------------
If a user clicks on a recorded call (of his own) within the web application,
the integrated media player will open it. One of the following HTTP requests
will be sent that contains the parameter [removed]. The XML response will
include the file location / path of the recorded wave file and the information
whether the user has appropriate access rights.
The values of the [removed] parameter can easily be enumerated, and the file
location of other recordings will be shown. Those files can be accessed
without authentication afterwards, without having to guess the file path
location as this path is being provided.

Request of own call recording:
------------------------------
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE
did not confirm that it was patched

The XML elements [removed] and [removed] are interesting for the attacker.
If an attacker enumerates the [removed] parameter, he will receive those XML
responses including the file location/path of other users' voice recordings.
The [removed] XML attribute value may change to [removed] with the additional
error message "You're not authorized to play back this call" (element:
[removed]). But this XML response is only validated by the media player, and
the attacker can still listen to the call via the [removed] path directly.
The [removed] XML element shows the path of the recording in the temp directory
under [removed], which can then be accessed without authentication!
It is assumed that further flaws exist within the media player functionality,
but it has not been tested further during this short crash test.
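The root cause of flaws 3, 4 and 5 is the same: the authorization decision is left to the client (here, the media player) while the server hands out the file path regardless. The following added example is not code from the advisory or from NICE; it is a generic sketch of how a playback endpoint should behave instead. All names (users, call IDs, paths, the "usr"-like lookup table) are constructed for the example:

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Recording:
    call_id: int
    owner: str   # extension/user the call belongs to (constructed)
    path: str    # location of the wave file; never sent to the client

# Constructed sample data standing in for the recording table.
RECORDINGS: Dict[int, Recording] = {
    1001: Recording(1001, "alice", "/rec/2013/11/1001.wav"),
    1002: Recording(1002, "bob",   "/rec/2013/11/1002.wav"),
}
ADMINS = {"admin"}

# One-time, random playback tokens issued only after the server-side check.
_TOKENS: Dict[str, int] = {}

class NotAuthorized(Exception):
    pass

def _allowed(user: str, rec: Optional[Recording]) -> bool:
    # A missing record and a foreign record get the same answer, so the
    # endpoint cannot be used as an enumeration oracle for valid IDs.
    return rec is not None and (user == rec.owner or user in ADMINS)

def request_playback(user: str, call_id: int) -> Dict[str, object]:
    """Authorization is decided here, not in the media player, and the
    response carries a short-lived token instead of the file path."""
    rec = RECORDINGS.get(call_id)
    if not _allowed(user, rec):
        raise NotAuthorized("You're not authorized to play back this call")
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = call_id
    return {"call_id": call_id, "token": token}

def fetch_wave(user: str, token: str) -> str:
    """Second step: the file is served only against a token obtained from
    request_playback; the token is consumed on use and the owner is
    re-checked so a token cannot be replayed by another user."""
    call_id = _TOKENS.pop(token, None)
    if call_id is None:
        raise NotAuthorized("invalid or expired token")
    rec = RECORDINGS[call_id]
    if not _allowed(user, rec):
        raise NotAuthorized("You're not authorized to play back this call")
    return rec.path

def enumeration_attempt(user: str, ids: Iterable[int]) -> List[int]:
    """Audit helper: which of the given IDs does `user` obtain a token for?
    With the check on the server, a standard user only ever sees own calls."""
    granted = []
    for cid in ids:
        try:
            request_playback(user, cid)
            granted.append(cid)
        except NotAuthorized:
            pass
    return granted
```

The point of the two-step flow is that the file path is never part of any response, so even a caller who iterates IDs learns nothing that could be fetched directly; the temp-directory copy described above would additionally have to be served only through the same check.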

 

4) Unauthenticated access to functionality
--------------------------------------------------------------------------
As an example, the following URL can be called without authentication:
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE
did not confirm that it was patched
There exist many further scripts that can be accessed!

 

5) Insufficient authorization of admin functions
--------------------------------------------------------------------------
As an example, the following URLs can be accessed:
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE
did not confirm that it was patched
There exist many further scripts that can be accessed!

 

6) Multiple cross site scripting issues
--------------------------------------------------------------------------
The following URLs are examples for reflected XSS (list is not complete):
http://$host/_ifr/iframe.picker.statchannels.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.channelgroups.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.extensions.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.licenseusergroups.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.licenseusers.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.lookup.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.marks.asp?frame=%27%29};alert%280%29;{%28%27

Permanent XSS:
http://$host/myaccount/mysettings.edit.validate.asp
Parameter: USRLNM

It is assumed that many further scripts are vulnerable to XSS!
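The URL-decoded "frame" value above is ')};alert(0);{(' , i.e. a payload shaped to break out of a JavaScript string literal into which the parameter is reflected. The following added example (not code from the advisory or from NICE; the load() call and the table cell are a constructed rendering context) contrasts that raw concatenation with context-appropriate output encoding, which is the fix for both the reflected cases and the stored USRLNM case:

```python
import html
import json

# Constructed: the URL-decoded value of the "frame" parameter from the
# reflected XSS examples above.
PAYLOAD = "')};alert(0);{('"

def render_unsafe(frame: str) -> str:
    """Vulnerable pattern (illustration only): raw concatenation into a JS
    string literal lets the quote and braces in the payload terminate the
    literal and inject a statement."""
    return "<script>load('" + frame + "');</script>"

def js_string_literal(value: str) -> str:
    """Safe embedding into a JavaScript string literal: JSON-encode (which
    escapes quotes, backslashes and control characters), then also neutralise
    the sequences that could still end the <script> block or break parsing."""
    encoded = json.dumps(value)
    return (encoded.replace("</", "<\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))

def render_safe(frame: str) -> str:
    return "<script>load(" + js_string_literal(frame) + ");</script>"

def render_html(last_name: str) -> str:
    """For the stored case (USRLNM echoed into page markup) the value is in
    an HTML text context, so it needs HTML entity encoding instead."""
    return "<td>" + html.escape(last_name, quote=True) + "</td>"
```

Note that the encoder is chosen per context: JSON encoding does nothing for an HTML context and HTML entity encoding does nothing inside a script string, so the same untrusted value needs the encoder matching the place it lands.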

 

7) Multiple unauthenticated SQL injection issues
--------------------------------------------------------------------------
The following sample request (no authentication needed!) will write the text
file "secconsult.txt" in the webroot, including user account information such
as password hashes.
As a side note: all password hashes are SHA256 hashes with a hard-coded salt
value contained in a pre-compiled DLL shipped with the web application.
The following Python script demonstrates the algorithm:
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE
did not confirm that it was patched
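Why a hard-coded salt matters: with one fixed salt that ships in a DLL, every user with the same password gets the same hash and a single precomputed table cracks all of them once the salt is known. The following added example is not the vendor's algorithm (the script above was removed) and does not use the product's salt; it uses a constructed placeholder salt to show the property, next to a per-user random salt with a slow KDF:

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed placeholder; NOT the salt value from the product.
GLOBAL_SALT = b"example-hardcoded-salt"

def weak_hash(password: str) -> str:
    """Fixed-salt SHA256 as the advisory describes in general terms: fast,
    and identical for identical passwords across all users."""
    return hashlib.sha256(GLOBAL_SALT + password.encode("utf-8")).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, stored self-describing
    so parameters can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_hashes(user_hashes: Dict[str, str]) -> List[List[str]]:
    """Audit helper: groups of users whose stored hashes are identical.
    Any non-empty result means the password store is not individually salted."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in user_hashes.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]
```

Run against the constructed table below, the fixed-salt scheme exposes that two users share a password, while the per-user-salt scheme makes the same two records indistinguishable.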

Further affected scripts (list not complete):
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE
did not confirm that it was patched

MySQL runs with the highest SYSTEM access rights; hence attackers have access
to the file system, also see vulnerability 9).
It is assumed that further SQL injection vulnerabilities exist!
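The injections themselves were removed from this advisory, so the following added example (not from the advisory or from NICE) reconstructs only the generic pattern: a lookup that concatenates a request parameter into SQL beside the parameterized form that fixes it. It uses an in-memory SQLite database with a constructed "usr"-like table (column names other than USRKEY are invented), and a textbook tautology payload rather than anything product-specific:

```python
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the recorder database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usr (USRKEY INTEGER PRIMARY KEY, "
                "name TEXT, pwhash TEXT)")
    con.executemany("INSERT INTO usr VALUES (?, ?, ?)", [
        (1, "root",  "hash-of-root"),     # the hidden account from flaw 1
        (2, "alice", "hash-of-alice"),
        (3, "bob",   "hash-of-bob"),
    ])
    return con

def lookup_vulnerable(con: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Vulnerable pattern (illustration only): the parameter becomes part
    of the SQL text, so quotes in it change the query's structure."""
    sql = "SELECT USRKEY, name FROM usr WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()

def lookup_parameterized(con: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Fixed: the value is bound as data; it can never alter the statement."""
    return con.execute("SELECT USRKEY, name FROM usr WHERE name = ?",
                       (name,)).fetchall()

# Constructed generic payload: a tautology that makes the WHERE clause true.
TAUTOLOGY = "x' OR '1'='1"
```

Parameter binding removes the injection; it does not change what the database account may do once reached. The write-to-webroot step described above additionally depends on the "recorder" account holding the FILE privilege and on MySQL running as SYSTEM, so the application account should be stripped of FILE and the service moved to a dedicated low-privilege account as independent hardening steps.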

 

8) Insecure cookie handling
--------------------------------------------------------------------------
The web application only sets the "secure" cookie flag, but not "HttpOnly".
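A quick check for this class of finding is to audit the Set-Cookie headers a response actually carries rather than the configuration that is supposed to produce them. The following added example (not from the advisory; cookie names and values are constructed, not the product's session cookie) flags every cookie that lacks either of the two flags discussed above:

```python
from typing import Dict, List, Tuple

REQUIRED_FLAGS = ("secure", "httponly")

def audit_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value and report which required flags it lacks.
    Attribute names are matched case-insensitively, as browsers do."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return {"name": name, "attributes": sorted(attrs), "missing": missing}

def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """One finding string per cookie with a missing flag; empty when clean."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        result = audit_set_cookie(value)
        if result["missing"]:
            findings.append("%s: missing %s" % (result["name"],
                                                 ", ".join(result["missing"])))
    return findings

# Constructed response headers reproducing the pattern in the finding:
# "secure" present, "HttpOnly" absent on the session cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; secure; path=/"),
    ("Set-Cookie", "PREF=1; path=/"),
]
```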

 

9) Violation of the least privilege principle - services run as SYSTEM
--------------------------------------------------------------------------
Nearly all CyberTech (NICE) services including MySQL run as local SYSTEM with
the highest privileges, such as [removed] and many more. SEC Consult did not
analyse those services; some of them have network listeners, and successful
attacks may lead to system compromise.
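The service names were removed from this advisory, so the following added example (not from the advisory or from NICE; the service list is constructed and the names are not the product's real service names) only shows the audit logic: given an export of service name, logon account and state, as a CSV such as one produced from a Windows service inventory, it lists the services that run under the highest-privilege local account:

```python
import csv
import io
from typing import Dict, List

# Constructed inventory, in the shape of a CSV export with the columns
# Name, StartName, State. Service names are invented for the example.
SAMPLE_EXPORT = """Name,StartName,State
MySQL,LocalSystem,Running
ExampleRecorder,LocalSystem,Running
ExampleWeb,NT AUTHORITY\\NetworkService,Running
ExampleArchiver,LocalSystem,Stopped
ExampleHelper,NT AUTHORITY\\LocalService,Running
"""

# Spellings under which the local SYSTEM account appears in such exports.
SYSTEM_ACCOUNTS = {"localsystem", ".\\localsystem", "nt authority\\system"}

def parse_services(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per service."""
    return list(csv.DictReader(io.StringIO(text)))

def high_privilege_services(text: str, running_only: bool = True) -> List[str]:
    """Names of services whose logon account is local SYSTEM. By default
    only running services are reported, since those expose the attack
    surface (listeners, IPC) right now; stopped ones are still worth fixing."""
    flagged = []
    for svc in parse_services(text):
        account = svc["StartName"].strip().lower()
        if account not in SYSTEM_ACCOUNTS:
            continue
        if running_only and svc["State"].strip().lower() != "running":
            continue
        flagged.append(svc["Name"].strip())
    return flagged
```

Each flagged service is a candidate for a dedicated virtual or managed service account with only the file and network rights it needs; for the database in particular this is what turns a SQL injection with FILE privilege from an OS compromise into a database-scoped one.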

 

Vulnerable / tested versions:
=============================
The vulnerabilities have been verified to exist in NICE Recording eXpress
version 6.3.5.
According to the release notes published by the vendor, all previous releases
are affected too.

 

Vendor contact timeline:
========================
2013-12-13: Contacted vendor through support@nice.com and given direct contact
            (Tier 2 Customer Support Team Lead NICE EMEA), including support
            ticket of customer, requesting encryption keys, attaching
            responsible disclosure policy
2013-12-18: Reply from vendor, no encryption keys
2013-12-18: Sending unencrypted security advisory to NICE & responsible
            disclosure policy again
2014-01-08: Asking for status update
2014-01-09: Receiving estimated patch dates for identified issues:
            * REC-5179 SR1089608: will be fixed by release CT6.5.6 31 Mar 2014
            * REC-5180 SR1093984: will be fixed by release CT6.5.6 31 Mar 2014
            * REC-5181 SR1093986: will be fixed by release CT6.5.5 28 Feb 2014
2014-01-16: Receiving more detailed information regarding patch / release
            versions including subtask tracking numbers
2014-02-05: Vendor gives status update, everything according to plan: "dates
            are valid"
2014-02-25: Updates regarding advisory release date / coordination
2014-03-05: Asking how customers are informed about the patches
2014-03-07: Releases are provided in SDC portal & release notes
2014-03-07: Asking about affected product names & versions ("NICE Recording
            eXpress" vs. "Cybertech eXpress" vs. "Cybertech Myracle")
2014-03-07: Patch (6.5 PL5) released by vendor that fixes XSS (REC-5181 -
            REC-5421 SR-1093986) and insecure cookie handling (REC-5181 -
            REC-5422 SR-1093986)
2014-04-03: Patch (6.5 PL6) released by vendor that fixes REC-5180 - REC-5424
            SR-1093984 (root backdoor)
            No mention of fix for SQL injection subtask REC-5423
            Delay for REC-5179 - will be fixed in next release
2014-04-08: Vendor: "The last fix is planned for the end of April 2014"
2014-04-30: Asking for status update, asking again about product names
2014-05-02: Vendor: "NICE bought various providers and [...] various names for
            the product", "Myracle is an older version", "NICE advises clients
            to upgrade their system no matter what"
2014-05-07: Vendor information from development team:
            * REC-5180 SR1093984: "We couldn't make it last month. Need to
              schedule it in another patch level" (REC-5423)
            * REC-5179 SR1089608: "We worked on this item last month and it's
              partially fixed":
              - Patch NTR 6.5 PL7 solves part of subtask REC-5419
                (unauthenticated access to functionality)
                SEC Consult could not confirm whether REC-5419 was fixed,
                because release notes of PL7 do not contain any info on this
              - Subtask REC-5420: not fixed, need to reschedule (Insufficient
                authorization of admin functions)
              - Subtask REC-5417: not fixed, removing insecure functionality
                breaks backwards compatibility with other products,
                "We need to reconsider how to approach this big change in a
                structural way"
2014-05-14: Setting deadline for advisory release 2014-05-28
2014-05-23: Asking vendor for confirmation regarding unresolved issues
2014-05-23: Warning local CERT (Austria & Germany) about upcoming release
2014-05-27: Asking vendor again for confirmation of patched/unpatched flaws
2014-05-27: Vendor contact reached out to R&D team, "According to the system
            the fix is to be released end of August this year, more info to
            follow once confirmed from R&D"
            Receiving new contact person from NICE
2014-05-27: Telling vendor again about the release on 28th May, asking for
            patch confirmation
2014-05-28: (no answer) SEC Consult releases security advisory

 

Solution:
=========
Partial patches are available in the NICE Software Download Center according
to the vendor:
nice.subscribenet.com
* Product Updates > NICE Recording (CyberTech) > Core Software NICE Recording
  > Recording R6

SEC Consult urges all users of NICE Recording eXpress (or Cybertech eXpress)
to upgrade to the latest version available immediately.
As of 2014-05-28, the latest patch release is NTR 6.5 PL7.

At least the following critical issues are _still unresolved_ and not patched,
or have not been confirmed by NICE to be patched:
* REC-5417: Unauthenticated access to sensitive files & voice recordings
* REC-5418: Low-privileged users can access other voice recordings &
  insufficient authorization
* REC-5419: Unauthenticated access to functionality
* REC-5420: Insufficient authorization of admin functions
* REC-5423: Multiple unauthenticated SQL injection issues
As of 2014-05-28, the vendor has not confirmed whether all other issues have
been fixed entirely.

Workaround:
===========
No workaround available.

Advisory URL:
=============
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarters:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com
EOF J. Greil / @2014