m33tfinder: a vulnerability on Cisco Meeting Server detected by ElevenPaths

Friday, November 16, 2018

On November 7th, while we were holding our Security Innovation Day, Cisco published a security advisory with CVE-2018-15446, associated with a vulnerability in the Cisco Meeting Server software reported by our Innovation and Labs team. This vulnerability could allow a remote attacker to gain access to sensitive information as well as to join meetings held through this software. Cisco Meeting Server (previously named “Acano”) is video conferencing software that enables users to hold meetings through different clients, such as Cisco Jabber, Cisco Meeting App, Skype for Business, or via WebRTC with a supported browser.



During the testing we performed, we detected that the active conferences of a Cisco Meeting Server can be listed remotely and without prior authentication. This reveals a wealth of information about the conferences stored in the system, for example:
By analysing this information, a company’s agenda could be revealed: topics to be addressed, people involved, etc. At this stage it is an information disclosure problem that an attacker could use to better plan further attacks. Moreover, we also detected that a brute-force passcode attack can be performed remotely and without authentication (depending on the Cisco Meeting Server configuration) against conferences that have a passcode; the server does not stop it regardless of the number of attempts, so once the passcode is obtained the attacker can join the meeting.

The attacker would be able to detect (through the name) conferences without a passcode where critical issues (budget, executive board, strategic meetings, etc.) are being addressed. After identifying the targeted conference, the attacker could enter its conference ID and join the meeting as a guest using a non-suspicious username (social engineering).
Technical details
So, let’s see some details in context. Firstly, an attacker could identify Cisco Meeting Servers exposed on the Internet, for instance by using Shodan. An example of a characteristic JavaScript file that reveals this kind of software is:
html:"scripts/script_switcher_join_a_call.js"

Once the target’s URL has been identified, the attacker could send POST requests to https://[urlmeetingserver]/guestConference.sf with candidate conference IDs as parameters. To identify the conference ID ranges in use, the attacker would try, for example, the conference IDs 0000, 1000, 2000, 3000, etc., and then narrow them down. The server response differs depending on whether the range is in use or not.
The range is not being used (left). The range is being used (right).

Once the valid conference ID ranges have been identified, the attacker could send HTTP POST requests to https://[urlmeetingserver]/guestConference.sf with as many conference IDs as possible within those ranges and a null passcode, in order to detect the existing conferences. Once again, conferences on the server can be identified by taking advantage of the different server responses, as you can see in the following image:
"Success" response when there is a conference in the server

Depending on the Cisco Meeting Server configuration, this technique will return either only the video conferences not protected by a passcode or all the existing ones. This depends on the "Guest access via ID and passcode" setting.
  • If the parameter is set to "legacy" mode, the conference ID is required first to join the meeting, and the passcode afterwards. In this case, the technique described returns all the existing meetings, regardless of whether they are protected by a passcode or not.
  • If it is set to "secure" mode, both the conference ID and the passcode are required to join the meeting. In this case, only the conferences not protected by a passcode (i.e., with a null passcode) are returned, since the server verifies both the conference ID and the passcode before answering whether the conference exists.

Guest Access via ID and Passcode Parameter Configuration

Attempt as many passcodes as you wish
It is worth clarifying that by “passcode” we mean a numerical value of up to 100 digits, although passcodes of 4 or 6 digits are generally used, since they are more convenient for users joining conferences. It must be numerical so that it can be entered from a mobile phone by means of DTMF (dual-tone multi-frequency) tones.

In those cases where the conference has a passcode and the "Guest access via ID and passcode" parameter is set to "legacy" mode, the attacker could perform a brute-force passcode attack to obtain it. There is no blocking of any kind for failed access attempts. Such an attack can be performed by sending POST requests to https://[urlmeetingserver]/guestLoginRequest.sf with the parameters of the targeted conference, taking the passcode from a passcode list generated by the attacker.

Server response due to invalid passcode

When the passcode is valid, the response is also "failure", because the queries are sent from a Python script and not from a browser. Even so, the "reason" variable returns 'unsupportedBrowser' instead of the 'invalidPasscode' we saw above, so we can infer that it is the correct passcode. Once the passcode has been obtained, the attacker could use social engineering to join the meeting.
Conference access in secure mode

Conference access in legacy mode
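Both behaviours described above (conference ID probing against /guestConference.sf and repeated passcode attempts against /guestLoginRequest.sf) leave a distinctive footprint in the web access logs in front of the server. As an added example, which is not part of the original post and not ElevenPaths' or Cisco's code, the following Python script shows how a defender could flag them: it parses combined-format access-log lines and raises an alert when one source IP sends more POSTs to either endpoint than a threshold within a sliding time window. The log format, the thresholds, the window and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: Apache/nginx "combined"-style access log from the reverse
# proxy or load balancer in front of the Cisco Meeting Server web bridge.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two unauthenticated guest endpoints described in the post.
ENUM_PATH = "/guestConference.sf"      # conference ID probing
LOGIN_PATH = "/guestLoginRequest.sf"   # passcode attempts

# Thresholds and window are assumptions; tune them to the server's normal
# guest traffic before alerting on them in production.
WINDOW = timedelta(minutes=5)
THRESHOLDS = {
    ENUM_PATH: (20, "conference_id_enumeration"),
    LOGIN_PATH: (10, "passcode_brute_force"),
}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
    }


def detect(lines):
    """Return {source_ip: {alert_kind, ...}} for sources whose POSTs to one of
    the guest endpoints reach its threshold inside any WINDOW-long span."""
    events = defaultdict(list)  # (ip, path) -> list of timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] in THRESHOLDS:
            events[(rec["ip"], rec["path"])].append(rec["ts"])

    alerts = defaultdict(set)
    for (ip, path), stamps in events.items():
        stamps.sort()
        threshold, kind = THRESHOLDS[path]
        start = 0
        # Sliding window over the sorted timestamps: advance `start` until the
        # span [start, end] fits in WINDOW, then count the requests it holds.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip].add(kind)
                break
    return dict(alerts)


def sample_log():
    """Constructed sample traffic (not real logs). 203.0.113.5 probes conference
    IDs and then hammers passcodes; 198.51.100.9 is a normal guest."""
    base = datetime(2018, 11, 7, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method, path, status):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 '
                f'"-" "python-requests/2.20"')

    lines = []
    # 25 conference-ID probes one second apart, then 12 passcode attempts.
    lines += [line("203.0.113.5", i, "POST", ENUM_PATH, 200) for i in range(25)]
    lines += [line("203.0.113.5", 60 + i, "POST", LOGIN_PATH, 200) for i in range(12)]
    # Legitimate guest: a page load (GET) and two login attempts 15 s apart.
    lines.append(line("198.51.100.9", 10, "GET", "/index.html", 200))
    lines += [line("198.51.100.9", 20 + i * 15, "POST", LOGIN_PATH, 200) for i in range(2)]
    return lines


if __name__ == "__main__":
    for ip, kinds in sorted(detect(sample_log()).items()):
        print(ip, ", ".join(sorted(kinds)))
```

Run stand-alone, the script reports the probing source with both alert kinds and stays silent about the legitimate guest. This only gives visibility: the actual remedy is the Cisco software update, and, per the configuration discussion above, "secure" mode limits what an unauthenticated request can learn in the meantime.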

Cisco Meeting Server protections
It has two parameters intended to prevent this kind of attack:
  • The "Guest access via ID and passcode" parameter with the "secure" value already mentioned.
  • An alphanumerical "secret" parameter included in the invitation link, enabling direct connection to the video conference. In practice, this parameter does not increase the security of Cisco Meeting Server, since unauthenticated remote users can see it in the conference web link, as you can see in the following image:
Conference WebLink displayed to unauthenticated users

Proof of concept
In order to perform appropriate testing, the ElevenPaths Labs team has developed two simple tools written in Python: m33tfinder.py, which remotely detects and lists the conferences on a Cisco Meeting Server, and m33tbreak.py, which performs a brute-force passcode attack against a targeted conference.

To use m33tfinder you only need the URL of the Cisco Meeting Server in question. The tool first finds the conference ID ranges in use, and then, for each range, detects the existing and ongoing conferences. When the Cisco Meeting Server is configured in legacy mode, m33tfinder detects and returns information on all the conferences on the server. When it is configured in secure mode, m33tfinder only detects and returns information on conferences not protected by a passcode.
m33tfinder functioning when detecting conferences, both in legacy and secure mode

To use m33tbreak you need both the URL of the Cisco Meeting Server in question and the conference ID against which the brute-force passcode attack is going to be performed. The tool first verifies that the conference exists and is protected by a passcode, and then performs the brute-force passcode attack using a pins file. By default this pins file contains all the four-digit combinations, although it can be modified to contain passcodes of different lengths.
m33tbreak functioning when performing a brute-force attack against a conference

When using m33tbreak, there are two potential results:
Use of m33tbreak for the brute-force attack against a conference

Countermeasures and solutions
Following our report through the official channels, Cisco acknowledged it and promptly released a security patch fixing this vulnerability. It has been rated as a medium-severity vulnerability with a CVSS score of 5.3. The official description reads as follows:

A vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper protections on data that is returned from user meeting requests when the Guest access via ID and passcode option is set to Legacy mode. An attacker could exploit this vulnerability by sending meeting requests to an affected system. A successful exploit could allow the attacker to determine the values of meeting room unique identifiers, possibly allowing the attacker to conduct further exploits. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Yamila Levalle
Innovation and Labs (ElevenPaths)
yamila.levalle@11paths.com
