Root Backdoor & Unauthenticated access to voice recordings in NICE Systems product

SEC Consult Vulnerability Lab Security Advisory

“NICE Systems (NASDAQ: NICE), is the worldwide leader of intent-based solutions that capture and analyze interactions and transactions, realize intent, and extract and leverage insights to deliver impact in real time.”

source: http://www.nice.com/company-overview

“NICE provides Law Enforcement Agencies (LEAs) with mission-critical lawful interception (LI) solutions to support the fight against organized crime, drug trafficking and terrorist activities.

NICE helps LEAs stay up-to-date with fast-paced technology developments.

The solutions retrieve target location, relations and conversation content from any type of communication including fax, fixed and mobile telephony, and Internet applications, resulting in a multi-dimensional investigative picture. NICE solutions support the entire lawful interception cycle, from warrant initiation to court evidence presentation.”

source: http://www.nice.com/lea

“NICE Recording eXpress is designed specifically for the audio recording needs of the small and medium sized Public Safety organisation. This advanced recording solution offers a comprehensive, advanced, easy-to-install and affordable platform built for the Public Safety environment and Command and Control operations delivering optimal recording functionality and quality management.”

Business recommendation: Attackers are able to completely compromise the voice recording / surveillance solution, as they can gain access at the system and database level and listen to recorded calls without prior authentication. Furthermore, depending on the network setup, attackers would be able to use the voice recording server as a jumphost for further attacks against the internal voice VLAN. SEC Consult highly recommends not using this software until a thorough security review has been performed by security professionals and all identified issues have been resolved. It is assumed that further critical vulnerabilities exist.

Vulnerability overview/description:

Summary:

1) root backdoor account (REC-5180 SR1093984 – subtask REC-5424)

2) Unauthenticated access to sensitive files & voice recordings (REC-5179 SR1089608 – subtask REC-5417)

3) Low-privileged users can access other voice recordings & Insufficient authorization (REC-5179 SR1089608 – subtask REC-5418)

4) Unauthenticated access to functionality (REC-5179 SR1089608 – subtask REC-5419)

5) Insufficient authorization of admin functions (REC-5179 SR1089608 – subtask REC-5420)

6) Multiple cross site scripting issues (REC-5181 SR1093986 – subtask REC-5421)

7) Multiple unauthenticated SQL injection issues (REC-5180 SR1093984 – subtask REC-5423)

8) Insecure cookie handling (REC-5181 SR1093986 – subtask REC-5422)

9) Violation of the least privilege principle – services run as SYSTEM (not included in subtask)

The strings in parentheses in each vulnerability title are the official NICE bug tracking numbers, which are also referenced in their release notes.

1) root backdoor account (REC-5180 SR1093984 – subtask REC-5424)

The MySQL database table “usr” contains a “root” user with USRKEY / user id 1 and administrative access rights. This user account does NOT show up in the “user administration” menu when logged in to the web interface with an administrator account, so its password cannot be changed there. As a side note: the password hash of every user is embedded in the HTML source code of the user administration menu.

2) Unauthenticated access to sensitive files & voice recordings (REC-5179 SR1089608 – subtask REC-5417)

For example, unauthenticated attackers are able to gain access to exported lists of the user accounts that are being monitored/recorded. These lists contain personal data such as first/last name, email address and username/extension. Furthermore, it is possible to gain _unauthenticated_ access to recorded voice calls of other users: once a user has played a call via the integrated media player in the web interface, the call is stored in a temporary directory that can be accessed without authentication.

3) Low-privileged users can access other voice recordings & Insufficient authorization (REC-5179 SR1089608 – subtask REC-5418)

Low-privileged / standard user accounts can access not only their own voice recordings within the web interface but also other users’ calls, simply by iterating the ID parameter in the integrated media player’s HTTP requests.

4) Unauthenticated access to functionality (REC-5179 SR1089608 – subtask REC-5419)

Multiple ASP script files can be accessed without authentication. Attackers are, for example, able to read parts of the configuration and even call internal methods that may delete or update data.

5) Insufficient authorization of admin functions (REC-5179 SR1089608 – subtask REC-5420)

Certain ASP script files allow low-privileged user accounts to reach administrative functions, or functions for which higher privileges are normally required.
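Findings 3) and 5) are the two halves of the same missing control: an object-level check (does this user own the recording whose ID is in the request?) and a function-level check (does this user hold the role an administrative action requires?). The following is an added example of both checks, not NICE’s code; the in-memory recording store, the user IDs and the role names “admin” / “user” are constructed for the example.

```python
"""Object-level and function-level authorization, as an added example.
The recording store, user IDs and role names below are constructed sample
data, not taken from the product."""
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed role names: "admin" or "user"


@dataclass(frozen=True)
class Recording:
    rec_id: int
    owner_id: int
    path: str


# Constructed sample data: three recordings belonging to two different users.
RECORDINGS = {
    100: Recording(100, owner_id=7, path="/rec/100.wav"),
    101: Recording(101, owner_id=7, path="/rec/101.wav"),
    102: Recording(102, owner_id=9, path="/rec/102.wav"),
}


class Forbidden(Exception):
    """Raised when an access check fails; the caller maps it to HTTP 403."""


def fetch_recording(user: User, rec_id: int) -> Recording:
    """Object-level check: the caller must own the recording or be an admin.
    Unknown IDs and foreign IDs are refused with the same error, so an
    iterating client cannot tell which IDs exist."""
    rec = RECORDINGS.get(rec_id)
    if rec is None or (user.role != "admin" and rec.owner_id != user.user_id):
        raise Forbidden(f"user {user.user_id} may not access recording {rec_id}")
    return rec


def require_role(role: str):
    """Function-level check applied at the entry point of every privileged
    action, regardless of whether the UI shows a link to that action."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if user.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_recording(user: User, rec_id: int) -> bool:
    """Administrative action; returns True if a recording was removed."""
    return RECORDINGS.pop(rec_id, None) is not None


def accessible_ids(user: User) -> list:
    """Walk every recording ID the way an iterating client would and return
    only the IDs the checks let `user` reach."""
    reachable = []
    for rid in sorted(RECORDINGS):
        try:
            fetch_recording(user, rid)
            reachable.append(rid)
        except Forbidden:
            pass
    return reachable


if __name__ == "__main__":
    alice, bob, admin = User(7, "user"), User(9, "user"), User(1, "admin")
    print("alice:", accessible_ids(alice))   # [100, 101]
    print("bob:  ", accessible_ids(bob))     # [102]
    print("admin:", accessible_ids(admin))   # [100, 101, 102]
```

The point of `accessible_ids` is that it is the same walk an attacker performs by incrementing the media player ID; run against a correctly authorized store it returns only the caller’s own recordings, which is the property a reviewer should test for each endpoint that takes an object ID.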

6) Multiple cross site scripting issues (REC-5181 SR1093986 – subtask REC-5421)

NICE eXpress suffers from multiple cross-site scripting (reflected and permanent) vulnerabilities, which allow an attacker to steal other users’ sessions, to impersonate other users and to gain unauthorized access to the web interface and audio recordings.

7) Multiple unauthenticated SQL injection issues (REC-5180 SR1093984 – subtask REC-5423)

The web application suffers from multiple SQL injection vulnerabilities that can be exploited without prior authentication! By exploiting them, an attacker gains access to all records stored in the database with the privileges of the database user “recorder”. As MySQL runs with the highest OS-level access rights and the database user has the FILE privilege, it is possible to write files to the file system, which enables further attacks leading to OS-level compromise. Attackers are also able to alter database contents and therefore potentially the checksums of recordings as well, so stored audio recordings could be replaced by altered ones!
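Two defensive points follow from this finding: queries must be parameterized rather than built by string concatenation, and a checksum that lives in the same database the attacker can write to proves nothing, so the integrity tag should be keyed. The block below is an added example, not the product’s code; it uses an in-memory SQLite table with constructed rows in place of the MySQL schema, and the HMAC key is a placeholder.

```python
"""Vulnerable query beside its parameterized form, plus a keyed integrity tag
for recordings. Added example with constructed data, not the product's code."""
import hashlib
import hmac
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the recorder database."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE recording (id INTEGER PRIMARY KEY, owner TEXT, checksum TEXT)"
    )
    con.executemany(
        "INSERT INTO recording VALUES (?, ?, ?)",
        [(1, "alice", "a1"), (2, "bob", "b2"), (3, "carol", "c3")],
    )
    return con


def lookup_unsafe(con: sqlite3.Connection, owner: str) -> list:
    """Vulnerable pattern: untrusted input concatenated into the statement.
    Kept here only as the 'before' of the fix."""
    sql = f"SELECT id FROM recording WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con: sqlite3.Connection, owner: str) -> list:
    """Hardened form: the driver binds the value, so it can never become SQL."""
    sql = "SELECT id FROM recording WHERE owner = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (owner,))]


# Placeholder key; in a deployment it lives outside the database the web
# application can write to (e.g. a file readable only by the verifier service).
INTEGRITY_KEY = b"placeholder-key-kept-outside-the-db"


def integrity_tag(audio: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed tag over the audio bytes. Unlike a plain checksum stored next to the
    recording, a database write alone cannot produce a tag that verifies."""
    return hmac.new(key, audio, hashlib.sha256).hexdigest()


def verify_recording(audio: bytes, stored_tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison of the recomputed tag against the stored one."""
    return hmac.compare_digest(integrity_tag(audio, key), stored_tag)


if __name__ == "__main__":
    con = build_db()
    probe = "x' OR '1'='1"  # classic tautology, used only to show the contrast
    print("unsafe:", lookup_unsafe(con, probe))  # every row comes back
    print("safe:  ", lookup_safe(con, probe))    # no row has that literal owner
    tag = integrity_tag(b"RIFF....constructed audio bytes")
    print(verify_recording(b"RIFF....constructed audio bytes", tag))  # True
    print(verify_recording(b"RIFF....tampered audio bytes", tag))     # False
```

For the FILE privilege specifically, the fix is at the account level rather than in code: the application’s database user needs only DML on its own schema, and a global privilege such as FILE can be removed with `REVOKE FILE ON *.* FROM 'recorder'@'localhost';` (MySQL syntax; the host part depends on the deployment).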

8) Insecure cookie handling (REC-5181 SR1093986 – subtask REC-5422)

The “HttpOnly” cookie attribute is an extension of the cookie standard, introduced by Microsoft, that mitigates cookie-stealing attacks: it prevents JavaScript from accessing the cookie. With it set, user credentials cannot be stolen directly via XSS vulnerabilities, although other XSS attacks are still possible.

9) Violation of the least privilege principle – services run as SYSTEM (not included in subtask)

The system does not conform to the least privilege principle. An attacker could misuse services running with the highest access rights (“SYSTEM”) on the Windows operating system and potentially escalate privileges on several components.

Proof of concept (download from the official author; mirror on Cyberwarzone): 20140528-0_NICE_Recording_eXpress_Multiple_critical_vulnerabilities_v10