Monday, 1 October 2012

Cisco Unified Communications Manager (Call Manager) PIN brute force attack


During a security review, I found a quick way to perform a PIN brute-force attack against accounts registered with a Cisco Unified Communications Manager (CallManager). A quick Google search for "callmanager brute force" didn't bring up any relevant results, so I thought I would share the simple technique I used.

When looking at the phone handset configuration, some URLs are set to allow the handset to retrieve Personal Address Book details or access the Fast Dials. That caught my attention, and I immediately pointed my web proxy at those URLs, forgetting about the handset interface.

When the handset is used, the handset itself performs HTTP requests to the CallManager.

A simple HTTP GET request is sent by the handset to initiate the login sequence, like the one below:

1) GET - https://x.x.x.x/ccmpd/pdCheckLogin.do?name=undefined


The response contains a reference to the login.do page along with a "sid" token, which is used in the subsequent requests, as shown in the response below:



The sid token is required to perform the PIN brute force attack.

Also, the response provides some clues about which parameters to include in the login request, such as userID and PIN. The following GET request can then be used to perform a PIN brute-force attack:

2) GET - https://x.x.x.x/ccmpd/login.do?sid=_sid_value_&userid=_userid_&pin=_PIN_



At this stage, a PIN brute-force attack is possible, since the valid sid token that must be passed when authenticating the user is now known.
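The two-request login sequence above (pdCheckLogin.do to obtain a sid, then login.do with sid, userid and pin) leaves a distinctive trail in the CallManager web-server access log, which is what a defender would look for. The following Python script is an added example, not code from the original post or from Cisco: it parses constructed access-log lines in a generic Apache/Tomcat "combined" format (an assumption; the real CallManager log format and location may differ), and flags a source address that issues many login.do requests within a short window, reporting whether one PIN was sprayed across many userids or many PINs were tried against one account. The threshold, window, log format and sample data are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines. The "combined" log format is an
# assumption made for this example; CallManager's own logs may differ.
_USERIDS = ["jsmith", "mjones", "alee", "bkhan", "cwong", "dpatel",
            "efox", "gray", "hsu", "ivan", "jdoe", "kroy"]

def _line(ip, ts, path, status=200):
    return '%s - - [%s +0000] "GET %s HTTP/1.1" %d 300' % (ip, ts, path, status)

SAMPLE_LOG = [
    _line("10.0.0.5", "01/Oct/2012:10:00:01", "/ccmpd/pdCheckLogin.do?name=undefined"),
] + [
    # One sid, one PIN, a different userid every second: the "large userID
    # list against a common PIN" pattern described in the post.
    _line("10.0.0.5", "01/Oct/2012:10:00:%02d" % (2 + i),
          "/ccmpd/login.do?sid=abc123&userid=%s&pin=1234" % uid)
    for i, uid in enumerate(_USERIDS)
] + [
    # A single legitimate handset login from another address.
    _line("10.0.0.9", "01/Oct/2012:10:05:00", "/ccmpd/pdCheckLogin.do?name=undefined"),
    _line("10.0.0.9", "01/Oct/2012:10:05:01", "/ccmpd/login.do?sid=zzz999&userid=alice&pin=5555"),
]

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return a dict for /ccmpd/login.do requests, or None for any other line."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, status = m.groups()
    url = urlsplit(target)
    if url.path != "/ccmpd/login.do":
        return None
    q = parse_qs(url.query)
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "sid": q.get("sid", [""])[0],
        "userid": q.get("userid", [""])[0],
        "pin": q.get("pin", [""])[0],   # kept in memory only; alerts report counts, never values
        "status": int(status),
    }

def detect_pin_bruteforce(lines, window_seconds=60, threshold=10):
    """Flag each source address that issues >= threshold login.do requests
    within any window_seconds window. Returns a list of alert dicts."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in the window.
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold crossed: extend to the end of the burst while the gap
            # between consecutive attempts stays within the window.
            while end + 1 < len(recs) and recs[end + 1]["time"] - recs[end]["time"] <= window:
                end += 1
            hits = recs[start:end + 1]
            userids = {r["userid"] for r in hits}
            pins = {r["pin"] for r in hits}
            if len(pins) == 1 and len(userids) > 1:
                pattern = "single PIN sprayed across many userids"
            elif len(userids) == 1:
                pattern = "many PINs guessed against one userid"
            else:
                pattern = "mixed userid/PIN guessing"
            alerts.append({
                "ip": ip,
                "first": hits[0]["time"].isoformat(),
                "last": hits[-1]["time"].isoformat(),
                "attempts": len(hits),
                # Keyed on the address, not the sid: the sid can be renewed at will.
                "distinct_sids": len({r["sid"] for r in hits}),
                "distinct_userids": len(userids),
                "distinct_pins": len(pins),
                "pattern": pattern,
            })
            break  # one alert per address per run is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_pin_bruteforce(SAMPLE_LOG):
        print(alert)
```

The alert is keyed on the source address rather than on the sid, because a fresh sid costs the caller only one more pdCheckLogin.do request, so a rule that counts attempts per sid is easy to stay under. Distinct-userid and distinct-PIN counts are reported instead of the values themselves, so the alert can be forwarded without leaking a valid PIN that happened to be in the burst.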

In case the userid/PIN are wrong, the following response is returned:


It does not seem possible to enumerate userIDs. In that case, it is recommended to use a large username dictionary file and try each entry against the same PIN (e.g. a common value such as 1234 or 12345). This can be done easily with the Burp Intruder tab, as shown below:



If the correct userID/PIN are found, the response will contain links for each service, as shown below:



The above sequence of requests can be trivially automated with a web proxy such as Burp, for instance by setting up a macro.



More information on how to configure macros in Burp can be found here: http://portswigger.net/burp/help/options_sessions_macroeditor.html

If a valid userID/PIN is found, it is recommended to stop the brute force attack, generate a new sid token and then restart the brute force attack.

Happy hacking!