During a security review, I found a quick way to perform a PIN brute-force attack against accounts registered with a Cisco Unified Communications Manager (CallManager). A quick Google search for "callmanager brute force" did not bring up any relevant results, so I thought I would share the simple technique I used.

When looking at the phone handset configuration, some URLs are set to allow the handset to retrieve Personal Address Book details or access the Fast Dials. That caught my attention, and I immediately pointed my web proxy at those URLs, forgetting about the handset interface. What happens when using the handset is that the handset itself performs HTTP requests to the CallManager. A simple HTTP GET request is performed by the handset to initiate the login sequence, with a request like the one below:

1) GET - https://x.x.x.x/ccmpd/pdCheckLogin.do?name=undefined

The response contains a reference to the login.do page along with a "sid" token, which is used
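Because the handset login sequence is plain HTTP traffic to the CallManager, repeated PIN guesses show up as bursts of requests to the login.do page from one client. The following detector, added here as an example and not part of the original post, runs over constructed access-log lines in Common Log Format and flags any source that exceeds a threshold of login.do requests within a sliding window; the log lines, the sid value and the threshold are assumptions, not real CallManager output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Common Log Format); not real CallManager output.
# The sid value is a placeholder; only the paths come from the login sequence above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2011:12:00:01 +0000] "GET /ccmpd/pdCheckLogin.do?name=undefined HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2011:12:00:02 +0000] "GET /ccmpd/login.do?sid=CONSTRUCTED HTTP/1.1" 200 300
10.0.0.5 - - [10/Mar/2011:12:00:03 +0000] "GET /ccmpd/login.do?sid=CONSTRUCTED HTTP/1.1" 200 300
10.0.0.5 - - [10/Mar/2011:12:00:04 +0000] "GET /ccmpd/login.do?sid=CONSTRUCTED HTTP/1.1" 200 300
10.0.0.5 - - [10/Mar/2011:12:00:05 +0000] "GET /ccmpd/login.do?sid=CONSTRUCTED HTTP/1.1" 200 300
10.0.0.5 - - [10/Mar/2011:12:00:06 +0000] "GET /ccmpd/login.do?sid=CONSTRUCTED HTTP/1.1" 200 300
10.0.0.5 - - [10/Mar/2011:12:00:07 +0000] "GET /ccmpd/login.do?sid=CONSTRUCTED HTTP/1.1" 200 300
10.0.0.9 - - [10/Mar/2011:12:05:00 +0000] "GET /ccmpd/pdCheckLogin.do?name=undefined HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2011:12:05:01 +0000] "GET /ccmpd/login.do?sid=CONSTRUCTED HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/ccmpd/login.do",)  # the page that consumes the sid token and the PIN

def parse_line(line):
    """Return (client_ip, timestamp, path without query string) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]

def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map each client IP to its peak number of login.do requests inside any
    window of `window_seconds`, keeping only clients at or above `threshold`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in LOGIN_PATHS:
            attempts[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Tune the threshold to the handset population: a single phone legitimately produces one login.do request per login, so a burst from one address is the signal, not the volume across the whole cluster.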