Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (VoIP)  >   Cisco Unified Communications Manager (CallManager) Vendors:   Cisco
Cisco CallManager 'Administration' and 'User Options' Input Validation Holes Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1016328
SecurityTracker URL:
CVE Reference:   CVE-2006-3109   (Links to External Site)
Updated:  Oct 13 2008
Original Entry Date:  Jun 19 2006
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.1 - 4.3(1)
Description:   A vulnerability was reported in Cisco CallManager. A remote user can conduct cross-site scripting attacks.

The web administration interface does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target authenticated administrative user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Cisco CallManager software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The "Cisco CallManager Administration" and "Cisco CallManager User Options" interfaces are affected.

A demonstration exploit URL is provided:


The vendor was notified on October 24, 2005.

Cisco has assigned Cisco Bug ID CSCsb68657 to this vulnerability.

Jake Reynolds of FishNet Security discovered this vulnerability.

The original advisory is available at:

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Cisco CallManager software, access data recently submitted by the target administrative user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry. Cisco plans to issue a fix for the following versions:

* 4.3(1)
* 4.2(3)
* 4.1(3)SR4
* 3.3(5)SR3

The Cisco advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Input Validation/Output Encoding Vulnerabilities


Release Date: 07/19/2006

Affected Application: Cisco CallManager 3.1 and up (versions prior to 3.1 were not tested but may
still be vulnerable)

Severity If Exploited: High

Impact: Arbitrary configuration of phone system/Theft of individual phone users' credentials

Mitigating Factors: Requires user action (following a link, visiting a resource with an embedded

Initial Notification of Vendor: 10/24/2005

Discovery: Jake Reynolds, Senior Security Engineer -- FishNet Security

Contributions: Arian Evans, Senior Security Engineer - FishNet Security

Permanent Advisory Location:


Vulnerability Overview:
The web interface used to administer Cisco CallManager software suffers from a lack of input
validation and output encoding. As a result, an attacker could craft a request that causes the
CallManager web interface to include malicious JavaScript in its response. If a victim can be made to
submit this specially crafted request, the response will be processed, and the malicious JavaScript
payload executed in the browser of the victim.

Attack Overview: 

If such a request is provided to CallManager administrators (either in an email or embedded in an html
resource using something like an automatic redirect) an attacker can perform a variety of nefarious
actions. Depending on the scripted payload, these attacks are commonly referred to as cross-site
scripting (XSS), session riding, and cross-site request forgery (CSRF). Potential threats that can be
realized through these vulnerabilities could include but are not limited to:

* Deletion of phone system components such as devices, partitions, calling search spaces, etc

* Reconfiguration of phone system components such as route plans, global directory, services, etc

* Theft of global directory user credentials

* Theft of "Cisco CallManager User Options" credentials or session token leading to user identity
spoofing within that specific interface of CallManager (Utilization of the stolen credentials or
session tokens would require direct connectivity to CallManager.)


Vulnerability Details: 
The web interfaces used to administer Cisco CallManager exhibit input validation/output encoding
vulnerabilities throughout the applications. Specifically, the "Cisco CallManager Administration" and
"Cisco CallManager User Options" interfaces contain multiple instances of these vulnerabilities. This
advisory will focus on a subset of those vulnerabilities that allow attack execution from an
unauthenticated perspective. Not all vulnerability instances will be included.

The "Cisco CallManager Administration" (http://CallManagerAddress/ccmadmin/) web interface contains
parameters that have their user-supplied input returned in subsequent responses without being properly
encoded. Although this interface requires basic authentication before access to the vulnerable
parameters is granted, the original request will be sent to the server after successful
authentication. Thus, reflected script injection is possible if the attacker can lure a CallManager
administrator into entering their credentials upon being presented with the basic authentication box.
The URL below takes advantage of the vulnerable "pattern" parameter that returns user-supplied input
at several points within the subsequent responses.


A simple proof of concept script has been written that utilizes XMLHTTP to search for devices and
delete them from the CallManager configuration. Prior knowledge of the CallManager configuration would
allow for more savvy attacks that could intelligently reconfigure the phone system.

The "Cisco CallManager User Options" (http://CallManagerAddress/ccmuser/) web interface also contains
vulnerable parameters. Most notably, arbitrary parameters included in requests to /ccmuser/logon.asp
are returned by the application without proper input validation or output encoding. The URL below
takes advantage of this behavior by appending the parameter "MadeUpParameter", escaping the form
included in the response, and rewriting all form actions to point to an attacker site that collects
all input. The application seems to remove the '+' character used to post-increment the loop counter
so URL hex encoding (%2B) was used to obfuscate it.

http://CallManagerAddress/ccmuser/logon.asp?userID=&password=&MadeUpParameter="><script>for (i=0;
i<document.forms.length; i%2B%2B)

By luring phone system users into making the above request and logging in, an attacker can steal their


Prerequisites: In all cases, there is some prerequisite information that an attacker must have. The
address of the CallManager is obviously a necessity in order to correctly craft malicious requests.
This could be easily gained internally by viewing the network configuration on the IP phones that
register with the targeted CallManager unless the display of this information has been disabled.
Social engineering could allow an attacker to gain this information from inside or outside of the
organization. It is important to note that while the address of the target CallManager is required,
the attacker does not require connectivity. Reflected script injection attacks only require that the
victim has connectivity to the vulnerable application, since the victim is the entity that makes the
malicious request, causing unwanted execution of the script included in the vulnerable server's

Any intelligent reconfiguration of Cisco CallManager using CSRF attacks as mentioned above would
require knowledge of the current CallManager configuration. However, a significant amount of damage
could be inflicted by an XMLHTTP-based script that searches for and deletes all devices without prior
knowledge of the current CallManager configuration.

Exploitation of the "Call Manager User Options" logon page does not require connectivity to the target
CallManager. However, the use of stolen credentials gained through such an attack would require
connectivity to a system that utilizes them. This system, in many cases might only be the CallManager
itself. However, in the case of CallManager integration with another directory such as iPlanet or
Active directory, credential theft could lead to an attacker gaining access to many other services.


Technical Workarounds:

* Upgrade Software When Fixes Become Available - Cisco has stated that future releases of all trains
of Cisco CallManager will contain fixes for these vulnerabilities.

* Restrict Network Connectivity to CallManager Interfaces - During discovery, it was noted that
several organizations had their CallManager administration interfaces exposed to the Internet. Simple
Google queries are all an attacker needs in this case to obtain the target CallManager address. There
are few compelling reasons one could present that would justify public access to CallManager web

* Treat Sensitive/Critical Interfaces as Sensitive & Critical - Information about the specifics of the
CallManager configuration should be kept confidential. Access to the various CallManager interfaces
should be as restrictive as possible. Although these attacks do not require an attacker to have
connectivity to the vulnerable application, restriction of this access still serves to limit attack
vectors by limiting the amount of potential victims.

Nontechnical Workarounds:

* Education & Awareness of User Luring Attack Vector - Educate all users about the risks of social
engineering attacks. Users should be aware of the triviality of spoofing emails, caller ID, and other
types of information.


You can reach the author of this advisory by emailing jake[dot]reynolds[at]

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC