[NT] Two Problems Found with Alexis/InternetPBX from COM2001

From: support@securiteam.com
Date: 10/04/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Two Problems Found with Alexis/InternetPBX from COM2001
Message-Id: <20011004155401.99480138C2@mail.der-keiler.de>
Date: Thu,  4 Oct 2001 17:54:01 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Two Problems Found with Alexis/InternetPBX from COM2001
------------------------------------------------------------------------

SUMMARY

 <http://www.alexis.com/solutions/index.asp> InternetPBX, a product from
COM2001, passes the user's voicemail password in clear text over the
internet. In addition, there is a minor issue with the way these passwords
are stored.

DETAILS

Vulnerable systems:
Alexis Server version 2.1

Immune systems:
Alexis Server version 1.1

Alexis is a Windows NT/2000 and Exchange based phone system that provides
many interesting features for helping businesses work in a virtual manner.

First, the voicemail passwords are stored in plaintext, in the NT and/or
Windows 2000 root directory in a file called com2001.ini. The impact of
this is minor, as the file can of course be protected with file system
permissions.

"Alexis Server" has a web access component that links in to Exchange's
OWA. It asks for a user's voicemail password before allowing them to
logon. This can be secured using SSL, so the password is protected there.
Unfortunately, the Alexis web access toolbar opens a java applet that
connects back to the server on port 8888(by default). This passes the
username and voicemail password in plaintext.

Vendor status:
COM2001 is aware of the problem, and informed that it has been fixed in
the next service pack, but they do not know when that will be released

Impact:
Those who could sniff this password could then utilize the Alexis phone
system to make long distance calls, or calls pretending to use the phone
number of the affected Alexis phone system.

Solution:
Block port 8888 to your Alexis server until the service pack is available.
This will unfortunately disable some of the features of the web access,
such as call screening. If this is essential functionality, one can
downgrade to version 1.1, which does not use the voicemail password in the
web access. Further version 2.0 is unable to utilize SSL for the web
access and so is vulnerable to similar (and greater) problems.

ADDITIONAL INFORMATION

The information has been provided by <mailto:cbyrum@erp.com> Clint Byrum.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.