[cisco-voip] adding a disclaimer/MOTD in CUCM?

Brian Meade (brmeade) brmeade at cisco.com
Tue Dec 10 16:47:30 EST 2013


So just wanted to close the loop on this issue.  We ended up finding CSCuh52758 had already been opened for this issue and evaluated by PSIRT (our security team).  Currently this is only fixed in 10.0 but should get hopefully pushed into older releases in upcoming Engineering Specials/SUs.  If you want this fix in your version, make sure to open a TAC case so we can get an ES built for your version with this fix.

Also in case anyone else finds any potential security vulnerabilities, feel free to reach out to our PSIRT team (http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html).

Thanks,
Brian

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Brian Meade (brmeade)
Sent: Saturday, November 30, 2013 10:43 AM
To: Anthony Holloway; Erick Wellnitz
Cc: cisco-voip
Subject: Re: [cisco-voip] adding a disclaimer/MOTD in CUCM?

Interesting finds.  I’m going to see if I can still reproduce this on the latest versions and possibly get a bug opened for this.  I wonder how many people legitimately use the HTML feature though.

Brian

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Anthony Holloway
Sent: Wednesday, November 27, 2013 3:08 PM
To: Erick Wellnitz
Cc: cisco-voip
Subject: Re: [cisco-voip] adding a disclaimer/MOTD in CUCM?

FWIW, you can use this MOTD feature to inject HTML, CSS, VBScript and JavaScript into the login/about pages of CUCM.

With that knowledge, you could do things such as:

  1.  Embed a partner logo on client systems with pertinent support contact information
  2.  Embed a random tip of the day for your administrators (use JS to ID the location as ccmadmin)
  3.  Embed a random tip of the day for your users (use JS to ID the location as ccmuser)
  4.  Embed links to training material/intranet sites for your users (ccmuser)
  5.  Embed a link to open a phone ticket for your users (ccmuser)
  6.  Pre-fill the login form and auto submit for auto-login (maybe a lab usage thing only)
  7.  Place a red text warning about some critical service down on April Fools' Day for your manager/co-workers to sweat over
  8.  Change the onSubmit event listener to HTTP GET/POST the j_username and j_password field values to a third party server, effectively stealing people's passwords as they login to CUCM

That last one is not advised.  I only mentioned it to illustrate the evil side of being allowed to inject code into code.  Perhaps Cisco should fix this by escaping the MOTD HTML tags?  And while we're on the topic of stealing people's passwords from CUCM, we're securing our LDAP integrations, right?

admin:utils network capture numeric count 100000 size ALL file ldap
admin:file get activelog platform/cli/ldap.cap
wireshark filter: ldap.bindRequest

Ok ok, so some of you are like: "why would I want to do any of that?"  And you're right, these are not the best ideas I've ever had; however, knowing that the possibilities even exist has its benefit.

I've actually done each one of these as an exercise, so if you want to know more or need help getting a working solution put together, let me know.

Also, it should be obvious too then, that the CLI representation of the MOTD cannot do these things, but it will still spit out the ugly HTML/code you are trying to inject.  I have gotten around that a little bit by doing two things:

  1.  Make the injection as small as possible, leveraging off box resources (JS, images, etc.)
  2.  Put a bunch of newlines at the end of the file, which causes the terminal window to scroll the MOTD out of the view port and possibly out of the buffer.

I hope you found that useful.



On Tue, Nov 26, 2013 at 1:17 PM, Erick Wellnitz <ewellnitzvoip at gmail.com> wrote:
Okay...I'm either behind the times or our partner has some explaining to do.

At install, our partner added a 'disclaimer' to both the CLI and web admin pages of CUCM 9.x

Last I knew, you had to 'hack' root access to do this.   Is that still the case or is there somewhere to set and change this?

Thanks!
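
An added example, not part of the thread and not Cisco's code: an audit that flags active content in a MOTD text before it is deployed, plus the escaped rendering that the "escaping the MOTD HTML tags" suggestion above would produce. The function names and the sample banner are constructed for illustration; how CUCM itself renders the MOTD or implements the fix is not shown in this thread.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that run code or pull in other documents; a text banner needs none.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form", "meta", "link", "base"}
# Attributes whose value is a URL the browser may fetch or submit to.
URL_ATTRS = {"src", "href", "action", "data", "formaction"}

# Constructed sample banner (placeholder hosts, not from the thread).
SAMPLE_MOTD = (
    "Authorized use only.\n"
    '<img src="https://partner.example.invalid/logo.png">\n'
    '<script src="//tips.example.invalid/tip.js"></script>\n'
    '<form onSubmit="check()">\n'
)


class MotdAuditor(HTMLParser):
    """Collects findings for markup a plain-text banner should not contain."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):  # names arrive lowercased
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, "active-tag", tag))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append((line, "event-handler", name))
            elif name in URL_ATTRS:
                scheme = urlparse(value).scheme.lower()
                if scheme in ("javascript", "vbscript", "data"):
                    self.findings.append((line, "script-url", name))
                elif scheme or value.startswith("//"):
                    self.findings.append((line, "external-resource", value))


def audit_motd(text):
    """Return sorted (line, kind, detail) findings for a MOTD text."""
    auditor = MotdAuditor()
    auditor.feed(text)
    auditor.close()
    return sorted(auditor.findings)


def render_escaped(text):
    """Render the banner as inert text: markup shows up as literal characters."""
    return html.escape(text, quote=True).replace("\n", "<br>\n")
```
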


