Hacking the Sonexis ConferenceManager

Hacking the Sonexis ConferenceManager

Netragard’s Penetration Testing services use a research based methodology called Real Time Dynamic Testing™. Research based methodologies are different in that they focus on identifying both new and known vulnerabilities whereas standard methodologies usually, if not always identify known vulnerabilities. Sometimes when performing research based penetration testing we identify issues that not only affect our customer but also have the potential to impact anyone using a particular technology. Such was the case with the Sonexis ConfrenceManager.

The last time we came across a Sonexis ConferenceManager we found a never before discovered Blind SQL Injection vulnerability.  This time we found a much more serious (also never before discovered) authorization vulnerability. We felt that this discovery deserved a blog entry to help make people aware of the issue as quickly as possible.

What really surprised about this vulnerability was its simplicity and the fact that nobody (not even us) had found it before.  Discovery and exploitation required no wizardry or special talent. We simply had to browse to the affected area of the application and we were given keys to the kingdom (literally). What was even more scary is that this vulnerability could lead to a mass compromise if automated with a specialized Google search (but we won’t give more detail on that here, yet).

So lets dig in…

All versions of the Sonexis ConferenceManager fail to check and see if users attempting to access  the “/admin/backup/settings.asp”, “/admin/backup/download.asp ” or the “/admin/backup/upload.asp ” pages are authorized. Because of this, anyone can browse to one of those pages without first authenticating.  When they do, they’ll have full administrative privileges over the respective Sonexis ConferenceManager pages.  A screen shot of the “settings.asp” age is provided below.

The first thing that we noticed when we accessed the page was that the fields were filled out for us.  This made us curious, especially since the credentials appeared to belong to our customers domain.  When we looked at the document source we found that we didn’t only have the “User ID:” but were also provided with the “Password:” in clear text.

As it turned out, compromising our customer’s IT infrastructure was as simple as using the disclosed credentials to VPN into their network.  Once in we used the same credentials to access Active Directory and to create a second domain administrator account called “netragard”.  We also downloaded the entire password table from Active Directory and began cracking that with hashcat.  While that was being cracked we used our new domain admin account to access any resource that authenticated against Active Directory.  Suffice it to say we had used the Sonexis ConferenceManager vulnerability to compromise the entire IT infrastructure.

But the vulnerabilities didn’t stop there…

As it turns out we could also download the Sonexis ConferenceManager Microsoft SQL database in its entirety.  This was done by changing the configuration in the “settings.asp” page.  Once changed to the right location we were able to download the database (after configuring samba locally).

After we downloaded the file (in zip format) we decompressed it.  Decompression revealed the following contents:

Once decompressed we loaded the files into our local MsSQL database and began to explore the contents.  Not only did we have audio recordings, configuration settings, and other sensitive data, but the administrative password for the Sonexis ConferenceManager was also stored in plain text as is shown in the screen shot below. This in and of its self is yet another vulnerability.

We were able to use the credentials to login to the Sonexis ConferenceManager without issue…

Last but not least…

We found that it was also possible to insert a backdoor into our local copy of the Sonexis ConferenceManager database.  Once the backdoor was created we could re-zip the files and upload the “infected” Microsoft SQL database back to the Sonexis ConferenceManager.  Once loaded, the backdoor will activate allowing the attacker to gain entry to the system (again).

Regarding vendor notification…

Sonexis was notified on 1/31/2012 about the authorization vulnerabilities disclosed in this article.  Sonexis responded once (with a less than friendly, non-cooperative response) on 2/1/2012 and a second time (with a very friendly cooperative response) on 2/6/2012.  We replied to the second response providing the full details of our research to Sonexis.  Sonexis took the information and had a quick fix ready for their customers the next day on 02/07/2012!  They notified their customers that same day with the following email.

We’d like to thank Sonexis for taking the time to be receptive and working with us.  Not only is that the right thing to do, but it showed us that Sonexis takes their customer security very seriously.  As it turned out the initial (less than friendly response) was due to a miscommunication (someone not paying attention to what we were telling them).  The second response came from someone else that was actually a great pleasure to work with.  Suffice it to say that in the end we were really quite impressed with how quickly Sonexis pushed out a fix (and yes it works, we verified that).

If you are a Sonexis ConferenceManager user we strongly urge you to update your system now.

Updated on: 02-16-2012

This vulnerability can be exploited from the Internet.   The image below shows a small sample of Sonexis ConferenceManager users who are vulnerable.  This sample was identified using a combination of ruby with a specially crafted google search.

Blog Posts

Karen Huggins

Chief Financial, HR and Admin Officer
Karen joined the Netragard team in 2017 and oversees Netragard’s financial, human resources as well as administration functions. She also provides project management support to the operations and overall strategy of Netragard.
 
Prior to joining Netragard, she worked at RBC Investor Services Bank in Luxembourg in the role of Financial Advisor to the Global CIO of Investor Services, as well as several years managing the Financial Risk team to develop and implement new processes in line with regulatory requirements around their supplier services/cost and to minimize the residual risk to the organization.
 
With over 20 years of experience in finance with global organizations, she brings new perspective that will help the organization become more efficient as a team. She received her Bachelor of Finance from The Florida State University in the US and her Master of Business Administration at ESSEC Business School in Paris, France.

Philippe Caturegli

Chief Hacking Officer
Philippe has over 20 years of experience in information security. Prior to joining Netragard, Philippe was a Senior Manager within the Information & Technology Risk practice at Deloitte Luxembourg where he led a team in charge of Security & Privacy engagements.

Philippe has over 10 years of experience in the banking and financial sector that includes security assessment of large and complex infrastructures and penetration testing of data & voice networks, operating systems, middleware and web applications in Europe, US and Middle East.

Previously, Philippe held roles within the information system security department of a global pharmaceutical company in London. While working with a heterogeneous network of over 100,000 users across the world and strict regulatory requirements, Philippe gained hands-on experience with various security technologies (VPN, Network and Application Firewalls, IDS, IPS, Host Intrusion Prevention, etc.)

Philippe actively participates in the Information Security community. He has discovered and published several security vulnerabilities in leading products such as Cisco, Symantec and Hewlett-Packard.

He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), PCI Qualified Security Assessors (PCI-QSA), OSSTMM Professional Security Analyst (OPSA), OSSTMM Professional Security Tester (OPST), Certified in Risk and Information Systems Control (CRISC)and Associate Member of the Business Continuity Institute (AMBCI).

Adriel Desautels

Chief Technology Officer
Adriel T. Desautels, has over 20 years of professional experience in information security. In 1998, Adriel founded Secure Network Operations, Inc. which was home to the SNOsoft Research Team. SNOsoft gained worldwide recognition for its vulnerability research work which played a pivotal role in helping to establish today’s best practices for responsible disclosure. While running SNOsoft, Adriel created the zeroday Exploit Acquisition Program (“EAP”), which was transferred to, and continued to operate under Netragard.
 
In 2006, Adriel founded Netragard on the premise of delivering high-quality Realistic Threat Penetration Testing services, known today as Red Teaming. Adriel continues to act as a primary architect behind Netragard’s services, created and manages Netragard’s 0-day Exploit Acquisition Program and continues to be an advocate for ethical 0-day research, use and sales.
 
Adriel is frequently interviewed as a subject matter expert by media outlets that include, Forbes, The Economist, Bloomberg, Ars Technica, Gizmodo, and The Register. Adriel is often an invited keynote or panelist at events such as Blackhat USA, InfoSec World, VICELAND Cyberwar, BSides, and NAW Billion Dollar CIO Roundtable.