A coding flaw in a cloud application aimed at helping people who have hearing or speech disorders place calls through an assistive telephone device could have been used to steal administration passwords at Canada’s major telecom providers or any other provider using the service, according to researchers at a security firm.
The firm, Project Insecurity, said in a report that Soleo Communications — which provides a range of search and voice services for communications providers — fixed the bug in its IP Relay service Aug. 10th. But, the researchers added, a determined attacker could have leveraged the vulnerability before it was sealed to steal passwords from configuration files.
The problem, the report says, was “improper sanitization” of a parameter in the IP Relay servlet — in other words, bad coding. “A developer should always check for dangerous characters in filenames,” said the report. In this case, researchers were able to navigate through the server and into a sensitive directory by using directory traversal characters.
It isn’t known if any attacker exploited the issue against any telecom provider before the application, which converts text to voice, was patched.
The report says Bell, Rogers, Telus, Videotron, SaskTel and Shaw run Soleo’s IP Relay. Soleo Communications didn’t respond to a request for comment by press time. Nor did Bell. In an email Rogers said it was notified of the problem by the Canadian Cyber Incident Response Centre (CCIRC). Soleo’s fix was immediately installed. Rogers said its records show that customer information remained secure and was not accessed or exposed in any way.
Project Insecurity is a penetration testing and vulnerability assessment company with staff in Canada, the U.S. and the U.K. The Soleo vulnerability was discovered by Manitoba-based security researcher Dominik Penner.
In the report Penner said the vulnerability was discovered when he went to the login page of a telecom provider’s IP Relay client for customers. Clicking on the “forgot password” link brings up a URL with a get Page parameter. Changing the parameter to Test resulted in an error message, but that message divulged that the application was trying to load a JSP (Java server page). Ultimately Penner was able to see directories in the application’s Adobe Tomcat server, and concluded that with some work an attacker could reach the source code and the passwords it holds. “An attacker could extract these passwords from within the source files, and further escalate their privileges on the server, or even use said information in a social engineering attack. The end result could be escalated to yield remote code execution,” he wrote.
What software developers should do, says the report, is pay attention to the coding recommendations of the Open Web Application Security Project (OWASP) for avoiding path traversal problems. These include understanding how the operating system underneath the application will process the filenames handed to it, not storing sensitive configuration files inside the web root and, for Windows IIS servers, making sure the web root isn’t on the system disk, to prevent recursive traversal back to system directories.
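The report's core recommendation, checking a page parameter for dangerous characters before it is used as a filename, is illustrated below with an added example. It is not Soleo's code and the directory and file paths are constructed for the illustration; it places a naive resolver beside a hardened one and adds a small log-side check for encoded traversal sequences.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed paths for the example (not Soleo's deployment): the directory the
# servlet may serve pages from, and a config file that sits outside it.
PAGES_ROOT = "/var/lib/tomcat/webapps/iprelay/pages"
CONFIG_FILE = "/var/lib/tomcat/webapps/iprelay/WEB-INF/db.properties"

# Allowlist: a plain .jsp filename, no separators, no dots other than the extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.jsp$")


def vulnerable_resolve(page: str) -> str:
    """Mirrors the flaw the article describes: the request parameter is joined
    onto the pages directory with no checks, so '..' segments walk out of it."""
    return posixpath.normpath(posixpath.join(PAGES_ROOT, page))


def hardened_resolve(page: str) -> Optional[str]:
    """Returns the resolved path only if the parameter is a bare .jsp filename
    and the normalized result still lies under PAGES_ROOT; otherwise None."""
    if not SAFE_NAME.fullmatch(page):
        return None
    resolved = posixpath.normpath(posixpath.join(PAGES_ROOT, page))
    # Defence in depth: the allowlist already forbids separators, but the
    # containment check catches any future loosening of the pattern.
    if posixpath.commonpath([PAGES_ROOT, resolved]) != PAGES_ROOT:
        return None
    return resolved


def looks_like_traversal(param: str) -> bool:
    """Detection helper for access logs: strips up to two layers of URL
    encoding, then flags '..' segments, absolute paths or NUL bytes."""
    decoded = param
    for _ in range(2):
        decoded = unquote(decoded)
    segments = re.split(r"[\\/]", decoded)
    return ".." in segments or decoded.startswith(("/", "\\")) or "\0" in decoded
```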