While performing a review of Cisco’s Unified Communications Manager (CallManager) – a software-based call-processing system –, security researcher Roberto Suggi Liverani has identified a simple way to break the PINs of registered accounts by performing a brute force attack.
“When looking at the phone handset configuration, some URLs are set to allow the handset to retrieve Personal Address Book details or access the Fast Dials. That caught my attention and I immediately pointed my web proxy to those URLs, forgetting about the handset interface,” the expert explained.
The researcher noticed that the handset itself is actually performing simple GET HTTP requests to the CallManager to initiate the login sequence.
The response contains a “sid” token which is needed to perform the brute force attack. Then, a web proxy, such as Burp, can aid in performing this brute force attack.
The technical details for the attack are available here.