2014-03-13

Multiple weaknesses in SAMwin call-center solution

Today, we published two advisories about weaknesses in the SAMwin Center Suite and SAMwin Agent of Telecommunication Software GmbH, a SIP based call-center solution.

Architecture

The first issue is a very basic weakness in the architecture of the software: Hard-coded passwords, which allow anyone to directly connect to back-end database servers of any deployment. This is pretty bad, as not only user-accounts and passwords are stored in this database, but also details and configuration regarding call-forwarding etc. All access credentials can be extracted from the executable files of the software installation.

Details about this can be found in our security advisory
MZ-13-06_SAMwin_Architectural_Issues.txt.

Password-Hashing

The second advisory details weaknesses in the propriatary password-hashing algorithm.

The employed algorithm has unfavorable statistical properties and is prone to collisions:
It is possible to create a sequence of password candidates to optimally cover the space of possible hash values. With 3000 guesses in this sequence, an attacker will successfully gain access with a probability of 99.9%. And with 5743 guesses he is able to cover the whole space of possible hash values and succeed with certainty.

All details and backgrounds about this issue can be found in our security advisory
MZ-13-07_SAMwin_Collisions.txt.

Credits:

  • David Gullasch
  • Max Moser
  • Tobias Ospelt

References:

  • http://www.modzero.ch/advisories/MZ-13-06_SAMwin_Architectural_Issues.txt
  • http://www.modzero.ch/advisories/MZ-13-07_SAMwin_Collisions.txt
  • http://www.telecomsoftware.com/samwin/

Posted by modzero | Permanent link | File under: crypto, advisory