Title: ShoreWare Director Denial of Service and Arbitrary File Modification
Product: ShoreTel ShoreWare Director
Vendor: ShoreTel, http://www.shoretel.com
Vulnerable Versions: 18.61.7500.0, and likely all prior versions.
Tested Version: 18.61.7500.0
Credit: Dennis Kelly

Introduction

ShoreTel ShoreWare Director is the core management interface for managing ShoreTel's Unified Communication (UC) system. The ShoreWare server install includes an IIS FTP service used to distribute configuration and firmware to IP phones using anonymous FTP. Additionally, a virtual directory /ShorewareDirector that is not visible in a directory listing is used by ShoreWare Director for uploading and storing Auto-Attendant Menu Prompts (System Greetings).

Impact

By default, the /ShorewareDirector directory is available via anonymous FTP, unrestricted, and with read-write access. It is vulnerable to:

- A Denial of Service (DoS) by filling up the disk with arbitrary files. If the directory resides on the C: drive, this could make the entire server unavailable. Otherwise, it could prevent administrators from changing menu prompts or other system functions that use the same disk.

- Unauthenticated modification and deletion of menu prompts actively being used by the system. Deleting an actively used file will cause the system to use the default greeting. An attacker could overwrite an active prompt (it can take hours to refresh from the FTP server though). This would result in a good laugh and high fives, but could also be used to convince users to take further action or disclose sensitive information as a step in a more complex attack.

Vendor Response

The vendor reports this is an essential component of their platform and does not impose significant impact to system integrity. A change request to the functionality can be submitted to suggestions@shoretel.com.

Mitigation

Limit access to the /ShorewareDirector directory to an administrative host or network using FTP IP Address and Domain Restrictions in IIS.
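The following PowerShell script is an added example of the mitigation above; it is not part of the advisory and is not vendor-provided configuration. It uses the IIS WebAdministration module to scope an FTP IP Address and Domain Restriction to the /ShorewareDirector virtual directory only, so the anonymous phone configuration and firmware tree keeps its existing access. The FTP site name ('Default FTP Site') and the administrative network (10.0.0.0/24) are assumptions to be replaced with the real values.

```powershell
# Added example (not from the advisory or the vendor): restrict the
# /ShorewareDirector FTP virtual directory to an administrative network using
# IIS FTP IP Address and Domain Restrictions (system.ftpServer/security/ipSecurity).
# Assumptions: the FTP site is named 'Default FTP Site', the administrative
# network is 10.0.0.0/24, and the virtual directory is named 'ShorewareDirector'.
# Run in an elevated PowerShell session on the ShoreWare server.
Import-Module WebAdministration

$FtpSite      = 'Default FTP Site'      # assumed site name; compare with: Get-ChildItem IIS:\Sites
$VirtualDir   = 'ShorewareDirector'     # virtual directory named in the advisory
$AdminNetwork = '10.0.0.0'              # assumed administrative network
$AdminMask    = '255.255.255.0'
$Location     = "$FtpSite/$VirtualDir"  # restriction applies to this path only
$Filter       = 'system.ftpServer/security/ipSecurity'
$AppHost      = 'MACHINE/WEBROOT/APPHOST'

# 1. Deny every client that is not explicitly listed. IIS writes this as a
#    <location path="Default FTP Site/ShorewareDirector"> element in
#    applicationHost.config, so the rest of the FTP site is unaffected.
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter `
    -Name 'allowUnlisted' -Value $false

# 2. Allow only the administrative network (skip if the entry already exists,
#    so the script can be re-run safely).
$existing = Get-WebConfiguration -PSPath $AppHost -Location $Location `
    -Filter "$Filter/add[@ipAddress='$AdminNetwork']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter `
        -Name '.' -Value @{ ipAddress = $AdminNetwork; subnetMask = $AdminMask; allowed = $true }
}

# 3. Verify the effective configuration for the virtual directory.
$effective = Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter $Filter
"allowUnlisted for ${Location}: $($effective.allowUnlisted)"
Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter "$Filter/add" |
    Select-Object ipAddress, subnetMask, domainName, allowed |
    Format-Table -AutoSize
```

After applying it, confirm from a host outside the administrative network that an anonymous FTP session can still fetch phone configuration and firmware but is refused when changing into /ShorewareDirector, and confirm from an administrative host that prompt uploads through ShoreWare Director still work. If Director itself writes to the directory over FTP from the ShoreWare server, the server's own address must be included in the allowed list as well; whether it does is not stated in the advisory and should be checked before rollout.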
Timeline

10/04/2013: Vulnerability discovered.
10/07/2013: Vendor contacted.
10/11/2013: Vendor response.
10/13/2013: Disclosure.