There is an interesting bug in a Mitel's servers for Voice over IP that allows to discover the numbers called and the numbers calling trought this dhcp server. This server is configurable via http interface and via telnet; in this case, if there is a call at moment of login/pass request, I've noted this:

Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'. 

Username: mitel-cs018
Password: 

ERROR: Invalid Username/Password pair 

Username:
Password: 

Username: ^X^W^E^Q^W
Password: 

ERROR: Invalid Username/Password pair 

Username: Password: 

ERROR: Invalid Username/Password pair 

# in this moment a foreign call arrive from outside

Username: 155 OGIN 149        11:11:55                        D 2
156 ICIN            11:12: 6                        D 4 0xxxXxxxxx
157 XFIC 156        11:12: 6 151            0: 9:47 D 3
158 ICIN            11:12: 6                        D 3 0xxxXxxxxx
159 ANSW 146        11:12:11                0: 0: 9 D 4
160 HDIN 146        11:12:21                        D 4
162 HREC 146        11:12:27                0: 0: 6 D 4
163 ABND ?          11:12:37                0: 0:37 D 3 0xxxXxxxxx
164 ICIN            11:12:43                        D 3 0xxxXxxxxx
165 EXIC 146        11:12:54                0: 0:47 D 4
166 ANSW 146        11:13: 0                0: 0:16 D 3
167 HDIN 146        11:13: 6                        D 3
169 EXIC 146        11:13:13        156     0: 0:12 D 3
171 EXOG 149        11:13:46                0: 1:59 D 2 0xxXxxxxx
172 XFIC 156        11:16:53 146            0: 3:40 D 3 

# where "0xxXxxxxx" are telephone numbers

A derives table results is:

SEQ CODE  EXT   ACC   TIME     RX     TX   DURATION LN    DIALLED DIGITS   COST
No.       No.   COD HH:MM:SS  FROM    TO   HH:MM:SS No.
___ _____ ____ ____ ________  ____   ____  ____________   ______________  _______



So, it's too easy to know the telephonic's "movement" inside a lan that use this fucked system of VoIP.


(an italian version of this advisory is available on olografix.org/acme/mitel.txt)




acme

acme@paranoici DOT org
acme@olografix DOT org