[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4B70B66DA655F144855183C68062EE89482E61@trexchange.csnc.ch>
Date: Wed, 12 Aug 2009 23:46:27 +0200
From: "Walter Sprenger" <walter.sprenger@...c.ch>
To: <bugtraq@...urityfocus.com>
Subject: Authentication Bypass of Snom Phone Web Interface
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Snom VoIP/SIP Phones (Snom300, Snom320, Snom360,
# Snom370, Snom820)
# Vendor: snom technology AG
# CVD ID: CVE-2009-1048
# Subject: Authentication Bypass of Snom Phone Web Interface
# Risk: High
# Effect: Remote
# Author: Walter Sprenger
# Date: August 13, 2009
#
#############################################################
Introduction:
-------------
The VoIP phones of snom technology AG can be configured, monitored
or controlled with a browser connecting to the built in web interface.
It is strongly recommended to enable authentication on the web
interface and to set a strong password.
By constructing a specially crafted HTTP request the authentication
of the web interface can be completely bypassed.
Impact:
-------
Access to the web interface without authentication enables a
malicious user to [2]:
- call expensive numbers
- listen to the phone conversation by capturing the network traffic
- read SIP username and password
- read and modify all configuration parameters of the phone
- redirect phone calls to another VoIP server
- activate the microphone and listen to the conversation in the room
Affected:
---------
- The tests have been conducted on a Snom360, Firmware versions:
- snom360 linux 3.25/snom360-SIP 6.5.17
- snom360 linux 3.25/snom360-SIP 6.5.18
- snom360-SIP 7.1.30
- snom360-SIP 7.1.35 14552
- All Snom300, Snom320, Snom360, Snom370 and Snom820 with firmware
versions below 6.5.20, 7.1.39 and 7.3.14 are vulnerable according
to snom technology AG
- Not vulnerable:
- Firmware version 6.5.20 and higher
- Firmware version 7.1.39 and higher
- Firmware version 7.3.14 and higher
Technical Description:
----------------------
The web interface of the Snom VoIP/SIP phones is protected by
Basic Authentication or Digest Authentication.
The authentication can be completely bypassed by modifying the
HTTP request. A normal browser sets the request header "Host:"
to the IP address or the host name that is entered in the URL
field of the browser. If the request header is modified to
contain the value "Host: 127.0.0.1", all pages and functions
of the web interface can be reached without prompting the user
to authenticate.
How to test:
------------
curl -H "Host: 127.0.0.1" http://<IP address of phone>/
curl -k -H "Host: 127.0.0.1" https://<IP address of phone>/
-> if the phone is vulnerable, the index page of the web
interface is returned
-> if the phone is not vulnerable, an
"HTTP/1.1 401 Unauthorized" response is returned
Workaround / Fix:
-----------------
- Upgrade to firmware version 6.5.20, 7.1.39, 7.3.14 or above
- Disable the web interface until a firmware upgrade is installed
Timeline:
---------
Vendor Notified: March 19, 2009
Vendor Status: Replied on March 19 and March 30, vulnerability
confirmed
Vendor Response: Problem fixed in firmware version 7.1.39/7.3.14.
Problem will be fixed in version 6.
Patch available: Firmware upgrade to versions 6.5.20, 7.1.39, 7.3.14
and above
References:
-----------
[1]: http://www.snom.de
[2]:
http://www.csnc.ch/misc/files/publications/V6_attacking_voip_v1.0.pdf
Powered by blists - more mailing lists