| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Jan 16 23:13:22 2006 From: shawnmer at gmail.com (Shawn Merdinger) Subject: Clipcomm CPW-100E VoIP wireless handset phone open debug service TCP/60023 I disclosed the following issue at ShmooCon 2006 <http://www.shmoocon.org/> during my "VoIP Wireless Phone Security Analysis" presentation. Thanks, --scm =============================================================== DATE: 16 January, 2006 VENDOR: Clipcomm VENDOR NOTIFIED: 14 December, 2005 PRODUCT: Clipcomm CPW-100E VoIP 802.11b Wireless Handset Phone http://www.clipcomm.co.kr/down/manual/CWP-100/CWP-100_SIP_ENG.pdf Firmware Version: 1.1.12 (051129) VULNERABILITY TITLE: Clipcomm CPW-100E VoIP wireless handset phone open debug service TCP/60023 DETAILS, IMPACT AND WORKAROUND: An undocumented port and debug service on TCP/60023 enables an attacker to access without authentication the phone's configuration/debug shell via telnet. The shell access provides the attacker with two levels of access. The first level is the CLIP account that allows general configuration. The second level is the USH shell, accessed from within the CLIP shell, that allows an attacker to enable call tracing and debugging, conduct a factory reset, write to registers, dump memory, etc. Very troubling is that an attacker can use the "call" command under the USH shell to call another phone under the attacker's control from the CPW-100, thereby turning the phone into a remote monitoring device. There appears to be no means to neither disable this access nor enable authentication. CONTACT INFORMATION: Shawn Merdinger shawnmer@...il.com
Powered by blists - more mailing lists