lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <fb0927a80601161411l48573b8br1e5fb5f2851580c0@mail.gmail.com>
Date: Mon Jan 16 23:13:22 2006
From: shawnmer at gmail.com (Shawn Merdinger)
Subject: Clipcomm CPW-100E VoIP wireless handset phone
	open debug service TCP/60023

I disclosed the following issue at ShmooCon 2006
<http://www.shmoocon.org/> during my "VoIP Wireless Phone Security
Analysis" presentation.

Thanks,
--scm

===============================================================

DATE:
16 January, 2006

VENDOR:
Clipcomm

VENDOR NOTIFIED:
14 December, 2005

PRODUCT:
Clipcomm CPW-100E VoIP 802.11b Wireless Handset Phone
http://www.clipcomm.co.kr/down/manual/CWP-100/CWP-100_SIP_ENG.pdf
Firmware Version: 1.1.12 (051129)

VULNERABILITY TITLE:
Clipcomm CPW-100E VoIP wireless handset phone open debug service TCP/60023

DETAILS, IMPACT AND WORKAROUND:
An undocumented port and debug service on TCP/60023 enables an
attacker to access without authentication the phone's
configuration/debug shell via telnet. The shell access provides the
attacker with two levels of access. The first level is the CLIP
account that allows general configuration. The second level is the USH
shell, accessed from within the CLIP shell, that allows an attacker to
enable call tracing and debugging, conduct a factory reset, write to
registers, dump memory, etc.

Very troubling is that an attacker can use the "call" command under
the USH shell to call another phone under the attacker's control from
the CPW-100, thereby turning the phone into a remote monitoring
device.

There appears to be no means to neither disable this access nor enable
authentication.

CONTACT INFORMATION:
Shawn Merdinger
shawnmer@...il.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ