| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Jan 2015 13:25:39 +0100 From: "kapejod@...glemail.com" <kapejod@...il.com> To: SEC Consult Vulnerability Lab <research@...-consult.com> Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com Subject: Re: [FD] SEC Consult SA-20150113-0 :: Multiple critical vulnerabilities in all snom desktop IP phones Nice, it seems you had more luck with reporting those issues. I reported the path traversal and null-byte injection to Snom on the 12th of March 2013. On Tue, Jan 13, 2015 at 10:53 AM, SEC Consult Vulnerability Lab < research@...-consult.com> wrote: > SEC Consult Vulnerability Lab Security Advisory < 20150113-0 > > ======================================================================= > title: Multiple critical vulnerabilities > product: snom IP phones > vulnerable version: all firmware versions <8.7.5.15, all firmware branches > of all snom desktop IP phones (3xx, 7xx, 8xx, etc) > are affected > fixed version: 8.7.5.15 (for all desktop phones) > impact: critical > homepage: http://www.snom.com > found: 2014-10-24 > by: Johannes Greil, Stefan Viehböck > SEC Consult Vulnerability Lab > https://www.sec-consult.com > ======================================================================= > > Vendor description: > =================== > > "snom technology AG develops and manufacturers Voice-over-IP (VoIP) > telephones > based on open standard for enterprise communications. > [...] > The devices are suitable for use in all business environments ranging from > home offices to small- and medium-sized enterprises and large corporations. > snom also works directly with carriers, Internet Service Providers, and OEM > customers. The company is globally present through branch offices and a > partner network." > > source: http://www.snom.com/en/company/about-snom/ > > > "snom phones (hardware and software) are developed in Germany and strictly > adhere to all applicable security standards (TLS and SRTP). In contrast to > many of our competitors, snom as a German manufacturer is required to > abide by > the strict German data protection regulations and laws. This is of > considerable importance for the prevention of phone-tapping." > > source: http://www.snom.com/en/company/statement/security/ > > > Business recommendation: > ======================== > A short security crash test resulted in multiple critical security > vulnerabilities within all desktop IP phones of snom and all firmware > versions. > > There exist highly critical attack vectors as the IP phones can be > completely > compromised (root) by an external attacker. It is possible to e.g. > > * add a backdoor to the system which will even survive a factory reset! > * remotely activate the built-in microphone in order to surveil the room > where > the phone is located, > * tap into phone calls made or received by the compromised phone (e.g. by > installing a sniffer on the phone), > * redirect phone numbers to premium rate numbers which may result in high > costs, > * use the phone as a jump-host into the internal network and attack other > systems. > > It is highly recommended by SEC Consult not to use this product until a > thorough security review of the firmware has been performed by security > professionals and all identified issues have been resolved. > > > Vulnerability overview/description: > =================================== > 1) Multiple cross site scripting vulnerabilities > ------------------------------------------------ > The device's web interface suffers from multiple reflected & stored cross > site > scripting vulnerabilities, which may allow an attacker to gain unauthorized > access to the admin interface and further compromise the phone. > > > 2) Path traversal filter bypass > ------------------------------- > The firmware has a rudimentary filter against path traversal attacks within > URL parameters. E.g. "../" characters within a parameter value will be > filtered. This can be easily bypassed and potentially exploited for further > attacks on the system (e.g. XML minibrowser or action URL features). > > > 3) Directory traversal & privilege escalation > --------------------------------------------- > It is possible to directly access the file system via path/directory > traversal > attacks within the URL. In order to exploit it, a certain file extension > has > to be added and cut off via a null byte which must not be transmitted in > URL > encoded form. > > Attackers are then able to easily gain access to sensitive files such as > the > snom phone configuration file which includes all passwords in cleartext, > even > for the admin user account (admin mode) which should not be accessible to a > low privileged user. > > > 4) Command execution via VPN profiles > ------------------------------------- > The phone's firmware supports OpenVPN profiles and the configuration can be > uploaded via a tarball from a remote webserver. Admin access in the web > GUI is > needed which can be gained by exploiting other vulnerabilities, such as 3) > and > 5). > By combining more identified vulnerabilities, even a remote attacker would > be > able to compromise the internal phone, e.g. add a XSS payload via CSRF in > order to gain access to the admin mode password, then install the malicious > OpenVPN profile. > > The attacker can prepare a malicious OpenVPN configuration file with shell > commands in order to execute arbitrary commands on the IP phone with > highest > access rights on the operating system (root). > > There exist highly critical attack vectors after gaining root access to the > phone: > * add a backdoor to the system which will even survive a factory reset! > * remotely activate the built-in microphone in order to surveil the room > where > the phone is located, > * tap into phone calls made or received by the compromised phone, > * use the phone as a jump-host into the internal network and attack other > systems, > * etc. > > This can also be exploited via TR069 or auto provisioning by a > man-in-the-middle > attacker! This can be achieved via the attacks described in 8). > > > 5) Authentication bypass & privilege escalation > ----------------------------------------------- > Unprivileged users (non-admin accounts) have the ability to change the > settings for functions keys or action URLs on the phone. Attackers are > able to > exploit those features in order to gain administrative access rights on the > web GUI and then exploit further vulnerabilities again, e.g. 4). > > The webserver does not check for any user credentials when accessed via > localhost. By reconfiguring a function key or action URL to submit a > request > to localhost, it is possible to alter any configuration setting, e.g. > overwrite the current admin-mode password and therefore gain admin access > rights! > > This vulnerability is also automatically exploitable via CSRF, local > access to > the phone (e.g. for pressing a function key) is _not_ required! > > Further short tests have shown, that an attacker could also use the request > for altering the settings by directly accessing the IP address over the > network. The bypass via localhost was not necessary. This can be achieved > by > sending the same malicious request multiple times. > > > 6) Cross-site request forgery issues > ------------------------------------ > Attackers are able to remotely change settings, e.g. the admin mode > password, > on the device via CSRF attacks. Furthermore, it is possible to initiate > arbitrary phone calls, e.g. to premium rate numbers, via CSRF! > > Short tests have shown that the anti-CSRF feature "use_hidden_tags" was not > effective in the tested firmware version. > > > 7) Remote firmware update by unprivileged users > ----------------------------------------------- > Unprivileged users are able to perform a firmware update via the web GUI. > This is also exploitable for a remote attacker using CSRF! A local attacker > could otherwise just simply boot the phone. > An attacker would potentially be able to downgrade to a certain older > firmware, in order to make older security bugs for exploitation available > again. The phone presents the unprivileged user an error message, that > admin > access is required. But the phone will automatically perform the firmware > update anyways! > > > 8) Plaintext provisioning through snom servers & weak device identifier > ----------------------------------------------------------------------- > Every IP phone contacts the provisioning server of snom at > "provisioning.snom.com" (IP: 80.237.155.31) for an initial setup phase or > after a factory reset in order to retrieve the auto-provisioning URL for > the > TR069 server of the ISP. This connection is not secured and uses plaintext > HTTP communication. > > Man-in-the-middle attackers (e.g. TAO/QUANTUM attacks, DNS or BGP > hijacking, > etc.) can manipulate those requests, use their own TR069 server and > install a > backdoor on the phone (e.g. see 4) and afterwards provide the real TR069 > URL > for the ISP. The backdoor will survive the new settings/resets or firmware > updates and be available to the attacker. > > > Furthermore, the phone identifies itself only via the last three bytes of > the > MAC address, which can easily be brute-forced. An attacker would be able to > retrieve all TR069 URLs of the ISPs and he could then potentially further > attack those systems. > > > > Proof of concept: > ================= > Detailed proof of concept information has been removed from this advisory. > This section will hence only give an overview regarding the > vulnerabilities. > > 1) Multiple cross site scripting vulnerabilities > ------------------------------------------------ > The following payload can be used within the [removed] parameter in order > to permanently store JavaScript within [removed]. This is also possible by > importing [removed] contents via CSV files: > [payload removed] > > The following URL automatically adds a new entry to the phonebook which > contains JS code. This is also exploitable via CSRF to automatically insert > malicious code without user interaction: > [URL removed] > > > The following URL is also exploitable because the webserver does not > filter error messages. Browsers that do not url-encode the input are > affected > (e.g. older IE versions such as v6): > [URL removed] > > > > 2) Path traversal filter bypass > ------------------------------- > In order to bypass the "../" filter, the following can be used as an > example: > [payload removed] > > The string [removed] at the end is necessary, otherwise the basename will > be > duplicated by the system. > > > 3) Directory traversal & privilege escalation > --------------------------------------------- > The following URL can be used to gain access to the file /etc/passwd by > combining a real null byte (not URL encoded %00), e.g. by using burp proxy > hex > mode, with certain appended file extensions: > [URL removed] > > The following URL allows an attacker access to SIP credentials, admin mode > password and other configuration settings in plaintext of the snom > config.xml > file: > [URL removed] > > > > 4) Command execution via VPN profiles > ------------------------------------- > The following OpenVPN profile can be used in order to open a reverse shell > to > the attacker's system. The attacker will gain the highest access rights on > the > phone (root): > dev tun > proto tcp > script-security 2 > remote $someArbitraryOpenVPNIP 443 > cipher AES-128-CBC > auth SHA1 > tls-verify [payload removed] > resolv-retry infinite > nobind > persist-key > persist-tun > client > verb 3 > [...] > > In order to exploit it, any publicly available OpenVPN server can be > misused > with any credentials, as the payload is already executed during the initial > TLS setup phase. > > It is easily possible to install a backdoor on the phone because the flash > storage is writable. SEC Consult tested this by altering the init script > "[removed]" and added a SSH daemon (as an example, any command can be > run) which will be started on each boot. The init script does not get > overwritten even after a factory reset, hence the backdoor can still be > accessed afterwards. > > > Attackers with root access can now completely compromise the phone, e.g. > alter > the configuration in order to enable call redirection to premium rate > numbers, > access the microphone, install a sniffer in order to record > incoming/outgoing > phone calls, or attack other internal systems, etc. > > > 5) Authentication bypass & privilege escalation > ----------------------------------------------- > By using the following URL to localhost as a so-called "action URL" > associated > to a function key on the device, it is possible to gain administrative > access > rights because the admin-mode password will be set to an > attacker-controlled > value: > > [URL removed] > > This also works when "restrict_uri_queries" and "use_hidden_tags" are set > to > "on", sometimes the function key has to be pressed multiple times then. > > See vulnerability 6) for infos on how to "press" the function key remotely > via > CSRF. > > By requesting the following URL with the direct IP address (not localhost) > repeatedly, it was also possible to gain access to admin mode: > > [URL removed] > > > 6) Cross-site request forgery issues > ------------------------------------ > The following URL can be used for CSRF attacks in order to initiate phone > calls to arbitrary numbers (e.g. premium rate): > [URL removed] > > > The following URL will change the function key setting in order to change > the > admin mode password (see 5) via CSRF: > > a) URL for setting the function key value: > [URL removed] > > b) URL for saving the function key modifications: > [URL removed] > > c) URL for automatically executing the command of the function key "P1": > [URL removed] > > > By exploiting other issues in combination with CSRF, such as XSS and the > OpenVPN command execution flaw, it is possible to remotely compromise the > phone via CSRF. > > > 7) Remote firmware update by unprivileged users > ----------------------------------------------- > The following URL can be used in order to load another firmware onto the > device. The device will immediately switch to the firmware download mode > even > when accessed as unprivileged user, although the phone prints an error > message > that admin-mode access is required: > > [URL removed] > > > 8) Plaintext provisioning through snom servers & weak device identifier > ----------------------------------------------------------------------- > No proof of concept necessary, wireshark shows plaintext communication. > > > Vulnerable / tested versions: > ============================= > The IP phone snom 710 has been tested during a short security evaluation > crash > test with firmware version 8.7.4.7a pre-installed. > > Snom confirmed that _all_ older firmware versions are affected by the > documented > security vulnerabilities except the current new release 8.7.5.15! > > Although snom IP phone 710 has been tested, also _all_ other snom desktop > IP phone > products (e.g. 3xx, 7xx, 8xx, etc) are affected! > > > Vendor contact timeline: > ======================== > 2014-10-31: Contacting vendor through office@...m.com, requesting security > contact, attaching responsible disclosure policy & encryption > keys > 2014-11-04: No answer, contacting support@...m.com, sales@...m.com & > marketing@...m.com, attaching responsible disclosure policy & > encryption keys > 2014-11-06: Calling German office, trying to reach a security contact, no > useful information received > Contacting other direct contacts of snom via Sales > 2014-11-07: Receiving contact for security communication via Sales, > exchanging > encryption keys and sending encrypted security advisory to > given > contact > 2014-11-18: Requesting status update - vulnerabilities have been forwarded > to > developers and are being processed > 2014-11-28: Telco with new technical snom contact > 2014-12-08 - 2014-12-11: Answering questions of snom regarding some > vulnerabilities, postponing advisory release deadline to 13th > January 2015, more time needed > 2014-12-30: Requesting status update > 2015-01-05: Last fixes are already in progress, scheduled for 13th January, > receiving document containing detailed information regarding > the > fixes > 2015-01-07: Asking which firmware versions and products are affected > 2015-01-08: Calling snom, verifying affected products > 2015-01-08: Sending adjusted advisory to snom > 2015-01-08: Informing CERT.at and CERT-Bund Germany (BSI) about pending > release > 2015-01-13: Coordinated release of security advisory > > > > Solution: > ========= > The vendor provides a new firmware version v8.7.5.15 and urges all users to > _immediately_ upgrade to this version! > > Vendor security note & firmware download: > http://wiki.snom.com/8.7.5.15_OpenVPN_Security_Update > > Older firmware branches will not be patched and the upgrade to this new > version is therefore absolutely necessary for all users! > > > According to the vendor, the OpenVPN binary will be removed from the > firmware > per default and can be loaded as a small firmware update afterwards if > necessary (see vendor security note above). Users of the OpenVPN feature > will > get a warning as they will be affected by the identified vulnerability > again > after enabling the feature. > > > Workaround: > =========== > No workaround available. The vendor urges all customers to immediately > upgrade > the firmware of all snom IP phones. > > > Advisory URL: > ============= > https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > SEC Consult Vulnerability Lab > > SEC Consult > Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich > > Headquarter: > Mooslackengasse 17, 1190 Vienna, Austria > Phone: +43 1 8903043 0 > Fax: +43 1 8903043 15 > > Mail: research at sec-consult dot com > Web: https://www.sec-consult.com > Blog: http://blog.sec-consult.com > Twitter: https://twitter.com/sec_consult > > Interested to work with the experts of SEC Consult? > Write to career@...-consult.com > > EOF J. Greil / @2015 > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists