#!/bin/bash
# PR06-14: IP Phones based on Centrality Communications/Aredfox PA168 chipset weak session management vulnerability
# Author: Adrian Pastor [adrian.pastor-AT-procheckup.com] from ProCheckUp
# This advisory has been published following consultation with UK NISCC [http://www.niscc.gov.uk/]
# Date Found: 3rd November 2006
# Date Public: 22nd January 2007
#
# Vulnerable:
#
# Phones confirmed to be vulnerable:
# - ATCOM AT-320ED IP Phone running SIP firmware versions V1.42 and 1.54
# - SOYO G668 Ethernet IP Phone running SIP firmware version v1.42
#
# The following vendors/models also use the same PA168 chipset/firmware
# and are therefore most likely to be vulnerable to the same issue:
# - AriaVoice
# - AT-323 from ATcom
# - JR168_100B from IPLink
# - JR168_100W from IPLink
# - JR168_200 from IPLink
# - Netweb-401/402 from NetWebGroup
# - OB-WAN VoIP: Ethernet#1 and Ethernet#2 phones are PA168-based
# - Vida: some phones are PA168-based
# - Wuchuan HOP-1001/1002/1003
# - Giptel IP phones G100, also Siptronic ST-100 and Siptronic ST-150 (PA168S chipset)
# - GNET: some phones are PA168x-based
# - KE1020 Netphone (Meritline)
# - ML210 Meritline
# - Integrated Networks IN-1002. Found on eBay.
# - ArtDio IPF-2000 and IPF-2002L phones
# - Perfectone IP300
#
# Severity: Medium
#
# CVE Candidate: Not assigned
#
# Overview:
#
# IP Phones using the PA168 chipset handle authenticated sessions
# insecurely, allowing remote attackers to gain access to the admin web
# console as superuser.
#
# Description:
#
# When the superuser account authenticates to the admin web console, a
# request such as the following is sent to the IP phone's web server:
#
# POST /a HTTP/1.1
# Referer: http://192.168.1.100/
# Host: 192.168.1.100
# Content-Length: 31
#
# auth=12345678&login=+++Login+++
#
# At this point, the superuser session is considered *active* by the web
# server. All an attacker needs to do to perform an administrative task
# at this point is to send a well-formed request to the web server.
# Since no authentication tokens or password are submitted within the HTTP
# requests, anyone can perform administrative tasks while the session is
# active. Even if the attacker sends the administrative requests from an
# IP address different from the one used by the superuser account, the IP
# Phone's web server accepts them as long as the superuser's session
# is still active.
#
# A script called "active-session-attack.sh" has been created, which
# sends a forged superuser request every five seconds until a superuser
# account has logged on. As soon as the superuser session becomes active,
# the following information is obtained from the settings page and
# emailed to the attacker:
# - IP phone's superuser password - grants administrative access
# - IP phone's user password - grants restricted access
# - SIP gateway hostname/IP address
# - SIP account username
# - SIP account PIN number
#
# REQUEST:
#
# POST /g HTTP/1.1
# Host: 192.168.1.100
# Content-Length: 13
#
# back=++Back++
#
# RESPONSE (output has been partially omitted for clarity):
#
# HTTP/1.1 200 OK
# Content-Length: 16727
# Content-Type: text/html
# Connection: close
#
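The session-handling weakness described above, as an added model written for this page (not the phone's firmware, which is not shown here): the vulnerable handler keeps one global "active" flag that any client can ride on, while the hardened handler binds a random per-login token to the client that authenticated. The endpoint paths, the password value and the IP addresses are constructed to mirror the advisory's sample requests.

```python
import secrets

SUPERUSER_PASSWORD = "12345678"  # constructed; mirrors "auth=12345678" in the advisory's sample

class VulnerableConsole:
    """Model of the observed behaviour: POST /a sets one global 'active' flag and POST /g
    is then served to any client, with no token and no binding to who logged in."""
    def __init__(self):
        self.session_active = False

    def handle(self, path, form, client_ip, cookies=None):
        if path == "/a":
            if form.get("auth") != SUPERUSER_PASSWORD:
                return 403, None
            self.session_active = True
        elif path != "/g":
            return 404, None
        return (200 if self.session_active else 403), None

class HardenedConsole:
    """Same endpoints; login returns a random token (to be sent back as a cookie) bound
    to the client IP, and /g is served only with a valid token from that same IP."""
    def __init__(self):
        self.sessions = {}  # token -> client IP that logged in

    def handle(self, path, form, client_ip, cookies=None):
        if path == "/a":
            if form.get("auth") != SUPERUSER_PASSWORD:
                return 403, None
            token = secrets.token_urlsafe(32)
            self.sessions[token] = client_ip
            return 200, token
        if path == "/g":
            token = (cookies or {}).get("session")
            return (200 if self.sessions.get(token) == client_ip else 403), None
        return 404, None

def demo():
    """Replays the advisory's scenario against both models and returns the status codes."""
    login, back = {"auth": SUPERUSER_PASSWORD, "login": "   Login   "}, {"back": "  Back  "}
    v, h, out = VulnerableConsole(), HardenedConsole(), {}
    out["vuln_before_login"], _ = v.handle("/g", back, "10.0.0.9")
    v.handle("/a", login, "192.168.1.50")  # superuser logs in from their own host
    out["vuln_other_ip"], _ = v.handle("/g", back, "10.0.0.9")  # served: the flaw
    out["hard_no_token"], _ = h.handle("/g", back, "10.0.0.9")
    _, tok = h.handle("/a", login, "192.168.1.50")
    out["hard_admin"], _ = h.handle("/g", back, "192.168.1.50", {"session": tok})
    out["hard_other_ip"], _ = h.handle("/g", back, "10.0.0.9", {"session": tok})
    return out
```

The hardened model still trusts the source IP, so on a shared NAT it should be paired with a session timeout and an explicit logout that drops the token.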