SEC Consult Vulnerability Lab Security Advisory < 20150113-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: snom IP phones
 vulnerable version: all firmware versions <8.7.5.15, all firmware branches
                     of all snom desktop IP phones (3xx, 7xx, 8xx, etc)
                     are affected
      fixed version: 8.7.5.15 (for all desktop phones)
             impact: critical
           homepage: http://www.snom.com
              found: 2014-10-24
                 by: Johannes Greil, Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
===================

"snom technology AG develops and manufacturers Voice-over-IP (VoIP) telephones
based on open standard for enterprise communications.
[...]
The devices are suitable for use in all business environments ranging from
home offices to small- and medium-sized enterprises and large corporations.
snom also works directly with carriers, Internet Service Providers, and OEM
customers. The company is globally present through branch offices and a
partner network."

source: http://www.snom.com/en/company/about-snom/


"snom phones (hardware and software) are developed in Germany and strictly
adhere to all applicable security standards (TLS and SRTP). In contrast to
many of our competitors, snom as a German manufacturer is required to abide by
the strict German data protection regulations and laws. This is of
considerable importance for the prevention of phone-tapping."

source: http://www.snom.com/en/company/statement/security/


Business recommendation:
========================
A short security crash test resulted in multiple critical security
vulnerabilities within all desktop IP phones of snom and all firmware
versions.

There exist highly critical attack vectors as the IP phones can be completely
compromised (root) by an external attacker. It is possible to e.g.

* add a backdoor to the system which will even survive a factory reset!
* remotely activate the built-in microphone in order to surveil the room where
  the phone is located,
* tap into phone calls made or received by the compromised phone (e.g. by
  installing a sniffer on the phone),
* redirect phone numbers to premium rate numbers which may result in high
  costs,
* use the phone as a jump-host into the internal network and attack other
  systems.

It is highly recommended by SEC Consult not to use this product until a
thorough security review of the firmware has been performed by security
professionals and all identified issues have been resolved.


Vulnerability overview/description:
===================================
1) Multiple cross site scripting vulnerabilities
------------------------------------------------
The device's web interface suffers from multiple reflected & stored cross site
scripting vulnerabilities, which may allow an attacker to gain unauthorized
access to the admin interface and further compromise the phone.


2) Path traversal filter bypass
-------------------------------
The firmware has a rudimentary filter against path traversal attacks within
URL parameters. E.g. "../" characters within a parameter value will be
filtered. This can be easily bypassed and potentially exploited for further
attacks on the system (e.g. XML minibrowser or action URL features).


3) Directory traversal & privilege escalation
---------------------------------------------
It is possible to directly access the file system via path/directory traversal
attacks within the URL. In order to exploit it, a certain file extension has
to be added and cut off via a null byte which must not be transmitted in URL
encoded form.

Attackers are then able to easily gain access to sensitive files such as the
snom phone configuration file which includes all passwords in cleartext, even
for the admin user account (admin mode) which should not be accessible to a
low privileged user.


4) Command execution via VPN profiles
-------------------------------------
The phone's firmware supports OpenVPN profiles and the configuration can be
uploaded via a tarball from a remote webserver. Admin access in the web GUI is
needed which can be gained by exploiting other vulnerabilities, such as 3) and
5).
By combining more identified vulnerabilities, even a remote attacker would be
able to compromise the internal phone, e.g. add a XSS payload via CSRF in
order to gain access to the admin mode password, then install the malicious
OpenVPN profile.

The attacker can prepare a malicious OpenVPN configuration file with shell
commands in order to execute arbitrary commands on the IP phone with highest
access rights on the operating system (root).

There exist highly critical attack vectors after gaining root access to the
phone:
* add a backdoor to the system which will even survive a factory reset!
* remotely activate the built-in microphone in order to surveil the room where
  the phone is located,
* tap into phone calls made or received by the compromised phone,
* use the phone as a jump-host into the internal network and attack other
  systems,
* etc.

This can also be exploited via TR069 or auto provisioning by a man-in-the-middle
attacker! This can be achieved via the attacks described in 8).


5) Authentication bypass & privilege escalation
-----------------------------------------------
Unprivileged users (non-admin accounts) have the ability to change the
settings for functions keys or action URLs on the phone. Attackers are able to
exploit those features in order to gain administrative access rights on the
web GUI and then exploit further vulnerabilities again, e.g. 4).

The webserver does not check for any user credentials when accessed via
localhost. By reconfiguring a function key or action URL to submit a request
to localhost, it is possible to alter any configuration setting, e.g.
overwrite the current admin-mode password and therefore gain admin access
rights!

This vulnerability is also automatically exploitable via CSRF, local access to
the phone (e.g. for pressing a function key) is _not_ required!

Further short tests have shown, that an attacker could also use the request
for altering the settings by directly accessing the IP address over the
network. The bypass via localhost was not necessary. This can be achieved by
sending the same malicious request multiple times.


6) Cross-site request forgery issues
------------------------------------
Attackers are able to remotely change settings, e.g. the admin mode password,
on the device via CSRF attacks. Furthermore, it is possible to initiate
arbitrary phone calls, e.g. to premium rate numbers, via CSRF!

Short tests have shown that the anti-CSRF feature "use_hidden_tags" was not
effective in the tested firmware version.


7) Remote firmware update by unprivileged users
-----------------------------------------------
Unprivileged users are able to perform a firmware update via the web GUI.
This is also exploitable for a remote attacker using CSRF! A local attacker
could otherwise just simply boot the phone.
An attacker would potentially be able to downgrade to a certain older
firmware, in order to make older security bugs for exploitation available
again. The phone presents the unprivileged user an error message, that admin
access is required. But the phone will automatically perform the firmware
update anyways!


8) Plaintext provisioning through snom servers & weak device identifier
-----------------------------------------------------------------------
Every IP phone contacts the provisioning server of snom at
"provisioning.snom.com" (IP: 80.237.155.31) for an initial setup phase or
after a factory reset in order to retrieve the auto-provisioning URL for the
TR069 server of the ISP. This connection is not secured and uses plaintext
HTTP communication.

Man-in-the-middle attackers (e.g. TAO/QUANTUM attacks, DNS or BGP hijacking,
etc.) can manipulate those requests, use their own TR069 server and install a
backdoor on the phone (e.g. see 4) and afterwards provide the real TR069 URL
for the ISP. The backdoor will survive the new settings/resets or firmware
updates and be available to the attacker.


Furthermore, the phone identifies itself only via the last three bytes of the
MAC address, which can easily be brute-forced. An attacker would be able to
retrieve all TR069 URLs of the ISPs and he could then potentially further
attack those systems.



Proof of concept:
=================
Detailed proof of concept information has been removed from this advisory.
This section will hence only give an overview regarding the vulnerabilities.

1) Multiple cross site scripting vulnerabilities
------------------------------------------------
The following payload can be used within the [removed] parameter in order
to permanently store JavaScript within [removed]. This is also possible by
importing [removed] contents via CSV files:
   [payload removed]

The following URL automatically adds a new entry to the phonebook which
contains JS code. This is also exploitable via CSRF to automatically insert
malicious code without user interaction:
[URL removed]


The following URL is also exploitable because the webserver does not
filter error messages. Browsers that do not url-encode the input are affected
(e.g. older IE versions such as v6):
[URL removed]



2) Path traversal filter bypass
-------------------------------
In order to bypass the "../" filter, the following can be used as an example:
[payload removed]

The string [removed] at the end is necessary, otherwise the basename will be
duplicated by the system.


3) Directory traversal & privilege escalation
---------------------------------------------
The following URL can be used to gain access to the file /etc/passwd by
combining a real null byte (not URL encoded %00), e.g. by using burp proxy hex
mode, with certain appended file extensions:
[URL removed]

The following URL allows an attacker access to SIP credentials, admin mode
password and other configuration settings in plaintext of the snom config.xml
file:
[URL removed]



4) Command execution via VPN profiles
-------------------------------------
The following OpenVPN profile can be used in order to open a reverse shell to
the attacker's system. The attacker will gain the highest access rights on the
phone (root):
    dev tun
    proto tcp
    script-security 2
    remote $someArbitraryOpenVPNIP 443
    cipher AES-128-CBC
    auth SHA1
    tls-verify [payload removed]
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    client
    verb 3
    [...]

In order to exploit it, any publicly available OpenVPN server can be misused
with any credentials, as the payload is already executed during the initial
TLS setup phase.

It is easily possible to install a backdoor on the phone because the flash
storage is writable. SEC Consult tested this by altering the init script
"[removed]" and added a SSH daemon (as an example, any command can be
run) which will be started on each boot. The init script does not get
overwritten even after a factory reset, hence the backdoor can still be
accessed afterwards.


Attackers with root access can now completely compromise the phone, e.g. alter
the configuration in order to enable call redirection to premium rate numbers,
access the microphone, install a sniffer in order to record incoming/outgoing
phone calls, or attack other internal systems, etc.


5) Authentication bypass & privilege escalation
-----------------------------------------------
By using the following URL to localhost as a so-called "action URL" associated
to a function key on the device, it is possible to gain administrative access
rights because the admin-mode password will be set to an attacker-controlled
value:

[URL removed]

This also works when "restrict_uri_queries" and "use_hidden_tags" are set to
"on", sometimes the function key has to be pressed multiple times then.

See vulnerability 6) for infos on how to "press" the function key remotely via
CSRF.

By requesting the following URL with the direct IP address (not localhost)
repeatedly, it was also possible to gain access to admin mode:

[URL removed]


6) Cross-site request forgery issues
------------------------------------
The following URL can be used for CSRF attacks in order to initiate phone
calls to arbitrary numbers (e.g. premium rate):
[URL removed]


The following URL will change the function key setting in order to change the
admin mode password (see 5) via CSRF:

a) URL for setting the function key value:
[URL removed]

b) URL for saving the function key modifications:
[URL removed]

c) URL for automatically executing the command of the function key "P1":
[URL removed]


By exploiting other issues in combination with CSRF, such as XSS and the
OpenVPN command execution flaw, it is possible to remotely compromise the
phone via CSRF.


7) Remote firmware update by unprivileged users
-----------------------------------------------
The following URL can be used in order to load another firmware onto the
device. The device will immediately switch to the firmware download mode even
when accessed as unprivileged user, although the phone prints an error message
that admin-mode access is required:

[URL removed]


8) Plaintext provisioning through snom servers & weak device identifier
-----------------------------------------------------------------------
No proof of concept necessary, wireshark shows plaintext communication.


Vulnerable / tested versions:
=============================
The IP phone snom 710 has been tested during a short security evaluation crash
test with firmware version 8.7.4.7a pre-installed.

Snom confirmed that _all_ older firmware versions are affected by the documented
security vulnerabilities except the current new release 8.7.5.15!

Although snom IP phone 710 has been tested, also _all_ other snom desktop IP phone
products (e.g. 3xx, 7xx, 8xx, etc) are affected!


Vendor contact timeline:
========================
2014-10-31: Contacting vendor through office@snom.com, requesting security
            contact, attaching responsible disclosure policy & encryption keys
2014-11-04: No answer, contacting support@snom.com, sales@snom.com &
            marketing@snom.com, attaching responsible disclosure policy &
            encryption keys
2014-11-06: Calling German office, trying to reach a security contact, no
            useful information received
            Contacting other direct contacts of snom via Sales
2014-11-07: Receiving contact for security communication via Sales, exchanging
            encryption keys and sending encrypted security advisory to given
            contact
2014-11-18: Requesting status update - vulnerabilities have been forwarded to
            developers and are being processed
2014-11-28: Telco with new technical snom contact
2014-12-08 - 2014-12-11: Answering questions of snom regarding some
            vulnerabilities, postponing advisory release deadline to 13th
            January 2015, more time needed
2014-12-30: Requesting status update
2015-01-05: Last fixes are already in progress, scheduled for 13th January,
            receiving document containing detailed information regarding the
            fixes
2015-01-07: Asking which firmware versions and products are affected
2015-01-08: Calling snom, verifying affected products
2015-01-08: Sending adjusted advisory to snom
2015-01-08: Informing CERT.at and CERT-Bund Germany (BSI) about pending release
2015-01-13: Coordinated release of security advisory



Solution:
=========
The vendor provides a new firmware version v8.7.5.15 and urges all users to
_immediately_ upgrade to this version!

Vendor security note & firmware download:
http://wiki.snom.com/8.7.5.15_OpenVPN_Security_Update

Older firmware branches will not be patched and the upgrade to this new
version is therefore absolutely necessary for all users!


According to the vendor, the OpenVPN binary will be removed from the firmware
per default and can be loaded as a small firmware update afterwards if
necessary (see vendor security note above). Users of the OpenVPN feature will
get a warning as they will be affected by the identified vulnerability again
after enabling the feature.


Workaround:
===========
No workaround available. The vendor urges all customers to immediately upgrade
the firmware of all snom IP phones.


Advisory URL:
=============
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF J. Greil / @2015