Exploit the possiblities

Grandstream Wave 1.0.1.26 Man-In-The-Middle

Grandstream Wave 1.0.1.26 Man-In-The-Middle
Posted Mar 17, 2016
Authored by Georg Lukas

The Grandstream VoIP products deploy a remote provisioning mechanism that allows to automatically set configuration elements on phone/app startup. By default, an insecure connection to `fm.grandstream.com` is used to obtain the provisioning profile. An active attacker can redirect this request and change arbitrary values of the configuration. This allows to redirect phone calls through a malicious server, turn the phone into a bug, change passwords, and exfiltrate system logs (including the phone numbers dialed by the user).

tags | advisory, remote, arbitrary
advisories | CVE-2016-1518
MD5 | bae9a0ebba1ee3cef010efe0194b2c22

Grandstream Wave 1.0.1.26 Man-In-The-Middle

Change Mirror Download
CVE-2016-1518: GrandStream Android VoIP Phone / App Provisioning
Vulnerability
============================================================================
==

Affected app: [Grandstream Wave][GSWAVE] version 1.0.1.26 (and probably
earlier)

Affected device: [Grandstream GXV3275][GXV3275] Android desk phone, version
1.0.3.55 (probably others as well)

Classification:

* [CWE-300 Channel Accessible by Non-Endpoint][CWE300]
* [CWE-319 Cleartext Transmission of Sensitive Information][CWE319]
* CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (score 8.1)

## Summary

The Grandstream VoIP products deploy a remote provisioning mechanism that
allows to automatically set configuration elements on phone/app startup. By
default, an insecure connection to `fm.grandstream.com` is used to obtain
the
provisioning profile. An active attacker can redirect this request and
change
arbitrary values of the configuration. This allows to redirect phone calls
through a malicious server, turn the phone into a bug, change passwords, and
exfiltrate system logs (including the phone numbers dialed by the user).
The
changes are stored locally, so a single successful attack is sufficient to
gain permanent control of the device.

## Details

Grandstream devices are meant to be deployed in corporate environments,
where
central manageability is key. Therefore, they offer an auto-provisioning
mechanism that allows central configuration of the VoIP and administrative
settings, both in the physical products (Android-based desk phones like the
GXV3275), and in the app deployed via Google Play ([Grandstream
Wave][GSWAVE]).

The auto-provisioning works by regularly downloading certain configuration
files from a URL that is internally configured as the *Config Server Path*.
The default *Config Server Path* is `http://fm.grandstream.com/gs/` which
causes the phone/app to request provisioning data over an insecure channel
from a server operated by Grandstream.

The desk phone downloads the configuration every 60 seconds, the app once on
launch. Multiple configuration files are requested from the server, to allow
specific and generic configuration:

* `cfg<MAC>` (desk phone only)
* `cfg<MAC>.xml` (desk phone and app)
* `cfg.xml` (desk phone and app)

`cfg<MAC>` is a plaintext file containing key-value pairs, `cfg*.xml` are
XML
files based on a similar key-value schema. `<MAC>` is the MAC address of the
device, without byte delimiters.

Passive attackers can obtain the MAC address of the device running the VoIP
application, as well as eventual provisioning elements returned by the
server.

Active attackers can perform a Man-in-the-Middle attack (e.g. by means of
ARP
spoofing or DNS poisoning) to redirect the request to a maliciously crafted
configuration file, re-provisioning the phone with new settings.

## Impact

The provisioning file can change any aspect of the VoIP functionality. It
contains key-value pairs for different options (Pxxx), e.g. the following to
change the admin password (P2) and to redirect STUN traffic (P76):

<?xml version="1.0" encoding="UTF-8" ?>
<gs_provision version="1">
<config version="1">
<P2>haha-pwn3d</P2>
<P76>stun.mallory.evil</P76>
</config>
</gs_provision>

The GXV3275 phone has over 1600 different settings that can be configured
this
way, including:

* Changing of admin and user passwords
* Adding or replacing VoIP accounts / servers
* Turning the phone into a bug by setting a "silent" ringtone and enabling
auto-answer
* Enabling syslog logging to an attacker-controlled server
* Changing the Config Server Path URL to a server controlled by the
attacker,
allowing to push new configuration after the initial Man-in-the-Middle
attack

A full list of configuration options for different devices is available in
the
"Configuration Template" on the [GrandStream server][GSTOOLS].

## Mitigation

On the Wave app, the only way to close the issue is by disabling remote
provisioning. This can be achieved by entering an empty URL:

1. Open "GSWave"
2. Switch to the "Settings" tab
3. Open "Advanced Settings" menu
4. Set "Config Server Path" to an empty string

On the GXV3275 desk phone, it is also possible to deploy secure provisioning
by switching the provisioning mode to HTTPS and enabling certificate chain
validation.

1. Open the administrative web interface
2. Switch to the "Maintenance" tab
3. Select the "Upgrade" menu
4. Set "Validate Certificate Chain" to "**Yes**"
5. Set "Upgrade Via" to "**HTTPS**"

After disabling / securing the auto-provisioning, **all configuration
elements** should be checked for prior manipulation, e.g. by exporting and
inspecting the phone configuration file.

## Timeline

* 2015-11-24 Discovery of the issue
* 2015-11-24 Requested CVE number
* 2015-12-01 Notification of vendor
* 2016-01-20 CVE number assigned
* 2016-03-16 Public disclosure

## Contact

Please contact Dr. Georg Lukas with any further questions regarding this
vulnerability.

PDF version:
http://rt-solutions.de/images/PDFs/Veroeffentlichungen/CVE-2016-1518-insecur
e-provisioning.pdf
[GSWAVE]: https://play.google.com/store/apps/details?id=com.softphone
[GXV3275]:
http://www.grandstream.com/products/ip-video-telephony/ip-video-phones-andro
id/product/gxv3275
[GSTOOLS]: http://www.grandstream.com/support/tools
[CWE300]: https://cwe.mitre.org/data/definitions/300.html
[CWE319]: https://cwe.mitre.org/data/definitions/319.html

--
Dr.-Ing. Georg Lukas
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln

Tel. : (+49)221 93724 16
Fax : (+49)221 93724 50
Mobil: (+49)179 4176591
Web : www.rt-solutions.de
rt-solutions.de
experts you can trust.

Sitz der Gesellschaft: Köln
Eingetragen beim Amtsgericht Köln: HRB 52645
Geschäftsführer: Prof. Dr. Ralf Schumann, Dr. Stefan Schemmer

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close