-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 

                            @stake Inc. 
                          www.atstake.com 

                         Security Advisory 

Advisory Name: Multiple Vulnerabilities with Pingtel xpressa SIP Phones 
 Release Date: 07/12/2002 
     Hardware: Pingtel xpressa SIP VoIP phones model PX-1 
     Software: Versions 1.2.5-1.2.7.4 
     Platform: VxWorks 
     Severity: Complete Control of the Pingtel xpressa SIP Phones 
       Author: Ofir Arkin (ofir@atstake.com) 
               Josh Anderson (josh@atstake.com) 
Vendor Status: Bulletin and update available (see response section) 
CVE Candidate: CAN-2002-0667 
               CAN-2002-0668 
               CAN-2002-0669 
               CAN-2002-0670 
               CAN-2002-0671 
               CAN-2002-0672 
               CAN-2002-0673 
               CAN-2002-0674 
               CAN-2002-0675 
    Reference: www.atstake.com/research/advisories/2002/a071202-1.txt 

Summary: 
Pingtel develops intelligent Java-based voice-over-IP phones for service 
providers and enterprises. The vulnerabilities discussed in this advisory 
were found using Pingtel's xpressa voice-over-IP phones model PX-1 
software versions 1.2.5-1.2.7.4. 

The Pingtel xpressa SIP-based phone contains multiple vulnerabilities 
affecting all aspects of the phone's operation. These vulnerabilities 
include: remote access to the phone; remote administrative access to 
the phone; manipulation of SIP signaling; multiple denials of service; 
remote telnet access (complete control of the VxWorks operating system); 
local physical administrative access, and more. 

Using the vulnerabilities enumerated within this advisory it is possible 
to jeopardize critical telephony infrastructure based on Pingtel's xpressa 
SIP phones. Additionally, certain vulnerabilities present a severe risk 
to an organization's entire network infrastructure. 

Detailed Description: 

Remote Access Vulnerabilities 

The Pingtel xpressa SIP-based phone provides a web interface which enables 
remote administrative configuration of the phone's settings. In addition 
this web interface allows a remote user to place calls using SIP, install 
and remove applications, view and alter speed dial settings and configure 
call settings. This web interface is protected by HTTP basic authentication: 
base64 encoded username/password pairs. 

1. Default Administrator Password 
The Pingtel xpressa SIP-based phone ships with no administrator password, 
i.e. the password is set to null. The administrator username is "admin" and 
cannot be changed. If the password is not changed, then an attacker can gain 
both remote and local administrative access to the phone. 

2. Remote Telnet Access 
Potentially the most damaging issue is the presence of a Telnet server 
allowing remote administrative access to the VxWorks operating system. This 
access is only available once a password has been set for the "admin" 
account, trivially accomplished by using the web interface user management 
feature. This access allows a remote attacker to abuse the telephone no 
longer as merely a VoIP device but rather as a fully POSIX compliant 
network device with storage space, bandwidth and a CPU. 

3. Abusing the Web Interface - Manipulating Signaling 
Using the default administrator password an attacker can successfully 
authenticate to the web server. Administrator access allows an attacker 
complete control over the phone's settings. These settings include the 
configuration of an arbitrary SIP proxy, an arbitrary SIP redirect 
server and other SIP entities. By manipulating one or more of these 
settings an attacker can gain complete control over the SIP signaling 
path, leading to, among other things, complete control over the VoIP 
audio stream. This can be done using a malicious SIP proxy, a malicious 
SIP redirect server, and/or a malicious SIP Registrar. 

4. Abusing the Web Interface - Hijacking Calls 
Using the web interface an authenticated user can alter the Call 
Forwarding settings. Setting all calls to be forwarded to another SIP 
URL or phone number enables an attacker to divert all telephone 
traffic to a 3rd party. 

When call forwarding is activated no notification is presented to the 
user of either incoming calls, or diverted calls. 

5. Abusing the Web Interface - Denial of Services 
An attacker can introduce denial-of-service conditions by manipulating 
any of the following settings: 

Administrative Access Required: 

A. Changing the SIP Listening Ports 
Setting the SIP_TCP_PORT and the SIP_UDP_PORT to the same non-zero 
non-default value will result in a denial of service condition against 
all incoming calls using either TCP or UDP as the transport protocol 
for SIP. 

B. Requiring Authentication of Incoming Calls 
Changing the value of SIP_AUTHENTICATE_SCHEME to either Basic or Digest 
forces the authentication of incoming calls. 

When authentication of a call is required neither party is informed of 
an authentication failure. The caller receives no notification of an 
authentication request, and the callee receives no information of the 
call attempt, nor of the authentication failure. Finally, no log is 
produced of the failed call attempt. 

Note: this is not RFC 2543 compliant behavior. 

C. Altering the Behavior of the Web Server 
Assigning 0 to the PHONESET_HTTP_PORT parameter causes the web server 
to shut down. The phone's administrator will have to enable the web 
server physically from each phone in order to re-enable remote access. 

It is, of course, possible to change the listening port of the Web 
Server. This is more of a nuisance than a security issue. 

Any Authenticated User: 

A. Restarting the Phone 
It is possible for any user to restart the phone. After each reboot it 
is approximately 45 seconds before the phone is usable. 

B. Termination of Current Phone Conversation 
Any user can terminate a current phone conversation by selecting which 
of the listed conversations they wish to terminate and pressing the 
"hangup" button. 

C. Disabling the Ring Tone 
An attacker is able to replace the ring tone audio file with either an 
empty or a silent file; in this case no ring tone will be heard. 
Combining this with altering the ALERT method settings to ring only 
will create a denial of service against all incoming calls. 

6. Abusing the Web Interface - Information Leakage 
A. Any authenticated user can perform "Call Tracking" (defined as 
logging of the source and destination of all numbers called) by 
viewing active phone calls: the phone number(s) used, and in some 
cases the participant's names. 

B. Any authenticated user can view and alter the programmed speed 
dial numbers. 

C. Any authenticated user can enable/disable SIP message logs and 
view the message logs. 

D. Any non-administrative user who attempts to alter certain portions 
of the phone's configuration will be requested to authenticate, 
presumably, as an administrative user. After three failed authentication 
attempts the user will be presented with the following error message: 

User Not Authorized 

Must be user "admin" to access this page. 

7. Base64 authentication 
The web interface is protected by HTTP basic authentication, base64 
encoded username/password pairs. This means that web-based 
administration of the phone sends the administrator's username and 
password in what is essentially clear text. As such, even if the 
administrator password has been changed, sniffing traffic to the 
web interface will glean username/password pairs: the 
administrator's, and any other accounts he adds. 

Compounding this problem the Web Server does not support HTTP 
digest authentication, nor does it support HTTPS. 

8. DNS server 
The Pingtel SIP-based phone does not store any of its applications 
locally, rather it downloads them from configured locations; the 
default applications are retrieved from http://appsrv.pingtel.com 
when it first boots. By altering the DNS settings to point to a 
malicious DNS server, it is possible to cause the Pingtel SIP-based 
phone to download and install a malicious package from a different 
source as part of its boot sequence. 

Additionally, by altering the DNS server settings it is possible to 
hijack outgoing calls dialed using a domain name, e.g. user@myphone.com. 

9. Settings Update 
Assigning malicious values to certain parameters prevents the phone 
from booting correctly after a hard reset, e.g. assigning the value 
of 0 for the SIP_UDP_PORT and the SIP_TCP_PORT parameters. 

10. There is a cross site scripting bug in the SIP dialing facility. 
The MESSAGE value will be interpreted as code. This is more of a 
nuisance than a security issue. 

Physical access 

The Pingtel xpressa SIP phone provides a graphical user interface which 
can be used to configure certain settings. Some settings require 
administrative access to be altered. 
        

1. Gaining Local Administrative Access 
>From the phone GUI it is possible to reset the administrator password 
by selecting: 

more -> menu -> factory defaults -> ok 

Without requiring any authentication this will reset the phone to its 
factory defaults, among them setting the administrator password to null. 

2. Gaining Local Access 
The phone enrollment process involves the registration of a phone user 
at the http://my.pingtel.com web site. After the web registration the 
user will be able to register the phone with Pingtel using the 
Mypingtel Sign-in application under: 

more -> apps -> MyPingtel Sign-In 

The user's credentials will be the same as those registered on the 
http://my.pingtel.com web site. These credentials can also be used to 
login to the web interface and remotely manage the phone. 

The registration process at http://my.pingtel.com is done using 
arbitrary information supplied by the user. Pingtel does not verify 
that the supplied user information corresponds to a phone. This 
allows an attacker to register a valid user name which can then 
be used with any Pingtel xpressa SIP-based phone. 

If a phone is already registered to a user, an attacker, by having 
physical access to the phone, can log the user out by: 

More -> apps -> MyPingtel Sign-In -> signout -> ok -> ok 

Then the attacker can re-register the phone with his fake credentials: 

More -> apps -> MyPingtel Sign-In 

The attacker will now have remote access to the phone and will be 
able to do a number of things as an authenticated user. 

3. Denial of Service condition via Manipulated Network Settings 
>From the phone GUI it is possible to change the phone's network 
settings. This is done by selecting: 

more -> apps -> prefs -> Network Settings 

and entering the admin password (either the default one or the 
one that was gleaned from the network). The settings that can be 
changed include DHCP versus a static IP address, configuration of 
DNS servers, time server configuration and quality of service. 

An attacker can assign the phone a different static IP and cause a 
denial of service on incoming calls, or set the phone to an incorrect 
IP address and cause a complete denial of service. 

Assigning an incorrect IP address for the DNS server will cause a 
denial of service to outgoing calls dialed using a domain name 
server, e.g. user@myphone.com. 

Another possible denial of service is assigning a different 
quality of service value. 

4. Altering the Behavior of the Web Server 
The web server can be shutdown by selecting: 

More -> apps -> prefs -> myxpressa Web 

and entering the administrator password (either the default or 
gleaned from sniffed traffic). The "enable web server?" parameter 
can be unchecked or the listening port altered to a non-zero 
non-default value. The phone's administrator will have to enable 
the web server physically from the phone in order to re-enable 
remote access. 

5. Authentication Leakage 
Administrative access will be needed for several phone settings. These 
include the Network Settings, myxpressa Web and User Maintenance. 

Unless the local administrator explicitly terminates his authentication 
via the "ok" or "cancel" buttons he will remain logged in indefinitely. 
There is no time out! Therefore another user will be able to 
arbitrarily alter the settings the administrator logged in to change. 

6. Shoulder Surfing Passwords 
Password characters entered using the Pingtel xpressa SIP-based phone 
keypad are displayed prior to be replaced by an asterisk. Limitations 
of the keypad require this functionality. The only solution requires 
restricting passwords to numeric combinations, and thus limiting the 
available key space. 

Operational Aspects 

1. Ignoring ICMP Error Messages 
After the establishment of a session any ICMP error messages will be 
ignored. If connectivity to one of the participating parties is severed 
the phone will not terminate the call nor explicitly notify the user. 

2. ARP Refresh Problem 
After the Pingtel xpressa SIP-based phone has made an ARP request it 
will consider the ARP reply canonical. It will not perform further 
ARP requests for this IP address. This issue relates to the 
underlying VxWorks operating system. 

3. Firmware Upgrade 
The phone firmware can be upgraded without administrative privileges. 

Vendor Response: 

Vendor was notified of these issues on May 28, 2002. In response to the 
@stake security advisory, Pingtel has created a document named "Best 
Practices for Deploying Pingtel phones." This document is posted 
in the "Support" section of Pingtel Corp's web site 
(http://www.pingtel.com/s_docadmin.jsp). In addition a point by point 
response to the @stake advisory is available at: 
(http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp). 

Temporary Solution: 

Pingtel recommends following the "Best Practices for Deploying Pingtel 
Phones" document made available on their corporate web site 
(http://www.pingtel.com/s_docadmin.jsp). Pingtel also recommends 
upgrading to the v2.0.1 software release made available for download 
from the support section of Pingtel's web site at: 
(http://www.pingtel.com/s_upgrades.jsp). While this upgrade does not 
address all of the issues raised by the @stake advisory further planned 
upgrades for the end of July and the end of 2002 will address the 
remaining issues; providing Digest-based authentication and HTTPS-based 
communication respectively. 

Common Vulnerabilities and Exposures (CVE) Information: 

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
following names to these issues. These are candidates for inclusion in 
the CVE list (http://cve.mitre.org), which standardizes names for 
security problems. 

  CAN-2002-0667 Default administrator password 
  CAN-2002-0668 Abusing Call Forwarding to hijack calls 
  CAN-2002-0669 Incoming Call authentication denial-of-service 
  CAN-2002-0670 HTTP Authentication using Base64 
  CAN-2002-0671 Downloading Phone Applications from non-trusted entities 
  CAN-2002-0672 Gaining local physical access to the phone by 
                resetting the phone to it's factory defaults 
  CAN-2002-0673 Abusing the phone's enrollment process to gain local 
                and remote access to the phone 
  CAN-2002-0674 Authentication leakage 
  CAN-2002-0675 Firmware upgrade vulnerability 

Advisory policy: http://www.atstake.com/research/policy/ 
For more advisories: http://www.atstake.com/research/advisories/ 
PGP Key: http://www.atstake.com/research/pgp_key.asc 

Copyright 2002 @stake, Inc. All rights reserved. 

-----BEGIN PGP SIGNATURE----- 
Version: PGP 7.0.3 

iQA/AwUBPS7gdEe9kNIfAm4yEQJYoACePVrxme9mEe7muEoI0GGt56bsJzMAoJty 
2Xf8P+u5y+mjs1QiC5ZACP04 
=J9XS 
-----END PGP SIGNATURE-----