Snom VoIP Phone Host Header Authentication Bypass Vulnerability

Vulnerability ID: 1182026        Vulnerability type: Authorization issue
Published: 2009-08-13            Updated: 2009-08-13
CVE ID: CVE-2009-1048            CNNVD ID: CNNVD-200908-177
Platform: N/A                    CVSS score: 10.0
# Product:   Snom VoIP/SIP Phones (Snom300, Snom320, Snom360, 
#            Snom370, Snom820)
# Vendor:    snom technology AG
# CVE ID:    CVE-2009-1048
# Subject:   Authentication Bypass of Snom Phone Web Interface
# Risk:      High
# Effect:    Remote
# Author:    Walter Sprenger
# Date:      August 13, 2009

The VoIP phones of snom technology AG can be configured, monitored
or controlled with a browser connecting to the built-in web interface.
It is strongly recommended to enable authentication on the web
interface and to set a strong password.
By constructing a specially crafted HTTP request, the authentication
of the web interface can be completely bypassed.

Access to the web interface without authentication enables a
malicious user to [2]:
- call expensive numbers
- listen to the phone conversation by capturing the network traffic
- read SIP username and password
- read and modify all configuration parameters of the phone
- redirect phone calls to another VoIP server
- activate the microphone and listen to the conversation in the room

- The tests were conducted on a Snom360 with the following firmware versions:
  - snom360 linux 3.25/snom360-SIP 6.5.17
  - snom360 linux 3.25/snom360-SIP 6.5.18
  - snom360-SIP 7.1.30
  - snom360-SIP 7.1.35 14552
- According to snom technology AG, all Snom300, Snom320, Snom360, Snom370 and
  Snom820 phones with firmware versions below 6.5.20, 7.1.39 and 7.3.14 are vulnerable
- Not vulnerable:
  - Firmware version 6.5.20 and higher
  - Firmware version 7.1.39 and higher
  - Firmware version 7.3.14 and higher
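The version ranges above are branch-specific (a 7.1.x phone is fixed at 7.1.39, a 7.3.x phone at 7.3.14), so an inventory check has to compare within the right branch rather than against a single number. The following Python helper is an added example, not part of the original advisory or any snom tool: it extracts the dotted firmware version from strings in the form the advisory lists (the "snom360 linux 3.25/snom360-SIP 6.5.17" form included) and classifies it against the fixed versions the advisory names. Firmware branches the advisory does not mention (the `None` result) are an assumption of this example, not a statement from the vendor.

```python
import re

# First fixed version on each firmware branch, as stated in the advisory.
FIXED_VERSIONS = {
    (6, 5): (6, 5, 20),
    (7, 1): (7, 1, 39),
    (7, 3): (7, 3, 14),
}


def parse_firmware_version(text):
    """Return the first three-part dotted version in a firmware string as an int tuple.

    The Linux kernel tag in "snom360 linux 3.25/snom360-SIP 6.5.17" has only two
    parts, so the regex skips it and picks up the SIP firmware version 6.5.17.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no firmware version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(firmware_string):
    """Classify a firmware string against the advisory's fixed versions.

    Returns True (below the branch's fix), False (at or above it) or None when the
    branch is not covered by the advisory (assumption of this example: unknown, not safe).
    """
    version = parse_firmware_version(firmware_string)
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return None
    return version < fixed


def triage_inventory(inventory):
    """Map each (phone label, firmware string) pair to a human-readable status."""
    labels = {True: "VULNERABLE - upgrade or disable web interface",
              False: "fixed", None: "unknown branch - verify with vendor"}
    return {phone: labels[is_vulnerable(fw)] for phone, fw in inventory}


if __name__ == "__main__":
    # Constructed sample inventory using the version strings the advisory lists.
    sample = [
        ("desk-101", "snom360 linux 3.25/snom360-SIP 6.5.17"),
        ("desk-102", "snom360-SIP 7.1.35 14552"),
        ("desk-103", "snom370-SIP 7.3.14"),
    ]
    for phone, status in triage_inventory(sample).items():
        print(f"{phone}: {status}")
```

Because the comparison is tuple-based, a version such as 7.1.100 sorts correctly above 7.1.39, which a plain string comparison would get wrong.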

Technical Description:
The web interface of the Snom VoIP/SIP phones is protected by Basic Authentication
or Digest Authentication.
The authentication can be completely bypassed by modifying the HTTP request.
A normal browser sets the request header "Host:" to the IP address or the host name
that is entered in the URL field of the browser. If the request is modified so that
the header is sent as a bare "Host:" with no value, all pages and functions of the
web interface can be reached without the user being prompted to authenticate.
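The bypass leaves a simple fingerprint in traffic to the phone's web interface: a request whose Host header carries no value, or no Host header at all (curl's `-H "Host:"` syntax removes the header entirely rather than sending an empty one, so both forms need to be covered). The following Python detection routine is an added example, not part of the advisory; it parses raw HTTP request heads as a proxy or capture tool would hand them over and reports the ones to flag. The sample requests are constructed for this example, and the `192.0.2.10` address is a documentation-range placeholder.

```python
def parse_request_head(raw):
    """Split a raw HTTP request into its request line and a lowercase header dict.

    Only the head (up to the blank line) is inspected; the body is irrelevant here.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def host_header_anomaly(raw):
    """Return a reason string if the Host header is absent or empty, else None."""
    _, headers = parse_request_head(raw)
    if "host" not in headers:
        return "missing Host header"
    if headers["host"] == "":
        return "empty Host header"
    return None


def flag_requests(raw_requests):
    """Return (request line, reason) for every request matching the bypass pattern."""
    findings = []
    for raw in raw_requests:
        reason = host_header_anomaly(raw)
        if reason is not None:
            request_line, _ = parse_request_head(raw)
            findings.append((request_line, reason))
    return findings


# Constructed sample traffic: one normal browser request, one with an empty Host
# value, and one with the header removed as curl -H "Host:" would send it.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /config HTTP/1.1\r\nHost:\r\nUser-Agent: example-client\r\n\r\n",
    "GET /config HTTP/1.1\r\nUser-Agent: curl/7.19.7\r\nAccept: */*\r\n\r\n",
]

if __name__ == "__main__":
    for request_line, reason in flag_requests(SAMPLE_REQUESTS):
        print(f"ALERT: {reason}: {request_line}")
```

On a network where the phones cannot be upgraded immediately, the same check can be enforced rather than merely logged: a reverse proxy or packet filter in front of the phones that drops HTTP/1.1 requests lacking a valid Host value removes the trigger while the firmware update is scheduled.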

How to test:
curl -H "Host:" http://<IP address of phone>/
curl -k -H "Host:" https://<IP address of phone>/

-> If the phone is vulnerable, the index page of the web interface is returned.
-> If the phone is not vulnerable, an "HTTP/1.1 401 Unauthorized" response is returned.

Workaround / Fix:
- Upgrade to firmware version 6.5.20, 7.1.39, 7.3.14 or above
- Disable the web interface until a firmware upgrade is installed

Vendor Notified:   March 19, 2009
Vendor Status:     Replied on March 19 and March 30, vulnerability confirmed
Vendor Response:   Problem fixed in firmware version 7.1.39/7.3.14.
                   Problem will be fixed in version 6.
Patch available:   Firmware upgrade to versions 6.5.20, 7.1.39, 7.3.14 and above

Affected products listed in this database entry:
- snom technology Snom820 7.1.35
- snom technology Snom820 7.1.30
- snom technology Snom820 6.5.18
- snom technology Snom820 6.5.17
- snom technology Snom 320 SIP Phone 3.2.5 linux