Snom VoIP Phone Host Header Authentication Bypass Vulnerability

Vulnerability ID: 1182026    Vulnerability type: Authorization issue
Published: 2009-08-13    Updated: 2009-08-13
CVE ID: CVE-2009-1048    CNNVD ID: CNNVD-200908-177
Platform: N/A    CVSS score: 10.0
|Vulnerability source
https://www.securityfocus.com/bid/43130
https://cxsecurity.com/issue/WLB-2009080136
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200908-177
|Vulnerability details
Snom is a German VoIP phone vendor. The web interface embedded in Snom VoIP phones is protected by Basic or Digest authentication. A remote attacker who modifies the HTTP request can bypass this authentication. A normal browser sets the Host: request header to the host name entered in the browser's URL field; if the header is modified to contain Host: 127.0.0.1, authentication is bypassed and all pages and functions of the web interface become accessible.
|Exploit
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
# Product:   Snom VoIP/SIP Phones (Snom300, Snom320, Snom360, 
#            Snom370, Snom820)
# Vendor:    snom technology AG
# CVE ID:    CVE-2009-1048
# Subject:   Authentication Bypass of Snom Phone Web Interface
# Risk:      High
# Effect:    Remote
# Author:    Walter Sprenger
# Date:      August 13, 2009
#

Introduction:
-------------
The VoIP phones of snom technology AG can be configured, monitored
or controlled with a browser connecting to the built in web interface.
It is strongly recommended to enable authentication on the web
interface and to set a strong password. 
By constructing a specially crafted HTTP request the authentication 
of the web interface can be completely bypassed.

Impact:
-------
Access to the web interface without authentication enables a
malicious user to [2]:
- call expensive numbers
- listen to the phone conversation by capturing the network traffic
- read SIP username and password
- read and modify all configuration parameters of the phone
- redirect phone calls to another VoIP server
- activate the microphone and listen to the conversation in the room

Affected:
---------
- The tests have been conducted on a Snom360, Firmware versions: 
  - snom360 linux 3.25/snom360-SIP 6.5.17
  - snom360 linux 3.25/snom360-SIP 6.5.18
  - snom360-SIP 7.1.30
  - snom360-SIP 7.1.35 14552
- All Snom300, Snom320, Snom360, Snom370 and Snom820 with firmware versions
  below 6.5.20, 7.1.39 and 7.3.14 are vulnerable according to snom technology AG
- Not vulnerable: 
  - Firmware version 6.5.20 and higher
  - Firmware version 7.1.39 and higher
  - Firmware version 7.3.14 and higher


Technical Description:
----------------------
The web interface of the Snom VoIP/SIP phones is protected by Basic Authentication 
or Digest Authentication.
The authentication can be completely bypassed by modifying the HTTP request.
A normal browser sets the request header "Host:" to the IP address or the host name 
that is entered in the URL field of the browser. If the request header is modified
to contain the value "Host: 127.0.0.1", all pages and functions of the web interface 
can be reached without prompting the user to authenticate.

How to test:
------------
curl -H "Host: 127.0.0.1" http://<IP address of phone>/
curl -k -H "Host: 127.0.0.1" https://<IP address of phone>/

-> if the phone is vulnerable, the index page of the web interface is returned
-> if the phone is not vulnerable, an "HTTP/1.1 401 Unauthorized" response is returned
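As an added illustration (not part of the Compass advisory or of snom's firmware), the Python below reconstructs the flaw class as a hypothetical authorization check that trusts a loopback Host header, places the hardened check beside it (only the TCP peer address, which the client cannot choose, may mark a request as local), and runs a detector over constructed sample requests that flags a loopback Host header arriving from a non-loopback peer. All function names and the sample traffic are assumptions made for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

def parse_request_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request head into the request line and a lower-cased header map."""
    lines = raw.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line terminates the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def host_is_loopback(headers: Dict[str, str]) -> bool:
    """True if the Host header is a loopback IP literal (port stripped); names like 'localhost' are ignored."""
    host = headers.get("host", "")
    host = host[1:host.find("]")] if host.startswith("[") else host.split(":")[0]  # [::1]:80 or 127.0.0.1:80
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def needs_auth_flawed(peer_ip: str, headers: Dict[str, str]) -> bool:
    # Hypothetical reconstruction of the flaw class: a loopback Host header is taken as proof that
    # the request is local, so the password prompt is skipped. Client-controlled data decides.
    return not host_is_loopback(headers)

def needs_auth_fixed(peer_ip: str, headers: Dict[str, str]) -> bool:
    # Hardened form: only the TCP peer address, which the client cannot choose, may mark a request local.
    return not ipaddress.ip_address(peer_ip).is_loopback

def host_spoof_alerts(requests: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Detection: flag requests carrying a loopback Host header that arrived from a non-loopback peer."""
    alerts = []
    for peer_ip, raw in requests:
        request_line, headers = parse_request_head(raw)
        if host_is_loopback(headers) and not ipaddress.ip_address(peer_ip).is_loopback:
            alerts.append((peer_ip, request_line))
    return alerts

# Constructed sample traffic (peer address, raw request head); not captured from a real phone.
SAMPLE = [
    ("192.0.2.10", "GET / HTTP/1.1\r\nHost: 192.0.2.5\r\n\r\n"),
    ("192.0.2.10", "GET /index.htm HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"),
    ("127.0.0.1", "GET /status.htm HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"),
]
```

The second sample request is the one the advisory's curl test produces: the flawed check waives authentication for it, the hardened check does not, and the detector reports it because the peer address contradicts the Host header.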


Workaround / Fix:
-----------------
- Upgrade to firmware version 6.5.20, 7.1.39, 7.3.14 or above
- Disable the web interface until a firmware upgrade is installed


Timeline:
---------
Vendor Notified:   March 19, 2009
Vendor Status:     Replied on March 19 and March 30, vulnerability confirmed
Vendor Response:   Problem fixed in firmware version 7.1.39/7.3.14.
                   Problem will be fixed in version 6.
Patch available:   Firmware upgrade to versions 6.5.20, 7.1.39, 7.3.14 and above

References:
-----------
[1]: http://www.snom.de
[2]: http://www.csnc.ch/misc/files/publications/V6_attacking_voip_v1.0.pdf
|Affected products
- snom technology Snom820 7.1.35
- snom technology Snom820 7.1.30
- snom technology Snom820 6.5.18
- snom technology Snom820 6.5.17
- snom technology Snom 320 SIP Phone 3.2.5 linux
|References

Source: XF
Name: snom-httphost-security-bypass(52424)
Link: http://xforce.iss.net/xforce/xfdb/52424
Source: BUGTRAQ
Name: 20090812 Authentication Bypass of Snom Phone Web Interface
Link: http://www.securityfocus.com/archive/1/archive/1/505723/100/0/threaded
Source: MISC
Link: http://www.csnc.ch/misc/files/advisories/cve-2009-1048.txt
Source: SECUNIA
Name: 36293
Link: http://secunia.com/advisories/36293