[Full-disclosure] ACT P202S VoIP wireless phone multiple undocumented ports/services

I disclosed the following issues at ShmooCon 2006
<http://www.shmoocon.org/&gt; during my "VoIP Wireless Phone Security
Analysis" presentation.

Thanks,
–scm

===============================================================

DATE:
16 January, 2006

VENDOR:
ACT – Advantage Century Telecommunication Corporation

VENDOR NOTIFIED:
19 October, 2005

PRODUCT:
ACT P202S VoIP wireless phone
http://www.act-tel.com.tw/_pg/products/productItem.asp?productKey=54
Firmware Version:
1.1.21on VxWorks

VULNERABILITY TITLE:
ACT P202S VoIP wireless phone multiple undocumented ports/services

DETAILS, IMPACT AND WORKAROUND:
The ACT P202S VoIP 802.11b wireless phone, version 1.01.21 on VxWorks
has three undocumented ports and extraneous services that can be
exploited by attackers.

1. Undocumented port, UDP/17185 VxWorks WDB remote debugging (wdbrpc)

2. Undocumented port, TCP/7 echo

3. Undocumented port, TCP/513 rlogin

4. Hardcoded NTP server

5. Undocumented port, UDP/17185 may allows direct access to phone
   memory and OS internals.

6. Undocumented port, TCP/7 may allow attacker to reflect sent network
   data using the echo service, potential causing impact to phone
   operation or utilized in DoS of other network devices.

7. Undocumented port, TCP/513 allows an attacker rlogin access with no
   credentials.

8. The phone configuration has a hardcoded Taiwan NTP server

CONTACT INFORMATION:
Shawn Merdinger
[email protected]