title: Multiple critical vulnerabilities
product: snom IP phones
"snom technology AG develops and manufacturers Voice-over-IP (VoIP) telephones
based on open standard for enterprise communications.
[…]
The devices are suitable for use in all business environments ranging from
home offices to small- and medium-sized enterprises and large corporations.
snom also works directly with carriers, Internet Service Providers, and OEM
customers. The company is globally present through branch offices and a
partner network."
source: http://www.snom.com/en/company/about-snom/
"snom phones (hardware and software) are developed in Germany and strictly
adhere to all applicable security standards (TLS and SRTP). In contrast to
many of our competitors, snom as a German manufacturer is required to abide by
the strict German data protection regulations and laws. This is of
considerable importance for the prevention of phone-tapping."
source: http://www.snom.com/en/company/statement/security/
A short security crash test resulted in multiple critical security
vulnerabilities within all desktop IP phones of snom and all firmware
versions.
There exist highly critical attack vectors as the IP phones can be completely
compromised (root) by an external attacker. It is possible to e.g.
It is highly recommended by SEC Consult not to use this product until a
thorough security review of the firmware has been performed by security
professionals and all identified issues have been resolved.
The device's web interface suffers from multiple reflected & stored cross site
scripting vulnerabilities, which may allow an attacker to gain unauthorized
access to the admin interface and further compromise the phone.
The firmware has a rudimentary filter against path traversal attacks within
URL parameters. E.g. "…/" characters within a parameter value will be
filtered. This can be easily bypassed and potentially exploited for further
attacks on the system (e.g. XML minibrowser or action URL features).
It is possible to directly access the file system via path/directory traversal
attacks within the URL. In order to exploit it, a certain file extension has
to be added and cut off via a null byte which must not be transmitted in URL
encoded form.
Attackers are then able to easily gain access to sensitive files such as the
snom phone configuration file which includes all passwords in cleartext, even
for the admin user account (admin mode) which should not be accessible to a
low privileged user.
The phone's firmware supports OpenVPN profiles and the configuration can be
uploaded via a tarball from a remote webserver. Admin access in the web GUI is
needed which can be gained by exploiting other vulnerabilities, such as 3) and
5).
By combining more identified vulnerabilities, even a remote attacker would be
able to compromise the internal phone, e.g. add a XSS payload via CSRF in
order to gain access to the admin mode password, then install the malicious
OpenVPN profile.
The attacker can prepare a malicious OpenVPN configuration file with shell
commands in order to execute arbitrary commands on the IP phone with highest
access rights on the operating system (root).
There exist highly critical attack vectors after gaining root access to the
phone:
This can also be exploited via TR069 or auto provisioning by a man-in-the-middle
attacker! This can be achieved via the attacks described in 8).
Unprivileged users (non-admin accounts) have the ability to change the
settings for functions keys or action URLs on the phone. Attackers are able to
exploit those features in order to gain administrative access rights on the
web GUI and then exploit further vulnerabilities again, e.g. 4).
The webserver does not check for any user credentials when accessed via
localhost. By reconfiguring a function key or action URL to submit a request
to localhost, it is possible to alter any configuration setting, e.g.
overwrite the current admin-mode password and therefore gain admin access
rights!
This vulnerability is also automatically exploitable via CSRF, local access to
the phone (e.g. for pressing a function key) is not required!
Further short tests have shown, that an attacker could also use the request
for altering the settings by directly accessing the IP address over the
network. The bypass via localhost was not necessary. This can be achieved by
sending the same malicious request multiple times.
Attackers are able to remotely change settings, e.g. the admin mode password,
on the device via CSRF attacks. Furthermore, it is possible to initiate
arbitrary phone calls, e.g. to premium rate numbers, via CSRF!
Short tests have shown that the anti-CSRF feature "use_hidden_tags" was not
effective in the tested firmware version.
Unprivileged users are able to perform a firmware update via the web GUI.
This is also exploitable for a remote attacker using CSRF! A local attacker
could otherwise just simply boot the phone.
An attacker would potentially be able to downgrade to a certain older
firmware, in order to make older security bugs for exploitation available
again. The phone presents the unprivileged user an error message, that admin
access is required. But the phone will automatically perform the firmware
update anyways!
Every IP phone contacts the provisioning server of snom at
"provisioning.snom.com" (IP: 80.237.155.31) for an initial setup phase or
after a factory reset in order to retrieve the auto-provisioning URL for the
TR069 server of the ISP. This connection is not secured and uses plaintext
HTTP communication.
Man-in-the-middle attackers (e.g. TAO/QUANTUM attacks, DNS or BGP hijacking,
etc.) can manipulate those requests, use their own TR069 server and install a
backdoor on the phone (e.g. see 4) and afterwards provide the real TR069 URL
for the ISP. The backdoor will survive the new settings/resets or firmware
updates and be available to the attacker.
Furthermore, the phone identifies itself only via the last three bytes of the
MAC address, which can easily be brute-forced. An attacker would be able to
retrieve all TR069 URLs of the ISPs and he could then potentially further
attack those systems.
Detailed proof of concept information has been removed from this advisory.
This section will hence only give an overview regarding the vulnerabilities.
The following payload can be used within the [removed] parameter in order
to permanently store JavaScript within [removed]. This is also possible by
importing [removed] contents via CSV files:
[payload removed]
The following URL automatically adds a new entry to the phonebook which
contains JS code. This is also exploitable via CSRF to automatically insert
malicious code without user interaction:
[URL removed]
The following URL is also exploitable because the webserver does not
filter error messages. Browsers that do not url-encode the input are affected
(e.g. older IE versions such as v6):
[URL removed]
In order to bypass the "…/" filter, the following can be used as an example:
[payload removed]
The string [removed] at the end is necessary, otherwise the basename will be
duplicated by the system.
The following URL can be used to gain access to the file /etc/passwd by
combining a real null byte (not URL encoded %00), e.g. by using burp proxy hex
mode, with certain appended file extensions:
[URL removed]
The following URL allows an attacker access to SIP credentials, admin mode
password and other configuration settings in plaintext of the snom config.xml
file:
[URL removed]
The following OpenVPN profile can be used in order to open a reverse shell to
the attacker's system. The attacker will gain the highest access rights on the
phone (root):
dev tun
proto tcp
script-security 2
remote $someArbitraryOpenVPNIP 443
cipher AES-128-CBC
auth SHA1
tls-verify [payload removed]
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
[…]
In order to exploit it, any publicly available OpenVPN server can be misused
with any credentials, as the payload is already executed during the initial
TLS setup phase.
It is easily possible to install a backdoor on the phone because the flash
storage is writable. SEC Consult tested this by altering the init script
"[removed]" and added a SSH daemon (as an example, any command can be
run) which will be started on each boot. The init script does not get
overwritten even after a factory reset, hence the backdoor can still be
accessed afterwards.
Attackers with root access can now completely compromise the phone, e.g. alter
the configuration in order to enable call redirection to premium rate numbers,
access the microphone, install a sniffer in order to record incoming/outgoing
phone calls, or attack other internal systems, etc.
By using the following URL to localhost as a so-called "action URL" associated
to a function key on the device, it is possible to gain administrative access
rights because the admin-mode password will be set to an attacker-controlled
value:
[URL removed]
This also works when "restrict_uri_queries" and "use_hidden_tags" are set to
"on", sometimes the function key has to be pressed multiple times then.
See vulnerability 6) for infos on how to "press" the function key remotely via
CSRF.
By requesting the following URL with the direct IP address (not localhost)
repeatedly, it was also possible to gain access to admin mode:
[URL removed]
The following URL can be used for CSRF attacks in order to initiate phone
calls to arbitrary numbers (e.g. premium rate):
[URL removed]
The following URL will change the function key setting in order to change the
admin mode password (see 5) via CSRF:
a) URL for setting the function key value:
[URL removed]
b) URL for saving the function key modifications:
[URL removed]
c) URL for automatically executing the command of the function key "P1":
[URL removed]
By exploiting other issues in combination with CSRF, such as XSS and the
OpenVPN command execution flaw, it is possible to remotely compromise the
phone via CSRF.
The following URL can be used in order to load another firmware onto the
device. The device will immediately switch to the firmware download mode even
when accessed as unprivileged user, although the phone prints an error message
that admin-mode access is required:
[URL removed]
No proof of concept necessary, wireshark shows plaintext communication.
The IP phone snom 710 has been tested during a short security evaluation crash
test with firmware version 8.7.4.7a pre-installed.
Snom confirmed that all older firmware versions are affected by the documented
security vulnerabilities except the current new release 8.7.5.15!
Although snom IP phone 710 has been tested, also all other snom desktop IP phone
products (e.g. 3xx, 7xx, 8xx, etc) are affected!
2014-10-31: Contacting vendor through [email protected], requesting security
contact, attaching responsible disclosure policy & encryption keys
2014-11-04: No answer, contacting [email protected], [email protected] &
[email protected], attaching responsible disclosure policy &
encryption keys
2014-11-06: Calling German office, trying to reach a security contact, no
useful information received
Contacting other direct contacts of snom via Sales
2014-11-07: Receiving contact for security communication via Sales, exchanging
encryption keys and sending encrypted security advisory to given
contact
2014-11-18: Requesting status update - vulnerabilities have been forwarded to
developers and are being processed
2014-11-28: Telco with new technical snom contact
2014-12-08 - 2014-12-11: Answering questions of snom regarding some
vulnerabilities, postponing advisory release deadline to 13th
January 2015, more time needed
2014-12-30: Requesting status update
2015-01-05: Last fixes are already in progress, scheduled for 13th January,
receiving document containing detailed information regarding the
fixes
2015-01-07: Asking which firmware versions and products are affected
2015-01-08: Calling snom, verifying affected products
2015-01-08: Sending adjusted advisory to snom
2015-01-08: Informing CERT.at and CERT-Bund Germany (BSI) about pending release
2015-01-13: Coordinated release of security advisory
The vendor provides a new firmware version v8.7.5.15 and urges all users to
immediately upgrade to this version!
Vendor security note & firmware download:
http://wiki.snom.com/8.7.5.15_OpenVPN_Security_Update
Older firmware branches will not be patched and the upgrade to this new
version is therefore absolutely necessary for all users!
According to the vendor, the OpenVPN binary will be removed from the firmware
per default and can be loaded as a small firmware update afterwards if
necessary (see vendor security note above). Users of the OpenVPN feature will
get a warning as they will be affected by the identified vulnerability again
after enabling the feature.
No workaround available. The vendor urges all customers to immediately upgrade
the firmware of all snom IP phones.
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to [email protected]
EOF J. Greil / @2015