[NEWS] Multiple Vulnerabilities with Pingtel xpressa SIP Phones

From: support@securiteam.com
Date: 07/12/02


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 12 Jul 2002 19:40:52 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Vulnerabilities with Pingtel xpressa SIP Phones
------------------------------------------------------------------------

SUMMARY

Pingtel develops intelligent Java-based voice-over-IP phones for service
providers and enterprises. The vulnerabilities discussed in this advisory
were found using Pingtel's xpressa voice-over-IP phones model PX-1
software versions 1.2.5-1.2.7.4.

The Pingtel xpressa SIP-based phone contains multiple vulnerabilities
affecting all aspects of the phone's operation. These vulnerabilities
include remote access to the phone; remote administrative access to the
phone; manipulation of SIP signaling; multiple denials of service; remote
telnet access (complete control of the VxWorks operating system); local
physical administrative access, and more.

Using the vulnerabilities enumerated within this advisory it is possible
to jeopardize critical telephony infrastructure based on Pingtel's xpressa
SIP phones. Additionally, certain vulnerabilities present a severe risk to
an organization's entire network infrastructure.

DETAILS

Vulnerable systems:
 * Pingtel xpressa SIP VoIP phones model PX-1 versions 1.2.5-1.2.7.4

Remote Access Vulnerabilities
The Pingtel xpressa SIP-based phone provides a web interface that enables
remote administrative configuration of the phone's settings. In addition,
this web interface allows a remote user to place calls using SIP, install
and remove applications, view and alter speed dial settings and configure
call settings. This web interface is protected by HTTP basic
authentication: base64 encoded username/password pairs.

1. Default Administrator Password
The Pingtel xpressa SIP-based phone ships with no administrator password,
i.e. the password is set to null. The administrator username is "admin"
and cannot be changed. If the password is not changed, then an attacker
can gain both remote and local administrative access to the phone.

2. Remote Telnet Access
Potentially the most damaging issue is the presence of a Telnet server
allowing remote administrative access to the VxWorks operating system.
This access is only available once a password has been set for the "admin"
account, trivially accomplished by using the web interface user management
feature. This access allows a remote attacker to abuse the telephone no
longer as merely a VoIP device but rather as a fully POSIX compliant
network device with storage space, bandwidth and a CPU.

3. Abusing the Web Interface - Manipulating Signaling
Using the default administrator password an attacker can successfully
authenticate to the web server. Administrator access allows an attacker
complete control over the phone's settings. These settings include the
configuration of an arbitrary SIP proxy, an arbitrary SIP redirect server,
and other SIP entities. By manipulating one or more of these settings, an
attacker can gain complete control over the SIP signaling path, leading
to, among other things, complete control over the VoIP audio stream. This
can be done using a malicious SIP proxy, a malicious SIP redirect server,
and/or a malicious SIP Registrar.

4. Abusing the Web Interface - Hijacking Calls
Using the web interface an authenticated user can alter the Call
Forwarding settings. Setting all calls to be forwarded to another SIP URL
or phone number enables an attacker to divert all telephone traffic to a
3rd party.

When call forwarding is activated, no notification is presented to the
user of either incoming calls, or diverted calls.

5. Abusing the Web Interface - Denial of Services
An attacker can introduce denial-of-service conditions by manipulating any
of the following settings:

Administrative Access Required:
A. Changing the SIP Listening Ports
Setting the SIP_TCP_PORT and the SIP_UDP_PORT to the same non-zero
non-default value will result in a denial of service condition against all
incoming calls using either TCP or UDP as the transport protocol for SIP.

B. Requiring Authentication of Incoming Calls
Changing the value of SIP_AUTHENTICATE_SCHEME to either Basic or Digest
forces the authentication of incoming calls.

When authentication of a call is required, neither party is informed of an
authentication failure. The caller receives no notification of an
authentication request, and the callee receives no information of the call
attempt, or of the authentication failure. Finally, no log is produced of
the failed call attempt.

Note: this is not RFC 2543 compliant behavior.

C. Altering the Behavior of the Web Server
Assigning 0 to the PHONESET_HTTP_PORT parameter causes the web server to
shut down. The phone's administrator will have to enable the web server
physically from each phone in order to re-enable remote access.

It is, of course, possible to change the listening port of the Web Server.
This is more of a nuisance than a security issue.

Any Authenticated User:
A. Restarting the Phone
It is possible for any user to restart the phone. After each reboot it is
approximately 45 seconds before the phone is usable.

B. Termination of Current Phone Conversation
Any user can terminate a current phone conversation by selecting which of
the listed conversations they wish to terminate and pressing the "hang-up"
button.

C. Disabling the Ring Tone
An attacker is able to replace the ring tone audio file with either an
empty or a silent file; in this case, no ring tone will be heard.
Combining this with altering the ALERT method settings to ring only will
create a denial of service against all incoming calls.

6. Abusing the Web Interface - Information Leakage
A. Any authenticated user can perform "Call Tracking" (defined as logging
of the source and destination of all numbers called) by viewing active
phone calls: the phone number(s) used, and in some cases the participant's
names.

B. Any authenticated user can view and alter the programmed speed dial
numbers.

C. Any authenticated user can enable/disable SIP message logs and view the
message logs.

D. Any non-administrative user who attempts to alter certain portions of
the phone's configuration will be asked to authenticate, presumably as an
administrative user. After three failed authentication attempts the user
will be presented with the following error message:

User Not Authorized
Must be user "admin" to access this page.

7. Base64 authentication
The web interface is protected by HTTP basic authentication, base64
encoded username/password pairs. This means that web-based administration
of the phone sends the administrator's username and password in what is
essentially clear text. As such, even if the administrator password has
been changed, sniffing traffic to the web interface will glean
username/password pairs: the administrator's, and any other accounts he
adds.

Compounding this problem the Web Server does not support HTTP digest
authentication, nor does it support HTTPS.
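
As an added detection example (not from the advisory, Pingtel or SecuriTeam), the following Python scans captured HTTP requests to the phone's web interface for Basic credentials sent in the clear, the exposure described in sections 1 and 7; the sample requests, the host address and the credentials are constructed for the example.

```python
# Added detection example (not Pingtel's or SecuriTeam's code): inspect HTTP
# requests captured on the wire and report Basic credentials sent in the clear,
# including the "admin" account with its factory-default empty password.
import base64
import binascii
from typing import List, Optional, Tuple

# Constructed sample capture: the phone address and the credentials are made up.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0\r\nHost: 192.0.2.10\r\nAuthorization: Basic YWRtaW46\r\n\r\n",
    "GET /users.html HTTP/1.0\r\nHost: 192.0.2.10\r\nAuthorization: Basic b3BlcmF0b3I6czNjcmV0\r\n\r\n",
    "GET /apps.html HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n",
]

def basic_credentials(request: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) if the request carries an HTTP Basic header, else None."""
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                return None  # Digest or other schemes are not cleartext-equivalent
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                return None  # malformed header, nothing recoverable
            user, _, password = decoded.partition(":")  # RFC 2617: split at the first colon
            return user, password
    return None

def audit_capture(requests: List[str]) -> List[str]:
    """One finding per request that exposes a username/password pair."""
    findings: List[str] = []
    for req in requests:
        creds = basic_credentials(req)
        if creds is None:
            continue
        user, password = creds
        # Section 7: Basic over plain HTTP is readable by anyone on the network path.
        finding = f"cleartext credentials for user '{user}' observed on the wire"
        # Section 1: "admin" with a null password is the factory default.
        if user == "admin" and password == "":
            finding += " (factory-default empty admin password)"
        findings.append(finding)
    return findings
```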

8. DNS server
The Pingtel SIP-based phone does not store any of its applications
locally, rather it downloads them from configured locations; the default
applications are retrieved from http://appsrv.pingtel.com when it first
boots. By altering the DNS settings to point to a malicious DNS server, it
is possible to cause the Pingtel SIP-based phone to download and install a
malicious package from a different source as part of its boot sequence.

Additionally, by altering the DNS server settings it is possible to hijack
outgoing calls dialed using a domain name, e.g. user@myphone.com.

9. Settings Update
Assigning malicious values to certain parameters prevents the phone from
booting correctly after a hard reset, e.g. assigning the value of 0 for
the SIP_UDP_PORT and the SIP_TCP_PORT parameters.
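
As an added audit example (not Pingtel's code), the following Python checks a settings update for the values that sections 5A-C and 9 describe as causing denial of service or boot failure; the "KEY : VALUE" line format, the 5060 default SIP port and the sample values are assumptions made for the example.

```python
# Added audit example (not Pingtel's code). Flags settings values that the
# advisory says cause denial of service or boot failure on the xpressa phone.
# The "KEY : VALUE" line format and the 5060 default SIP port are assumptions.
from typing import Dict, List, Optional

DEFAULT_SIP_PORT = 5060  # assumed factory default for SIP_TCP_PORT/SIP_UDP_PORT

# Constructed sample of a malicious settings update.
SAMPLE_SETTINGS = """\
SIP_TCP_PORT : 6000
SIP_UDP_PORT : 6000
PHONESET_HTTP_PORT : 0
SIP_AUTHENTICATE_SCHEME : Digest
"""

def parse_settings(text: str) -> Dict[str, str]:
    """Parse 'KEY : VALUE' lines into a dict; keys are upper-cased."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip().upper()] = value.strip()
    return settings

def _port(settings: Dict[str, str], key: str) -> Optional[int]:
    try:
        return int(settings[key])
    except (KeyError, ValueError):
        return None  # absent or non-numeric: nothing to flag here

def audit_settings(settings: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    tcp, udp = _port(settings, "SIP_TCP_PORT"), _port(settings, "SIP_UDP_PORT")
    # Section 9: port 0 on either SIP transport stops the phone booting correctly.
    for name, port in (("SIP_TCP_PORT", tcp), ("SIP_UDP_PORT", udp)):
        if port == 0:
            findings.append(f"{name}=0: phone will not boot after a hard reset")
    # Section 5A: equal non-zero, non-default SIP ports block all incoming calls.
    if tcp and udp and tcp == udp and tcp != DEFAULT_SIP_PORT:
        findings.append(f"SIP_TCP_PORT=SIP_UDP_PORT={tcp}: DoS on incoming calls")
    # Section 5B: Basic/Digest on incoming calls fails silently for both parties.
    scheme = settings.get("SIP_AUTHENTICATE_SCHEME", "").lower()
    if scheme in ("basic", "digest"):
        findings.append(f"SIP_AUTHENTICATE_SCHEME={scheme}: incoming calls silently rejected")
    # Section 5C: HTTP port 0 shuts the web server down until re-enabled at the phone.
    if _port(settings, "PHONESET_HTTP_PORT") == 0:
        findings.append("PHONESET_HTTP_PORT=0: web server disabled, remote admin lost")
    return findings
```

Run it with `audit_settings(parse_settings(SAMPLE_SETTINGS))` to list the three findings the sample triggers.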

10. There is a cross-site scripting bug in the SIP dialing facility.
The MESSAGE value will be interpreted as code. This is more of a nuisance
than a security issue.

Physical access
The Pingtel xpressa SIP phone provides a graphical user interface that can
be used to configure certain settings. Some settings require
administrative access to be altered.

1. Gaining Local Administrative Access
From the phone GUI, it is possible to reset the administrator password by
selecting:

More -> menu -> factory defaults -> ok

Without requiring any authentication, this will reset the phone to its
factory defaults, among them setting the administrator password to null.

2. Gaining Local Access
The phone enrollment process involves the registration of a phone user at
the http://my.pingtel.com web site. After the web registration, the user
will be able to register the phone with Pingtel using the MyPingtel
Sign-in application under:

More -> apps -> MyPingtel Sign-In

The user's credentials will be the same as those registered on the
http://my.pingtel.com web site. These credentials can also be used to
login to the web interface and remotely manage the phone.

The registration process at http://my.pingtel.com is done using arbitrary
information supplied by the user. Pingtel does not verify that the
supplied user information corresponds to a phone. This allows an attacker
to register a valid user name that can then be used with any Pingtel
xpressa SIP-based phone.

If a phone is already registered to a user, an attacker, by having
physical access to the phone, can log the user out by:

More -> apps -> MyPingtel Sign-In -> signout -> ok -> ok

Then the attacker can re-register the phone with his fake credentials:

More -> apps -> MyPingtel Sign-In

The attacker will now have remote access to the phone and will be able to
do a number of things as an authenticated user.

3. Denial of Service condition via Manipulated Network Settings
From the phone GUI, it is possible to change the phone's network settings.
This is done by selecting:

More -> apps -> prefs -> Network Settings

Changing them also requires entering the admin password (either the
default one or one gleaned from the network). The settings that can be
changed include DHCP versus a static IP address, configuration of DNS
servers, timeserver configuration, and quality of service.

An attacker can assign the phone a different static IP and cause a denial
of service on incoming calls, or set the phone to an incorrect IP address
and cause a complete denial of service.

Assigning an incorrect IP address for the DNS server will cause a denial
of service to outgoing calls dialed using a domain name, e.g.
user@myphone.com.

Another possible denial of service is assigning a different quality of
service value.

4. Altering the Behavior of the Web Server
The web server can be shut down by selecting:

More -> apps -> prefs -> myxpressa Web

This also requires entering the administrator password (either the
default or one gleaned from sniffed traffic). The "enable web server?"
parameter can be unchecked or the listening port altered to a non-zero
non-default value. The phone's administrator will have to enable the web
server physically from the phone in order to re-enable remote access.

5. Authentication Leakage
Administrative access is needed for several phone settings. These
include the Network Settings, myxpressa Web and User Maintenance.

Unless the local administrator explicitly terminates his authentication
via the "ok" or "cancel" buttons he will remain logged in indefinitely.
There is no time out! Therefore, another user will be able to arbitrarily
alter the settings the administrator logged in to change.

6. Shoulder Surfing Passwords
Password characters entered using the Pingtel xpressa SIP-based phone
keypad are displayed before being replaced by an asterisk. Limitations of
the keypad require this functionality. The only solution requires
restricting passwords to numeric combinations, and thus limiting the
available key space.

Operational Aspects
1. Ignoring ICMP Error Messages
After the establishment of a session, any ICMP error messages will be
ignored. If connectivity to one of the participating parties is severed,
the phone will not terminate the call nor explicitly notify the user.

2. ARP Refresh Problem
After the Pingtel xpressa SIP-based phone has made an ARP request, it will
consider the ARP reply canonical. It will not perform further ARP requests
for this IP address. This issue relates to the underlying VxWorks
operating system.

3. Firmware Upgrade
The phone firmware can be upgraded without administrative privileges.

Vendor Response:
Vendor was notified of these issues on May 28, 2002. In response to the
@stake security advisory, Pingtel has created a document named "Best
Practices for Deploying Pingtel phones." This document is posted in the
"Support" section of Pingtel Corp's web site
(http://www.pingtel.com/s_docadmin.jsp). In addition, a point by point
response to the @stake advisory is available at:
http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp

Temporary Solution:
Pingtel recommends following the "Best Practices for Deploying Pingtel
Phones" document made available on their corporate web site
(http://www.pingtel.com/s_docadmin.jsp). Pingtel also recommends upgrading
to the v2.0.1 software release made available for download from the
support section of Pingtel's web site at:
http://www.pingtel.com/s_upgrades.jsp. While this upgrade does not
address all of the issues raised by the @stake advisory, further planned
upgrades for the end of July and the end of 2002 will address the
remaining issues, providing Digest-based authentication and HTTPS-based
communication respectively.

ADDITIONAL INFORMATION

The information has been provided by Ofir Arkin <ofir@atstake.com> and
Josh Anderson <josh@atstake.com>.
