[NEWS] Clipcomm CPW-100E Wireless Mobile IP Phone Open Debug Service
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 19 Jan 2006 17:22:59 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Clipcomm CPW-100E Wireless Mobile IP Phone Open Debug Service
------------------------------------------------------------------------
SUMMARY
" <http://www.clipcomm.co.kr/eng/e_product/e_product_voip_cwp100.html>
Clipcomm's Wi-Fi IP phone, CWP-100, is a low-priced wireless mobile IP
phone that enables users to make or receive phone calls over the IEEE
802.11b wireless network."
An undocumented port and tcp services in Clipcomm CPW-100E wireless mobile
IP phone allow attackers to gain information, change settings, track phone
calls and more.
DETAILS
Vulnerable Systems:
* Clipcomm CPW-100E wireless mobile IP phone Firmware version 1.1.12
(051129)
An undocumented port and debug service on TCP/60023 enables an attacker to
access without authentication the phone's configuration/debug shell via
telnet. The shell access provides the attacker with two levels of access:
1. CLIP account that allows general configuration.
2. USH shell, accessed from within the CLIP shell, that allows an
attacker to enable call tracing and debugging, conduct a factory reset,
write to registers, dump memory, etc.
Attackers can also use the "call" command under the USH shell to call
another phone under the attacker's control from the CPW-100, thereby
turning the phone into a remote monitoring device.
ADDITIONAL INFORMATION
The information has been provided by <mailto:shawnmer@xxxxxxxxx> Shawn
Merdinger.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] MPM HP-180W VoIP Wireless Desktop Phone Information Disclosure and DoS
- Next by Date: [NEWS] Senao SI-7800H VoIP Wireless Phone Information Disclosure and DoS
- Previous by thread: [NEWS] MPM HP-180W VoIP Wireless Desktop Phone Information Disclosure and DoS
- Next by thread: [NEWS] Senao SI-7800H VoIP Wireless Phone Information Disclosure and DoS
- Index(es):
Relevant Pages
- [UNIX] KPopup Allows Gaining of Elevated Privileges (Insecure system())
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... compiled and install the binary
KPopup is installed setuid root it also ... especially on a setuid root binaries. ...
To exploit this we need to do is make a shell script and call it killall, ... (Securiteam) - [TOOL] MsnShell - Covert Shell Tunneling Through MSN Protocol
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... MsnShell is a kind of covert
channel tunneling tool allowing to remotely ... shell commands and responses within the
MSN protocol and only consist of ... * Encapsulate shell commands and responses within the MSN
protocol (SHELL ... (Securiteam) - [EXPL] Cdrecord RSH SUID Shell Creation
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... This shell script
writes out and compiles a C application which sets it's ... In no event shall we be liable for
any damages whatsoever including direct, indirect, incidental, consequential, loss of business
profits or special damages. ... (Securiteam) - [TOOL] RECUB (Remote Encrypted Callback Unix Backdoor) Windows Port
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... RECUB (Remote Encrypted Callback
Unix Backdoor) is a windows port for a ... * RC4 Encrypted reverse connect shell for
XP,2k,2003. ... (Securiteam) - [UNIX] phpSysInfo Multiple Vulnerabilities (HTTP_ACCEPT_LANGUAGE, sensor_program, VERSION, charset)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities have
been discovered in phpSysInfo allowing ... the attacker to additionally inject the
$lng parameter. ... $sensor_program can *still* be used to inject active ... (Securiteam)
