ID: CVE-2002-0667
Type: cve
Reporter: cve@mitre.org
Modified: 2008-09-10T19:12:00
Description
Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 has a default null administrator password, which could allow remote attackers to gain access to the phone.
Related bulletins

Source: osvdb
ID: OSVDB:5140 (https://vulners.com/osvdb/OSVDB:5140)
Title: Pingtel xpressa Default Null Administrator Password
Bulletin family: software
CVE list: CVE-2002-0667
Published: 2004-04-08T22:54:35
Modified: 2004-04-08T22:54:35
Last seen: 2017-04-28T13:19:59
CVSS: 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)
Description: No description provided by the source
References:
Vendor URL: http://www.pingtel.com
Vendor Specific Solution URL: http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp
Other Advisory URL: http://www.atstake.com/research/advisories/2002/a071202-1.txt
Keyword: SIP-based
Keyword: VOIP
Keyword: voice-over-IP phone
ISS X-Force ID: 9562
CVE-2002-0667 (https://vulners.com/cve/CVE-2002-0667)
Bugtraq ID: 5214

Source: securityvulns
ID: SECURITYVULNS:DOC:3217 (https://vulners.com/securityvulns/SECURITYVULNS:DOC:3217)
Title: @stake Advisory: Multiple Vulnerabilities with Pingtel xpressa SIP Phones
Bulletin family: software
CVE list: CVE-2002-0667, CVE-2002-0668, CVE-2002-0669, CVE-2002-0670, CVE-2002-0671, CVE-2002-0672, CVE-2002-0673, CVE-2002-0674, CVE-2002-0675
Published: 2002-07-13T00:00:00
Modified: 2002-07-13T00:00:00
Last seen: 2018-08-31T11:10:06
CVSS: 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)
Description:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@stake Inc.
www.atstake.com

Security Advisory

Advisory Name: Multiple Vulnerabilities with Pingtel xpressa SIP Phones
Release Date: 07/12/2002
Hardware: Pingtel xpressa SIP VoIP phones model PX-1
Software: Versions 1.2.5-1.2.7.4
Platform: VxWorks
Severity: Complete Control of the Pingtel xpressa SIP Phones
Author: Ofir Arkin (ofir@atstake.com)
        Josh Anderson (josh@atstake.com)
Vendor Status: Bulletin and update available (see response section)
CVE Candidate: CAN-2002-0667
               CAN-2002-0668
               CAN-2002-0669
               CAN-2002-0670
               CAN-2002-0671
               CAN-2002-0672
               CAN-2002-0673
               CAN-2002-0674
               CAN-2002-0675
Reference: www.atstake.com/research/advisories/2002/a071202-1.txt

Summary:

Pingtel develops intelligent Java-based voice-over-IP phones for service providers and enterprises. The vulnerabilities discussed in this advisory were found using Pingtel's xpressa voice-over-IP phones model PX-1, software versions 1.2.5-1.2.7.4.

The Pingtel xpressa SIP-based phone contains multiple vulnerabilities affecting all aspects of the phone's operation. These vulnerabilities include: remote access to the phone; remote administrative access to the phone; manipulation of SIP signaling; multiple denials of service; remote telnet access (complete control of the VxWorks operating system); local physical administrative access, and more.

Using the vulnerabilities enumerated within this advisory it is possible to jeopardize critical telephony infrastructure based on Pingtel's xpressa SIP phones. Additionally, certain vulnerabilities present a severe risk to an organization's entire network infrastructure.

Detailed Description:

Remote Access Vulnerabilities

The Pingtel xpressa SIP-based phone provides a web interface which enables remote administrative configuration of the phone's settings. In addition, this web interface allows a remote user to place calls using SIP, install and remove applications, view and alter speed dial settings and configure call settings. This web interface is protected by HTTP basic authentication: base64 encoded username/password pairs.

1. Default Administrator Password
The Pingtel xpressa SIP-based phone ships with no administrator password, i.e. the password is set to null. The administrator username is "admin" and cannot be changed. If the password is not changed, then an attacker can gain both remote and local administrative access to the phone.

2. Remote Telnet Access
Potentially the most damaging issue is the presence of a Telnet server allowing remote administrative access to the VxWorks operating system. This access is only available once a password has been set for the "admin" account, trivially accomplished by using the web interface user management feature. This access allows a remote attacker to abuse the telephone no longer as merely a VoIP device but rather as a fully POSIX compliant network device with storage space, bandwidth and a CPU.

3. Abusing the Web Interface - Manipulating Signaling
Using the default administrator password an attacker can successfully authenticate to the web server. Administrator access allows an attacker complete control over the phone's settings. These settings include the configuration of an arbitrary SIP proxy, an arbitrary SIP redirect server and other SIP entities. By manipulating one or more of these settings an attacker can gain complete control over the SIP signaling path, leading to, among other things, complete control over the VoIP audio stream. This can be done using a malicious SIP proxy, a malicious SIP redirect server, and/or a malicious SIP Registrar.

4. Abusing the Web Interface - Hijacking Calls
Using the web interface an authenticated user can alter the Call Forwarding settings. Setting all calls to be forwarded to another SIP URL or phone number enables an attacker to divert all telephone traffic to a 3rd party.

When call forwarding is activated no notification is presented to the user of either incoming calls, or diverted calls.

5. Abusing the Web Interface - Denial of Services
An attacker can introduce denial-of-service conditions by manipulating any of the following settings:

Administrative Access Required:

A. Changing the SIP Listening Ports
Setting the SIP_TCP_PORT and the SIP_UDP_PORT to the same non-zero non-default value will result in a denial of service condition against all incoming calls using either TCP or UDP as the transport protocol for SIP.

B. Requiring Authentication of Incoming Calls
Changing the value of SIP_AUTHENTICATE_SCHEME to either Basic or Digest forces the authentication of incoming calls.

When authentication of a call is required neither party is informed of an authentication failure. The caller receives no notification of an authentication request, and the callee receives no information of the call attempt, nor of the authentication failure. Finally, no log is produced of the failed call attempt.

Note: this is not RFC 2543 compliant behavior.

C. Altering the Behavior of the Web Server
Assigning 0 to the PHONESET_HTTP_PORT parameter causes the web server to shut down. The phone's administrator will have to enable the web server physically from each phone in order to re-enable remote access.

It is, of course, possible to change the listening port of the Web Server. This is more of a nuisance than a security issue.

Any Authenticated User:

A. Restarting the Phone
It is possible for any user to restart the phone. After each reboot it is approximately 45 seconds before the phone is usable.

B. Termination of Current Phone Conversation
Any user can terminate a current phone conversation by selecting which of the listed conversations they wish to terminate and pressing the "hangup" button.

C. Disabling the Ring Tone
An attacker is able to replace the ring tone audio file with either an empty or a silent file; in this case no ring tone will be heard. Combining this with altering the ALERT method settings to ring only will create a denial of service against all incoming calls.

6. Abusing the Web Interface - Information Leakage
A. Any authenticated user can perform "Call Tracking" (defined as logging of the source and destination of all numbers called) by viewing active phone calls: the phone number(s) used, and in some cases the participants' names.

B. Any authenticated user can view and alter the programmed speed dial numbers.

C. Any authenticated user can enable/disable SIP message logs and view the message logs.

D. Any non-administrative user who attempts to alter certain portions of the phone's configuration will be requested to authenticate, presumably, as an administrative user. After three failed authentication attempts the user will be presented with the following error message:

User Not Authorized

Must be user "admin" to access this page.

7. Base64 authentication
The web interface is protected by HTTP basic authentication, base64 encoded username/password pairs. This means that web-based administration of the phone sends the administrator's username and password in what is essentially clear text. As such, even if the administrator password has been changed, sniffing traffic to the web interface will glean username/password pairs: the administrator's, and any other accounts he adds.

Compounding this problem, the Web Server does not support HTTP digest authentication, nor does it support HTTPS.

8. DNS server
The Pingtel SIP-based phone does not store any of its applications locally; rather it downloads them from configured locations. The default applications are retrieved from http://appsrv.pingtel.com when it first boots. By altering the DNS settings to point to a malicious DNS server, it is possible to cause the Pingtel SIP-based phone to download and install a malicious package from a different source as part of its boot sequence.

Additionally, by altering the DNS server settings it is possible to hijack outgoing calls dialed using a domain name, e.g. user@myphone.com.

9. Settings Update
Assigning malicious values to certain parameters prevents the phone from booting correctly after a hard reset, e.g. assigning the value of 0 for the SIP_UDP_PORT and the SIP_TCP_PORT parameters.

10. Cross Site Scripting
There is a cross site scripting bug in the SIP dialing facility. The MESSAGE value will be interpreted as code. This is more of a nuisance than a security issue.

Physical access

The Pingtel xpressa SIP phone provides a graphical user interface which can be used to configure certain settings. Some settings require administrative access to be altered.

1. Gaining Local Administrative Access
From the phone GUI it is possible to reset the administrator password by selecting:

more -> menu -> factory defaults -> ok

Without requiring any authentication this will reset the phone to its factory defaults, among them setting the administrator password to null.

2. Gaining Local Access
The phone enrollment process involves the registration of a phone user at the http://my.pingtel.com web site. After the web registration the user will be able to register the phone with Pingtel using the MyPingtel Sign-In application under:

more -> apps -> MyPingtel Sign-In

The user's credentials will be the same as those registered on the http://my.pingtel.com web site. These credentials can also be used to log in to the web interface and remotely manage the phone.

The registration process at http://my.pingtel.com is done using arbitrary information supplied by the user. Pingtel does not verify that the supplied user information corresponds to a phone. This allows an attacker to register a valid user name which can then be used with any Pingtel xpressa SIP-based phone.

If a phone is already registered to a user, an attacker, by having physical access to the phone, can log the user out by:

More -> apps -> MyPingtel Sign-In -> signout -> ok -> ok

Then the attacker can re-register the phone with his fake credentials:

More -> apps -> MyPingtel Sign-In

The attacker will now have remote access to the phone and will be able to do a number of things as an authenticated user.

3. Denial of Service condition via Manipulated Network Settings
From the phone GUI it is possible to change the phone's network settings. This is done by selecting:

more -> apps -> prefs -> Network Settings

and entering the admin password (either the default one or the one that was gleaned from the network). The settings that can be changed include DHCP versus a static IP address, configuration of DNS servers, time server configuration and quality of service.

An attacker can assign the phone a different static IP and cause a denial of service on incoming calls, or set the phone to an incorrect IP address and cause a complete denial of service.

Assigning an incorrect IP address for the DNS server will cause a denial of service to outgoing calls dialed using a domain name server, e.g. user@myphone.com.

Another possible denial of service is assigning a different quality of service value.

4. Altering the Behavior of the Web Server
The web server can be shut down by selecting:

More -> apps -> prefs -> myxpressa Web

and entering the administrator password (either the default or gleaned from sniffed traffic). The "enable web server?" parameter can be unchecked or the listening port altered to a non-zero non-default value. The phone's administrator will have to enable the web server physically from the phone in order to re-enable remote access.

5. Authentication Leakage
Administrative access will be needed for several phone settings. These include the Network Settings, myxpressa Web and User Maintenance.

Unless the local administrator explicitly terminates his authentication via the "ok" or "cancel" buttons he will remain logged in indefinitely. There is no time out! Therefore another user will be able to arbitrarily alter the settings the administrator logged in to change.

6. Shoulder Surfing Passwords
Password characters entered using the Pingtel xpressa SIP-based phone keypad are displayed prior to being replaced by an asterisk. Limitations of the keypad require this functionality. The only solution requires restricting passwords to numeric combinations, and thus limiting the available key space.

Operational Aspects

1. Ignoring ICMP Error Messages
After the establishment of a session any ICMP error messages will be ignored. If connectivity to one of the participating parties is severed the phone will not terminate the call nor explicitly notify the user.

2. ARP Refresh Problem
After the Pingtel xpressa SIP-based phone has made an ARP request it will consider the ARP reply canonical. It will not perform further ARP requests for this IP address. This issue relates to the underlying VxWorks operating system.

3. Firmware Upgrade
The phone firmware can be upgraded without administrative privileges.

Vendor Response:

Vendor was notified of these issues on May 28, 2002. In response to the @stake security advisory, Pingtel has created a document named "Best Practices for Deploying Pingtel phones." This document is posted in the "Support" section of Pingtel Corp's web site (http://www.pingtel.com/s_docadmin.jsp). In addition, a point by point response to the @stake advisory is available at http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp.

Temporary Solution:

Pingtel recommends following the "Best Practices for Deploying Pingtel Phones" document made available on their corporate web site (http://www.pingtel.com/s_docadmin.jsp). Pingtel also recommends upgrading to the v2.0.1 software release made available for download from the support section of Pingtel's web site at http://www.pingtel.com/s_upgrades.jsp. While this upgrade does not address all of the issues raised by the @stake advisory, further planned upgrades for the end of July and the end of 2002 will address the remaining issues, providing Digest-based authentication and HTTPS-based communication respectively.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2002-0667 Default administrator password
CAN-2002-0668 Abusing Call Forwarding to hijack calls
CAN-2002-0669 Incoming Call authentication denial-of-service
CAN-2002-0670 HTTP Authentication using Base64
CAN-2002-0671 Downloading Phone Applications from non-trusted entities
CAN-2002-0672 Gaining local physical access to the phone by resetting the phone to its factory defaults
CAN-2002-0673 Abusing the phone's enrollment process to gain local and remote access to the phone
CAN-2002-0674 Authentication leakage
CAN-2002-0675 Firmware upgrade vulnerability

Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBPS7gdEe9kNIfAm4yEQJYoACePVrxme9mEe7muEoI0GGt56bsJzMAoJty
2Xf8P+u5y+mjs1QiC5ZACP04
=J9XS
-----END PGP SIGNATURE-----