Snom VoIP/SIP Phone Bypass

15 Aug 2009 | Reported by Walter Sprenger | Type: packetstorm | Source: packetstormsecurity.com

Snom VoIP/SIP Phone Authentication Bypass

Related:
- CVE: CVE-2009-1048 (14 Aug 2009 15:00)
- Cvelist: CVE-2009-1048 (14 Aug 2009 15:00)
- NVD: CVE-2009-1048 (14 Aug 2009 15:16)
- Prion: Authentication flaw (14 Aug 2009 15:16)
- Positive Technologies: PT-2009-3629 · Snom · Snom 360 +4 (14 Aug 2009 00:00)
- securityvulns: Authentication Bypass of Snom Phone Web Interface (14 Aug 2009 00:00)
- securityvulns: SNOM VoIP phones authentication bypass (14 Aug 2009 00:00)

`#############################################################  
#  
# COMPASS SECURITY ADVISORY  
# http://www.csnc.ch/en/downloads/advisories.html  
#  
#############################################################  
#  
# Product: Snom VoIP/SIP Phones (Snom300, Snom320, Snom360,   
# Snom370, Snom820)  
# Vendor: snom technology AG  
# CVE ID: CVE-2009-1048  
# Subject: Authentication Bypass of Snom Phone Web Interface  
# Risk: High  
# Effect: Remote  
# Author: Walter Sprenger  
# Date: August 13, 2009  
#  
#############################################################  
  
Introduction:  
-------------  
The VoIP phones of snom technology AG can be configured, monitored  
or controlled with a browser connecting to the built in web interface.  
It is strongly recommended to enable authentication on the web  
interface and to set a strong password.   
By constructing a specially crafted HTTP request the authentication   
of the web interface can be completely bypassed.  
  
Impact:  
-------  
Access to the web interface without authentication enables a  
malicious user to [2]:  
- call expensive numbers  
- listen to the phone conversation by capturing the network traffic  
- read SIP username and password  
- read and modify all configuration parameters of the phone  
- redirect phone calls to another VoIP server  
- activate the microphone and listen to the conversation in the room  
  
Affected:  
---------  
- The tests have been conducted on a Snom360, Firmware versions:  
  - snom360 linux 3.25/snom360-SIP 6.5.17  
  - snom360 linux 3.25/snom360-SIP 6.5.18  
  - snom360-SIP 7.1.30  
  - snom360-SIP 7.1.35 14552  
- All Snom300, Snom320, Snom360, Snom370 and Snom820 with firmware  
  versions below 6.5.20, 7.1.39 and 7.3.14 are vulnerable according  
  to snom technology AG  
- Not vulnerable:  
  - Firmware version 6.5.20 and higher  
  - Firmware version 7.1.39 and higher  
  - Firmware version 7.3.14 and higher  
  
  
Technical Description:  
----------------------  
The web interface of the Snom VoIP/SIP phones is protected by   
Basic Authentication or Digest Authentication.  
The authentication can be completely bypassed by modifying the   
HTTP request. A normal browser sets the request header "Host:"   
to the IP address or the host name that is entered in the URL   
field of the browser. If the request header is modified to   
contain the value "Host: 127.0.0.1", all pages and functions   
of the web interface can be reached without prompting the user   
to authenticate.  
  
How to test:  
------------  
curl -H "Host: 127.0.0.1" http://<IP address of phone>/  
curl -k -H "Host: 127.0.0.1" https://<IP address of phone>/  
  
-> if the phone is vulnerable, the index page of the web   
interface is returned  
-> if the phone is not vulnerable, an   
"HTTP/1.1 401 Unauthorized" response is returned  
  
  
Workaround / Fix:  
-----------------  
- Upgrade to firmware version 6.5.20, 7.1.39, 7.3.14 or above  
- Disable the web interface until a firmware upgrade is installed  
  
  
Timeline:  
---------  
Vendor Notified: March 19, 2009  
Vendor Status: Replied on March 19 and March 30, vulnerability   
confirmed   
Vendor Response: Problem fixed in firmware version 7.1.39/7.3.14.   
Problem will be fixed in version 6.  
Patch available: Firmware upgrade to versions 6.5.20, 7.1.39, 7.3.14   
and above   
  
References:  
-----------  
[1]: http://www.snom.de  
[2]: http://www.csnc.ch/misc/files/publications/V6_attacking_voip_v1.0.pdf  
`
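
An added example (not part of the Compass advisory and not snom tooling): a fleet audit that classifies reported firmware strings against the fixed releases listed under "Affected". The inventory and its addresses are constructed, and returning `unknown` for branches the advisory does not name (for manual review) is an assumption.

```python
import re

# Fixed release per firmware branch, from the advisory's "Not vulnerable" list.
FIXED = {(6, 5): (6, 5, 20), (7, 1): (7, 1, 39), (7, 3): (7, 3, 14)}
OLDEST_FIX, NEWEST_FIX = min(FIXED.values()), max(FIXED.values())
AFFECTED_MODELS = {"300", "320", "360", "370", "820"}

# Picks the "-SIP x.y.z" part out of strings such as
# "snom360 linux 3.25/snom360-SIP 6.5.17"; the Linux version and any
# trailing build number ("7.1.35 14552") are ignored.
SIP_VERSION = re.compile(r"snom(\d{3})-SIP\s+(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def classify(firmware):
    """Return 'vulnerable', 'fixed' or 'unknown' for one firmware string."""
    m = SIP_VERSION.search(firmware)
    if not m or m.group(1) not in AFFECTED_MODELS:
        return "unknown"
    version = tuple(int(part) for part in m.groups()[1:])
    fixed = FIXED.get(version[:2])
    if fixed is not None:                 # branch named in the advisory
        return "fixed" if version >= fixed else "vulnerable"
    if version < OLDEST_FIX:              # "below 6.5.20"
        return "vulnerable"
    if version >= NEWEST_FIX:             # "7.3.14 and higher"
        return "fixed"
    return "unknown"                      # assumption: unnamed branch, review by hand


def audit(inventory):
    """Group phone addresses by classification, sorted by address string."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, firmware in sorted(inventory.items()):
        report[classify(firmware)].append(host)
    return report


# Constructed inventory (RFC 5737 documentation addresses).
SAMPLE_INVENTORY = {
    "192.0.2.10": "snom360 linux 3.25/snom360-SIP 6.5.17",
    "192.0.2.11": "snom360-SIP 7.1.35 14552",
    "192.0.2.12": "snom370-SIP 7.3.14",
    "192.0.2.13": "snom320-SIP 6.5.20",
    "192.0.2.14": "snom820-SIP 7.2.1",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:<11}{', '.join(hosts) or '-'}")
```

Phones reported as `vulnerable` or `unknown` are the ones to upgrade or to take off the web interface, per the workaround above.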
