Authentication Bypass of Snom Phone Web Interface

2009-08-14T00:00:00
ID SECURITYVULNS:DOC:22322
Type securityvulns
Reporter Securityvulns
Modified 2009-08-14T00:00:00

Description

COMPASS SECURITY ADVISORY

http://www.csnc.ch/en/downloads/advisories.html

Product: Snom VoIP/SIP Phones (Snom300, Snom320, Snom360,

Snom370, Snom820)

Vendor: snom technology AG

CVD ID: CVE-2009-1048

Subject: Authentication Bypass of Snom Phone Web Interface

Risk: High

Effect: Remote

Author: Walter Sprenger

Date: August 13, 2009

Introduction:

The VoIP phones of snom technology AG can be configured, monitored or controlled with a browser connecting to the built in web interface. It is strongly recommended to enable authentication on the web interface and to set a strong password. By constructing a specially crafted HTTP request the authentication of the web interface can be completely bypassed.

Impact:

Access to the web interface without authentication enables a malicious user to 2: - call expensive numbers - listen to the phone conversation by capturing the network traffic - read SIP username and password - read and modify all configuration parameters of the phone - redirect phone calls to another VoIP server - activate the microphone and listen to the conversation in the room

Affected:

  • The tests have been conducted on a Snom360, Firmware versions:
  • snom360 linux 3.25/snom360-SIP 6.5.17
  • snom360 linux 3.25/snom360-SIP 6.5.18
  • snom360-SIP 7.1.30
  • snom360-SIP 7.1.35 14552
  • All Snom300, Snom320, Snom360, Snom370 and Snom820 with firmware versions below 6.5.20, 7.1.39 and 7.3.14 are vulnerable according to snom technology AG
  • Not vulnerable:
  • Firmware version 6.5.20 and higher
  • Firmware version 7.1.39 and higher
  • Firmware version 7.3.14 and higher

Technical Description:

The web interface of the Snom VoIP/SIP phones is protected by Basic Authentication or Digest Authentication. The authentication can be completely bypassed by modifying the HTTP request. A normal browser sets the request header "Host:" to the IP address or the host name that is entered in the URL field of the browser. If the request header is modified to contain the value "Host: 127.0.0.1", all pages and functions of the web interface can be reached without prompting the user to authenticate.

How to test:

curl -H "Host: 127.0.0.1" http://<IP address of phone>/ curl -k -H "Host: 127.0.0.1" https://<IP address of phone>/

-> if the phone is vulnerable, the index page of the web interface is returned -> if the phone is not vulnerable, an "HTTP/1.1 401 Unauthorized" response is returned

Workaround / Fix:

  • Upgrade to firmware version 6.5.20, 7.1.39, 7.3.14 or above
  • Disable the web interface until a firmware upgrade is installed

Timeline:

Vendor Notified: March 19, 2009 Vendor Status: Replied on March 19 and March 30, vulnerability confirmed
Vendor Response: Problem fixed in firmware version 7.1.39/7.3.14. Problem will be fixed in version 6. Patch available: Firmware upgrade to versions 6.5.20, 7.1.39, 7.3.14 and above

References: