-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@stake Inc.
www.atstake.com
Security Advisory
Advisory Name: Multiple Vulnerabilities with Pingtel xpressa SIP Phones
Release Date: 07/12/2002
Hardware: Pingtel xpressa SIP VoIP phones model PX-1
Software: Versions 1.2.5-1.2.7.4
Platform: VxWorks
Severity: Complete Control of the Pingtel xpressa SIP Phones
Author: Ofir Arkin ([email protected])
Josh Anderson ([email protected])
Vendor Status: Bulletin and update available (see response section)
CVE Candidate: CAN-2002-0667
CAN-2002-0668
CAN-2002-0669
CAN-2002-0670
CAN-2002-0671
CAN-2002-0672
CAN-2002-0673
CAN-2002-0674
CAN-2002-0675
Reference: www.atstake.com/research/advisories/2002/a071202-1.txt
Summary:
Pingtel develops intelligent Java-based voice-over-IP phones for service
providers and enterprises. The vulnerabilities discussed in this advisory
were found using Pingtel's xpressa voice-over-IP phones model PX-1,
software versions 1.2.5-1.2.7.4.
The Pingtel xpressa SIP-based phone contains multiple vulnerabilities
affecting all aspects of the phone's operation. These vulnerabilities
include: remote access to the phone; remote administrative access to
the phone; manipulation of SIP signaling; multiple denials of service;
remote telnet access (complete control of the VxWorks operating system);
local physical administrative access, and more.
Using the vulnerabilities enumerated within this advisory it is possible
to jeopardize critical telephony infrastructure based on Pingtel's xpressa
SIP phones. Additionally, certain vulnerabilities present a severe risk
to an organization's entire network infrastructure.
Detailed Description:
Remote Access Vulnerabilities
The Pingtel xpressa SIP-based phone provides a web interface which enables
remote administrative configuration of the phone's settings. In addition
this web interface allows a remote user to place calls using SIP, install
and remove applications, view and alter speed dial settings and configure
call settings. This web interface is protected only by HTTP basic
authentication: the username/password pair is sent base64 encoded, which
is an encoding rather than encryption, so anyone able to sniff the traffic
can recover the credentials.
Default Administrator Password
The Pingtel xpressa SIP-based phone ships with no administrator password,
i.e. the password is set to null. The administrator username is "admin"
and cannot be changed. If the password is not changed, an attacker can
gain both remote and local administrative access to the phone.
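As an added example (not part of the original @stake advisory and not
Pingtel's code), the following Python recovers the username/password pair
from a captured request to the phone's web interface, which is possible
precisely because HTTP basic authentication only base64-encodes the
credentials, and then checks whether the pair is the factory default
(user "admin", null password). The request text, the host address and the
URL path are constructed for the example; the path is not a real Pingtel
URL.

```python
import base64
import re

# Constructed sample requests as they would appear on the wire between a
# management workstation and the phone's web interface. The address and the
# URL path are placeholders for this example, not real Pingtel paths.
CAPTURED_DEFAULT = (
    "GET /cgi-bin/config HTTP/1.0\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46\r\n"          # base64("admin:")
    "\r\n"
)
CAPTURED_CHANGED = (
    "GET /cgi-bin/config HTTP/1.0\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46czNjcmV0\r\n"  # base64("admin:s3cret")
    "\r\n"
)

# Matches the single Authorization header a basic-auth client sends.
AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def basic_auth_header(username, password):
    """Build the header value a client sends: 'Basic ' + base64(user:pass).
    Base64 is an encoding, not encryption; anyone on the path can reverse it."""
    token = base64.b64encode(f"{username}:{password}".encode("latin-1"))
    return "Basic " + token.decode("ascii")


def extract_basic_credentials(raw_request):
    """Return (username, password) from a captured request, or None if the
    request carries no well-formed basic-auth header."""
    match = AUTH_RE.search(raw_request)
    if match is None:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def is_factory_default(creds):
    """True when the pair is the shipped default: user 'admin', null password."""
    return creds is not None and creds[0] == "admin" and creds[1] == ""


def audit_capture(raw_request):
    """Classify one captured request: 'no-auth', 'default-admin' or 'custom'."""
    creds = extract_basic_credentials(raw_request)
    if creds is None:
        return "no-auth"
    return "default-admin" if is_factory_default(creds) else "custom"


if __name__ == "__main__":
    for name, req in (("default", CAPTURED_DEFAULT), ("changed", CAPTURED_CHANGED)):
        print(name, extract_basic_credentials(req), audit_capture(req))
```

Run against a packet capture of the management VLAN, the same logic flags
both phones still on the null default and the password of any phone that
was changed but is administered over the network in the clear.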
Remote Telnet Access
Potentially the most damaging issue is the presence of a Telnet server
allowing remote administrative access to the VxWorks operating system.
This access is only available once a password has been set for the "admin"
account, which is trivially accomplished by using the web interface's user
management feature (an attacker who finds the default null password simply
sets one). This access allows a remote attacker to abuse the telephone no
longer as merely a VoIP device but as a POSIX-compliant network host with
storage space, bandwidth and a CPU.
Abusing the Web Interface - Manipulating Signaling
Using the default administrator password an attacker can successfully
authenticate to the web server. Administrator access gives an attacker
complete control over the phone's settings, including the configuration
of an arbitrary SIP proxy, an arbitrary SIP redirect server and other SIP
entities. By manipulating one or more of these settings an attacker can
gain complete control over the SIP signaling path, leading to, among other
things, complete control over the VoIP audio stream. This can be done
using a malicious SIP proxy, a malicious SIP redirect server, and/or a
malicious SIP registrar.
Abusing the Web Interface - Hijacking Calls
Using the web interface an authenticated user can alter the Call
Forwarding settings. Setting all calls to be forwarded to another SIP
URL or phone number enables an attacker to divert all telephone
traffic to a third party.
When call forwarding is activated no notification is presented to the
user, either of incoming calls or of diverted calls.
Administrative Access Required:
A. Changing the SIP Listening Ports
Setting the SIP_TCP_PORT and the SIP_UDP_PORT to the same non-zero
non-default value will result in a denial of service condition against
all incoming calls using either TCP or UDP as the transport protocol
for SIP.
B. Requiring Authentication of Incoming Calls
Changing the value of SIP_AUTHENTICATE_SCHEME to either Basic or Digest
forces the authentication of incoming calls.
When authentication of a call is required neither party is informed of
an authentication failure. The caller receives no notification of an
authentication request, and the callee receives no information of the
call attempt, nor of the authentication failure. Finally, no log is
produced of the failed call attempt.
Note: this is not RFC 2543 compliant behavior.
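For contrast, the RFC 2543 behaviour the note refers to, as an added
example (not code from @stake or from Pingtel): the callee answers an
unauthenticated INVITE with 401 Unauthorized carrying a Digest challenge,
the caller answers the challenge, and the callee verifies the response,
accepts the call on success and logs every failure. The realm, the
account and the URI are constructed for the example; the digest is the
RFC 2069 form that RFC 2543 references (no qop). The Basic scheme the phone
also offers would instead carry the password base64-encoded, with the same
weakness as the web interface.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample data for the example: a realm and one caller account.
REALM = "pingtel.example"
USERS = {"alice": "s3cret"}
CALLEE_URI = "sip:bob@pingtel.example"

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2069 digest as referenced by RFC 2543 (no qop):
    MD5( MD5(user:realm:pass) : nonce : MD5(method:uri) )."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_digest_params(header_value):
    """Turn 'Digest realm="r", nonce="n"' into {'realm': 'r', 'nonce': 'n'}."""
    return dict(_PARAM_RE.findall(header_value))


def build_authorization(username, password, challenge, method, uri):
    """Caller side: answer a WWW-Authenticate challenge with an Authorization value."""
    params = parse_digest_params(challenge)
    resp = digest_response(username, params["realm"], password,
                           params["nonce"], method, uri)
    return (f'Digest username="{username}", realm="{params["realm"]}", '
            f'nonce="{params["nonce"]}", uri="{uri}", response="{resp}"')


class Callee:
    """Callee UA: challenges, verifies, and (unlike the affected firmware)
    logs every failed attempt so the callee can see who tried to call."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password
        self.live_nonces = set()    # nonces issued and not yet consumed
        self.log = []

    def _challenge(self):
        nonce = secrets.token_hex(8)
        self.live_nonces.add(nonce)
        return "401 Unauthorized", f'Digest realm="{self.realm}", nonce="{nonce}"'

    def handle_invite(self, method, uri, authorization=None):
        """Return (status line, WWW-Authenticate value or None)."""
        if authorization is None:
            return self._challenge()
        p = parse_digest_params(authorization)
        password = self.users.get(p.get("username"))
        ok = (password is not None
              and p.get("realm") == self.realm
              and p.get("nonce") in self.live_nonces
              and p.get("uri") == uri
              and hmac.compare_digest(
                  digest_response(p["username"], self.realm, password,
                                  p["nonce"], method, uri),
                  p.get("response", "")))
        if ok:
            self.live_nonces.discard(p["nonce"])   # one use per nonce
            return "200 OK", None
        self.log.append(f"auth failure: user={p.get('username')!r} uri={uri}")
        return self._challenge()


def run_exchange(username, password):
    """Drive one INVITE through challenge and response.
    Returns (final status, number of failures the callee logged)."""
    callee = Callee(REALM, USERS)
    status, www_auth = callee.handle_invite("INVITE", CALLEE_URI)
    assert status == "401 Unauthorized"
    auth = build_authorization(username, password, www_auth, "INVITE", CALLEE_URI)
    status, _ = callee.handle_invite("INVITE", CALLEE_URI, auth)
    return status, len(callee.log)


if __name__ == "__main__":
    print(run_exchange("alice", "s3cret"))   # ('200 OK', 0)
    print(run_exchange("alice", "wrong"))    # ('401 Unauthorized', 1)
```

The two things the advisory says the phone omits are both visible here: the
caller receives an explicit 401 so it knows credentials are required, and
the callee keeps a record of the attempt that failed.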
C. Altering the Behavior of the Web Server
Assigning 0 to the PHONESET_HTTP_PORT parameter causes the web server
to shut down. The phone's administrator will have to enable the web
server physically from each phone in order to re-enable remote access.
It is, of course, possible to change the listening port of the Web
Server. This is more of a nuisance than a security issue.
Any Authenticated User:
A. Restarting the Phone
It is possible for any user to restart the phone. After each reboot it
is approximately 45 seconds before the phone is usable.
B. Termination of Current Phone Conversation
Any user can terminate a current phone conversation by selecting which
of the listed conversations they wish to terminate and pressing the
"hangup" button.
C. Disabling the Ring Tone
An attacker is able to replace the ring tone audio file with either an
empty or a silent file; in this case no ring tone will be heard.
Combining this with altering the ALERT method settings to ring only
will create a denial of service against all incoming calls.
D. Any authenticated user can view and alter the programmed speed
dial numbers.
E. Any authenticated user can enable/disable SIP message logs and
view the message logs.
F. Any non-administrative user who attempts to alter certain portions
of the phone's configuration will be asked to authenticate, presumably
as an administrative user. After three failed authentication attempts
the user is presented with the following error message:
User Not Authorized
Must be user "admin" to access this page.
Compounding this problem, the web server supports neither HTTP digest
authentication nor HTTPS, so every such authentication attempt sends the
password across the network base64-encoded in the clear.
Additionally, by altering the DNS server settings it is possible to
hijack outgoing calls dialed using a domain name, e.g.
[email protected].
Settings Update
Assigning malicious values to certain parameters prevents the phone
from booting correctly after a hard reset, e.g. assigning the value
of 0 for the SIP_UDP_PORT and the SIP_TCP_PORT parameters.
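As an added example (not part of the original advisory and not Pingtel's
code), the following Python audits a set of the phone parameters named in
the "Administrative Access Required" section and in "Settings Update"
above, flagging the values the advisory says either disable the phone or
silently drop calls. The parameter names are the ones the advisory cites;
the "NAME : VALUE" line syntax, the sample values and the assumed default
SIP port of 5060 are assumptions for this example, not necessarily the
phone's real configuration format or defaults.

```python
# Constructed sample configurations in a simple "NAME : VALUE" line format.
# The line syntax and the default-port assumption are this example's own.
TAMPERED_CONFIG = """\
# values an attacker with the admin password might set
SIP_TCP_PORT : 5070
SIP_UDP_PORT : 5070
SIP_AUTHENTICATE_SCHEME : DIGEST
PHONESET_HTTP_PORT : 0
"""

SANE_CONFIG = """\
SIP_TCP_PORT : 5060
SIP_UDP_PORT : 5060
PHONESET_HTTP_PORT : 80
"""

SIP_DEFAULT_PORT = 5060   # assumed factory default for both SIP transports


def parse_config(text):
    """Parse NAME : VALUE lines into a dict; blank lines and # comments skipped."""
    cfg = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        name, sep, value = stripped.partition(":")
        if sep:
            cfg[name.strip().upper()] = value.strip()
    return cfg


def _port(cfg, name):
    """Integer value of a port parameter, or None if absent or non-numeric."""
    try:
        return int(cfg[name])
    except (KeyError, ValueError):
        return None


def audit_config(cfg):
    """Return a list of (parameter, finding) pairs for settings that, per the
    advisory, leave the phone unbootable, unreachable or silently dropping calls."""
    findings = []
    tcp, udp = _port(cfg, "SIP_TCP_PORT"), _port(cfg, "SIP_UDP_PORT")

    # Settings Update: port 0 stops the phone booting after a hard reset.
    if tcp == 0 or udp == 0:
        findings.append(("SIP_TCP_PORT/SIP_UDP_PORT",
                         "port 0: phone will not boot correctly after a hard reset"))
    # A: same non-zero, non-default port on both transports kills incoming calls.
    elif tcp is not None and tcp == udp and tcp != SIP_DEFAULT_PORT:
        findings.append(("SIP_TCP_PORT/SIP_UDP_PORT",
                         f"both transports on non-default port {tcp}: "
                         "all incoming calls fail"))

    # B: Basic/Digest on this firmware drops failed calls with no notice or log.
    scheme = cfg.get("SIP_AUTHENTICATE_SCHEME", "").upper()
    if scheme in ("BASIC", "DIGEST"):
        findings.append(("SIP_AUTHENTICATE_SCHEME",
                         f"{scheme}: incoming calls that fail authentication "
                         "are dropped silently and unlogged"))

    # C: port 0 shuts the web server down until someone re-enables it at the handset.
    if _port(cfg, "PHONESET_HTTP_PORT") == 0:
        findings.append(("PHONESET_HTTP_PORT",
                         "0: web server shut down; must be re-enabled at the handset"))
    return findings


if __name__ == "__main__":
    for param, finding in audit_config(parse_config(TAMPERED_CONFIG)):
        print(f"{param}: {finding}")
    print("sane config findings:", audit_config(parse_config(SANE_CONFIG)))
```

Pulling the current values from each phone's web interface and running them
through a check like this is a cheap way to notice tampering before users
report that calls have stopped arriving.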
There is a cross site scripting bug in the SIP dialing facility: the
value submitted in the MESSAGE field is rendered without escaping, so a
browser interprets it as markup or script. This is more of a nuisance
than a security issue.
Physical access
The Pingtel xpressa SIP phone provides a graphical user interface which
can be used to configure certain settings. Some settings require
administrative access to be altered.
more -> menu -> factory defaults -> ok
Without requiring any authentication this will reset the phone to its
factory defaults, among them setting the administrator password to null.
more -> apps -> MyPingtel Sign-In
The user's credentials will be the same as those registered on the
http://my.pingtel.com web site. These credentials can also be used to
login to the web interface and remotely manage the phone.
The registration process at http://my.pingtel.com is done using
arbitrary information supplied by the user. Pingtel does not verify
that the supplied user information corresponds to a phone. This
allows an attacker to register a valid user name which can then
be used with any Pingtel xpressa SIP-based phone.
If a phone is already registered to a user, an attacker, by having
physical access to the phone, can log the user out by:
More -> apps -> MyPingtel Sign-In -> signout -> ok -> ok
Then the attacker can re-register the phone with his fake credentials:
More -> apps -> MyPingtel Sign-In
The attacker will now have remote access to the phone and will be
able to do a number of things as an authenticated user.
Selecting more -> apps -> prefs -> Network Settings and entering the
admin password (either the default one or one gleaned from the network)
gives access to the network settings. The settings that can be changed
include DHCP versus a static IP address, configuration of DNS servers,
time server configuration and quality of service.
An attacker can assign the phone a different static IP and cause a
denial of service on incoming calls, or set the phone to an incorrect
IP address and cause a complete denial of service.
Assigning an incorrect IP address for the DNS server will cause a
denial of service to outgoing calls dialed using a domain name,
e.g. [email protected].
Another possible denial of service is assigning a different
quality of service value.
Selecting More -> apps -> prefs -> myxpressa Web and entering the
administrator password (either the default or one gleaned from sniffed
traffic) gives access to the web server settings. The "enable web
server?" parameter can be unchecked or the listening port altered to a
non-zero non-default value. The phone's administrator will have to enable
the web server physically from the phone in order to re-enable remote
access.
Unless the local administrator explicitly terminates his authentication
via the "ok" or "cancel" buttons he will remain logged in indefinitely.
There is no time out! Therefore another user will be able to
arbitrarily alter the settings the administrator logged in to change.
Operational Aspects
Ignoring ICMP Error Messages
After the establishment of a session any ICMP error messages will be
ignored. If connectivity to one of the participating parties is severed
the phone will not terminate the call nor explicitly notify the user.
ARP Refresh Problem
After the Pingtel xpressa SIP-based phone has made an ARP request it
will consider the ARP reply canonical. It will not perform further
ARP requests for this IP address. This issue relates to the
underlying VxWorks operating system.
Firmware Upgrade
The phone firmware can be upgraded without administrative privileges.
Vendor Response:
Vendor was notified of these issues on May 28, 2002. In response to the
@stake security advisory, Pingtel has created a document named "Best
Practices for Deploying Pingtel phones." This document is posted
in the "Support" section of Pingtel Corp's web site
(http://www.pingtel.com/s_docadmin.jsp). In addition a point by point
response to the @stake advisory is available at:
(http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp).
Temporary Solution:
Pingtel recommends following the "Best Practices for Deploying Pingtel
Phones" document made available on their corporate web site
(http://www.pingtel.com/s_docadmin.jsp). Pingtel also recommends
upgrading to the v2.0.1 software release made available for download
from the support section of Pingtel's web site at:
(http://www.pingtel.com/s_upgrades.jsp). While this upgrade does not
address all of the issues raised by the @stake advisory, further planned
upgrades for the end of July and the end of 2002 will address the
remaining issues, providing Digest-based authentication and HTTPS-based
communication respectively.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
CAN-2002-0667 Default administrator password
CAN-2002-0668 Abusing Call Forwarding to hijack calls
CAN-2002-0669 Incoming Call authentication denial-of-service
CAN-2002-0670 HTTP Authentication using Base64
CAN-2002-0671 Downloading Phone Applications from non-trusted entities
CAN-2002-0672 Gaining local physical access to the phone by resetting
the phone to its factory defaults
CAN-2002-0673 Abusing the phone's enrollment process to gain local
and remote access to the phone
CAN-2002-0674 Authentication leakage
CAN-2002-0675 Firmware upgrade vulnerability
Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc
Copyright 2002 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
iQA/AwUBPS7gdEe9kNIfAm4yEQJYoACePVrxme9mEe7muEoI0GGt56bsJzMAoJty
2Xf8P+u5y+mjs1QiC5ZACP04
=J9XS
-----END PGP SIGNATURE-----