Auerswald COMpact 8.0B multiple backdoors
Discovered: 2021-12-06 | Type: remote | Platform: hardware
RedTeam Pentesting discovered several backdoors in the firmware for the
Auerswald COMpact 5500R PBX. These backdoors allow attackers who are
able to access the web-based management application full administrative
access to the device.
"Fully modular VoIP appliance for more efficient communication processes
With the COMpact 5500R, you are originally equipped for everyday
business - now and in the future.
The fully modular architecture with 80 IP channels and all the functions
of a large ITC server allows up to 112 subscribers and thus scales with
your company.
Continuous maintenance and expansion of the system software makes this
versatile IP server a future-proof investment in any business
communication."
(from the vendor's homepage)
More Details
============
Two backdoor passwords were found in the firmware of the COMpact 5500R
PBX. One backdoor password is for the secret user "Schandelah", the
other can be used for the highest-privileged user "Admin". No way was
discovered to disable these backdoors.
Proof of Concept
================
The firmware for the COMpact 5500R can be downloaded from the vendor's
homepage[1]. The following details refer to firmware version 7.8A, but
the latest firmware at the time of writing (8.0B) is affected as well.
Inspecting the downloaded file reveals that it is compressed and can be
extracted with the program "gunzip":
------------------------------------------------------------------------
$ file 7_8A_002_COMpact5500.rom
7_8A_002_COMpact5500.rom: gzip compressed data, last modified: Wed Sep 23
15:04:43 2020, from Unix, original size 196976698
------------------------------------------------------------------------
Analysing the resulting file again shows that it is an image file in the
format required by the bootloader "Das U-Boot"[2], a popular bootloader
for embedded devices:
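The U-Boot legacy image format mentioned above has a fixed 64-byte big-endian header (magic 0x27051956, header CRC, timestamp, payload size, load and entry addresses, payload CRC, OS/arch/type/compression bytes and a 32-byte name). The parser below is an added example for this step of the analysis, written for this page and not part of RedTeam Pentesting's advisory or of the vendor's firmware; it reports the header fields and checks both CRC32 values, which is the same check U-Boot itself performs before booting. The constant tables are a subset of U-Boot's include/image.h, and the sample image it operates on is constructed in the block, not the vendor's download.

```python
import gzip
import struct
import zlib
from dataclasses import dataclass

UBOOT_MAGIC = 0x27051956
HEADER_FMT = ">7I4B32s"                    # every header field is big-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 64 bytes

# Subset of the legacy-image constants from U-Boot's include/image.h
OS_NAMES = {0: "invalid", 5: "linux"}
ARCH_NAMES = {0: "invalid", 2: "arm", 3: "x86", 5: "mips", 7: "powerpc"}
TYPE_NAMES = {0: "invalid", 1: "standalone", 2: "kernel", 3: "ramdisk",
              4: "multi", 5: "firmware", 6: "script", 7: "filesystem"}
COMP_NAMES = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}


@dataclass
class UBootImage:
    name: str
    os: str
    arch: str
    image_type: str
    compression: str
    data_size: int
    load_addr: int
    entry_point: int
    timestamp: int
    header_crc_ok: bool
    data_crc_ok: bool


def _crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uboot_image(blob: bytes) -> UBootImage:
    """Parse a U-Boot legacy image header and verify header and payload CRCs."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than a 64-byte U-Boot legacy header")
    (magic, hcrc, timestamp, size, load, ep, dcrc,
     os_id, arch_id, type_id, comp_id, raw_name) = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != UBOOT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a U-Boot legacy image")
    # ih_hcrc is computed over the header with the CRC field itself zeroed
    header_for_crc = blob[:4] + b"\x00" * 4 + blob[8:HEADER_LEN]
    data = blob[HEADER_LEN:HEADER_LEN + size]
    return UBootImage(
        name=raw_name.rstrip(b"\x00").decode("ascii", "replace"),
        os=OS_NAMES.get(os_id, f"unknown({os_id})"),
        arch=ARCH_NAMES.get(arch_id, f"unknown({arch_id})"),
        image_type=TYPE_NAMES.get(type_id, f"unknown({type_id})"),
        compression=COMP_NAMES.get(comp_id, f"unknown({comp_id})"),
        data_size=size,
        load_addr=load,
        entry_point=ep,
        timestamp=timestamp,
        header_crc_ok=_crc32(header_for_crc) == hcrc,
        # a truncated file fails the length check before any CRC is compared
        data_crc_ok=len(data) == size and _crc32(data) == dcrc,
    )


def build_uboot_image(name: str, payload: bytes, *, os_id=5, arch_id=2,
                      type_id=5, comp_id=1, load=0, ep=0, timestamp=0) -> bytes:
    """Wrap `payload` in a legacy header; used here only to construct sample input."""
    header_no_crc = struct.pack(HEADER_FMT, UBOOT_MAGIC, 0, timestamp, len(payload),
                                load, ep, _crc32(payload), os_id, arch_id, type_id,
                                comp_id, name.encode("ascii")[:32].ljust(32, b"\x00"))
    return header_no_crc[:4] + struct.pack(">I", _crc32(header_no_crc)) \
        + header_no_crc[8:] + payload


# Constructed sample: a small gzip'd payload, not the vendor's firmware
SAMPLE_PAYLOAD = gzip.compress(b"constructed sample payload, not real firmware")
SAMPLE_IMAGE = build_uboot_image("constructed-sample", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(parse_uboot_image(SAMPLE_IMAGE))
```

On a real download, read the gunzip'd file into `blob` and call `parse_uboot_image(blob)`; a mismatching payload CRC is the first sign that the file was truncated or modified in transit, and the reported compression type tells which decompressor to apply to the bytes after the 64-byte header before handing them to a filesystem extractor.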
The PBX runs the web server lighttpd[3]; its configuration files can be
found in the folder "/opt/auerswald/lighttpd". The web server forwards
most requests via FastCGI to the program "/opt/auerswald/web/webserver".
This program can then be analysed, for example using the reverse
engineering program Ghidra[4].
The manual for the PBX reveals that in order to manage the device, users
need to log in with the username "sub-admin". When this string is
searched within the program in Ghidra, the function which checks
passwords on login can be identified.
It can easily be seen that, besides the username "sub-admin", the
function also checks for the hard-coded username "Schandelah", the
village where Auerswald's headquarters are located. Further analysis
revealed that the corresponding password for this username is derived by
concatenating the PBX's serial number, the string "r2d2" and the current
date, hashing the result with the MD5 hash algorithm and taking the
first seven lower-case hex characters of the digest.
All data needed to derive the password can be accessed without
authentication by requesting the path "/about_state", which is also used
by the page the PBX redirects users to when they abort the password
prompt (shortened and formatted to increase readability):
The returned access level is "Haendler" (reseller). After login, the web
server redirects to a special service page at the path
"/statics/html/page_servicetools.html". Among other things, it allows
downloading a backup of all data on the device, configuring audio
recording and resetting the password, PIN and token for the user
"Admin". Regular administrative functions cannot be accessed directly
with this user account.
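Two paths named above are useful from the operator's side: "/about_state" is readable without authentication and serves the data the backdoor passwords are derived from, and "/statics/html/page_servicetools.html" is the page the server redirects to after a "Schandelah" login. The audit function below is an added example, not part of the advisory and not a vendor tool; it assumes that lighttpd's access log is available in Common/Combined Log Format (the advisory does not say whether the PBX keeps one) and flags unauthenticated "/about_state" reads from outside the administrative networks plus any successful access to the service page, raising the severity when the same client did both. The log lines are constructed for the example.

```python
import ipaddress
import re

# Paths taken from the advisory
ABOUT_STATE = "/about_state"
SERVICE_PAGE = "/statics/html/page_servicetools.html"

# Common/Combined Log Format as written by lighttpd's mod_accesslog (assumed enabled)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def audit_access_log(lines, admin_networks):
    """Return (timestamp, client, severity, reason) tuples for suspicious requests."""
    trusted_nets = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    profiled = set()   # clients that read /about_state from outside the admin networks
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line; a real deployment would count these
        client = m["ip"]
        path = m["path"].split("?", 1)[0]
        status = int(m["status"])
        trusted = any(ipaddress.ip_address(client) in net for net in trusted_nets)
        if path == ABOUT_STATE and not trusted:
            profiled.add(client)
            findings.append((m["ts"], client, "medium",
                             "unauthenticated /about_state read from outside admin networks"))
        elif path == SERVICE_PAGE and status == 200:
            # the service page is only offered after the undocumented reseller login
            severity = "high" if (client in profiled or not trusted) else "medium"
            findings.append((m["ts"], client, severity,
                             "service page reached (only offered after the backdoor login)"))
    return findings


# Constructed sample log lines, not captured from a real device
SAMPLE_LOG = [
    '192.168.10.5 - - [06/Dec/2021:09:00:01 +0100] "GET /about_state HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.168.10.5 - - [06/Dec/2021:09:00:20 +0100] "GET / HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [06/Dec/2021:11:13:02 +0100] "GET /about_state HTTP/1.1" 200 812 "-" "python-requests/2.26"',
    '203.0.113.77 - - [06/Dec/2021:11:13:04 +0100] "GET /statics/html/page_servicetools.html HTTP/1.1" 200 3120 "-" "python-requests/2.26"',
    '192.168.10.9 - - [06/Dec/2021:12:40:11 +0100] "GET /statics/html/page_servicetools.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in audit_access_log(SAMPLE_LOG, ["192.168.10.0/24"]):
        print(*finding)
```

Because the service page is legitimately reached by the vendor's reseller workflow, a hit from inside the administrative network is only medium severity; the combination of an "/about_state" read and a service-page access from the same outside client is the pattern worth alerting on.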
When inspecting the password checking function, a second backdoor can be
found. When the username "Admin" is specified, the given password is
tested against the configured password as well as a password derived in
a similar way from the PBX's serial number, the string "r2d2", the
current date and the configured language. The MD5 hash is taken and the
specified password is tested against the first seven characters of the
lower case hexadecimal hash.
The backdoor password for the "Admin" user can be calculated as follows:
Workaround
==========
Disable or restrict access to the web-based management interface if
possible.
Fix
===
Upgrade to a firmware version which corrects this vulnerability.
Security Risk
=============
By inspecting the firmware for the COMpact 5500R PBX, attackers can
easily discover two backdoor passwords. One password is for the secret
user account with the username "Schandelah", the other works as an
alternative password for the user "Admin". Using the backdoor, attackers
are granted access to the PBX with the highest privileges, enabling them
to completely compromise the device. The passwords are derived from the
serial number, the current date and the configured language.
The backdoor passwords are not documented. They secretly coexist with a
documented password recovery function supported by the vendor. No way
was found to disable the backdoor access.
All information needed to derive the passwords can be requested over the
network without authentication, so attackers only require network access
to the web-based management interface.
Due to the ease of exploitation and severe consequences, the backdoor
passwords are rated as a high risk.
Timeline
========
2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-05 Vendor provides access to device with fixed firmware
2021-10-11 Vendor provides fixed firmware
2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-12-06 Advisory published
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. In this way, security weaknesses
in company networks or products are uncovered and can be fixed
immediately.
As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/