We recently identified security issues in the UNIFY OpenScape Desk Phone CP600 HFA software. We disclosed the vulnerabilities to Unify; now that a fix is available, we want to give a brief overview of the vulnerabilities affecting the web interface.
We were able to identify the following vulnerabilities in the web interface of the telephone:
- Command Injection in Picture Delete function of OpenScape Desk Phone Webportal
- Unauthenticated Arbitrary File Access in the OpenScape Desk Phone Webportal
- Memory Corruption in the OpenScape Desk Phone Webservice
- Missing Hardening of the OpenScape Desk Phone Webservice Binary
- Missing Cross Site Request Forgery Protection in the OpenScape Desk Phone Webservice
In this blog post we take a look at the command injection and how we exploited it.
The fixed version is V1 R2.7.0. More information about the OpenScape CP Desk Phones, including release notes, can be found under:
When we started the assessment, we did a quick web search to find out more about the software and known vulnerabilities. We quickly found the advisories from Unify, an older but detailed advisory from modzero and, a bit more obscure, a guide from the Vault 7 leak on WikiLeaks on how to backdoor the telephone.
Equipped with this knowledge we started the assessment.
The telephone can be configured via a web interface. There are two user accounts with different privileges on the device: a high-privileged administrator and a low-privileged user. The latter can configure functions like call redirection, speed dial or the background images. The administrator can set the network configuration, enable SSH access and more. We started our assessment with the low-privileged user.
The upload of background images looked interesting, as it offered a way to bring new files onto the filesystem and potentially to specify a path outside of the intended folder. After some attempts, we tried to remove the files via the web interface and were confronted with the error message:
"rm: can't remove '/data/screensavers/../../../../tmp/file.PNG': No such file or directory"
This looked like our payload "../../../../tmp/file.PNG"; however, as deleting the file did not work, it was not really a path traversal. Instead, it looked like a command injection via the file name: the message is the one rm prints, so the name was apparently pasted into a shell command line. To confirm this, we uploaded a file called "$(id)test.PNG", and when we tried to delete it we received the following error message:
"rm: can't remove '/data/screensavers/uid=0(root) gid=0(root)test.PNG': No such file or directory"
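To make the pattern concrete, here is an added Python example; it is not the phone's code or the authors' exploit. It shows a delete handler that interpolates the file name into a shell command, the way the error message suggests the phone does it, next to a hardened version that never touches a shell. The directory /data/screensavers comes from the quoted error message; everything else (function names, the allow-list, the temporary directory used by run_demo) is assumed for illustration.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Directory the web portal stores background images in (quoted in the
# error message above); the handlers take it as a parameter so the demo
# can run against a throw-away directory instead.
SCREENSAVER_DIR = "/data/screensavers"


def vulnerable_delete(name: str, base: str = SCREENSAVER_DIR) -> str:
    """Delete handler of the kind the error message suggests (assumed, not
    the phone's actual code): the user-controlled file name is pasted into
    a command line that /bin/sh interprets before rm ever runs.  Returns
    rm's stderr so the effect of the injection is visible."""
    cmd = f"rm {base}/{name}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stderr


# Allow-list: a plain base name ending in .png, nothing the shell or the
# path resolver could reinterpret.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.png", re.IGNORECASE)


def safe_delete(name: str, base: str = SCREENSAVER_DIR) -> Path:
    """Hardened handler: validate the name, never involve a shell, and make
    sure the resolved path is a direct child of the image directory."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected file name: {name!r}")
    base_dir = Path(base).resolve()
    target = (base_dir / name).resolve()
    if target.parent != base_dir:
        raise ValueError(f"path escapes {base_dir}: {target}")
    os.remove(target)            # no shell, no word splitting, no $(...)
    return target


def run_demo() -> dict:
    """Exercise both handlers against a temporary directory and report what
    happened; the payloads are the two file names from the post."""
    base = tempfile.mkdtemp(prefix="screensavers-")
    traversal = "../../../../tmp/file.PNG"
    injection = "$(id)test.PNG"
    results = {}

    # The shell substitutes $(id) first, so rm complains about a path that
    # contains the output of id, just like the message quoted above.
    results["injected_stderr"] = vulnerable_delete(injection, base)
    results["injection_ran"] = "uid=" in results["injected_stderr"]

    # Hardened handler: both payloads are rejected before anything runs.
    rejected = {}
    for payload in (traversal, injection):
        try:
            safe_delete(payload, base)
            rejected[payload] = False
        except ValueError:
            rejected[payload] = True
    results["rejected"] = rejected

    # A legitimate name is still deleted, and only from inside base.
    legit = Path(base) / "wallpaper.png"
    legit.write_bytes(b"not really an image")
    safe_delete("wallpaper.png", base)
    results["legit_deleted"] = not legit.exists()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows rm's stderr containing the output of id for the injected name, which is the same symptom the phone produced; the hardened handler rejects both payloads and still deletes a well-formed name. The point of the allow-list is that quoting the name for the shell would not be enough: removing the shell from the path entirely is what closes the injection, and the parent-directory check is what closes the traversal.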
The shell had substituted $(id) before rm ran, and uid=0(root) shows that it did so as root. After some reconnaissance with this technique, we wanted a proper root shell on the device. We tried some typical reverse shells, but everything failed, mostly due to missing tools on the telephone. As we were able to upload files, we decided to upload ncat, a netcat that can execute a command directly and bind it to the socket. The background image upload did some basic checks whether the file is indeed a PNG; however, only the first bytes were checked for a valid PNG header. We uploaded a statically compiled ncat from our static toolbox repository (thanks Niklaus) with the PNG header prepended. Once it was on the device, we removed the header again via the command injection, made the binary executable and spawned our root shell.
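The magic-byte bypass, as an added Python example that is not the authors' tooling or Unify's code: the weak check the post describes next to a structural check that would have rejected the wrapped binary, plus the wrap and unwrap steps. FAKE_ELF is a constructed stand-in for the static ncat, and the minimal PNG is generated inline so the example runs offline. The post does not say how the header was stripped on the phone; here it is simply slicing off the eight signature bytes.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed stand-in for the statically linked ncat: ELF magic plus filler.
# It is not a runnable binary, only a blob the checks can be run against.
FAKE_ELF = b"\x7fELF\x02\x01\x01\x00" + bytes(8) + b"<static ncat goes here>"


def weak_is_png(data: bytes) -> bool:
    """The check the post describes: only the first bytes are compared."""
    return data[:8] == PNG_SIGNATURE


def wrap_as_png(payload: bytes) -> bytes:
    """Attacker side: prepend the signature so the weak check passes."""
    return PNG_SIGNATURE + payload


def unwrap_png(data: bytes) -> bytes:
    """On the device: drop the eight signature bytes again before chmod +x."""
    return data[len(PNG_SIGNATURE):]


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A real 1x1 8-bit greyscale PNG, generated here so the example is
    self-contained."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")        # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def strict_is_png(data: bytes) -> bool:
    """Structural check: signature, then a chunk sequence that starts with
    IHDR, ends exactly at IEND and whose CRCs all verify.  A binary with a
    signature glued on fails here because its bytes do not parse as chunks."""
    if data[:8] != PNG_SIGNATURE:
        return False
    pos, first = 8, True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            return False                      # chunk claims more than exists
        body = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if first and ctype != b"IHDR":
            return False
        first = False
        if ctype == b"IEND":
            return end + 4 == len(data)       # nothing may trail IEND
        pos = end + 4
    return False                              # ran out of data before IEND


if __name__ == "__main__":
    wrapped = wrap_as_png(FAKE_ELF)
    print("weak check accepts wrapped binary:", weak_is_png(wrapped))
    print("strict check accepts wrapped binary:", strict_is_png(wrapped))
    print("strict check accepts real PNG:", strict_is_png(minimal_png()))
    print("unwrapped blob intact:", unwrap_png(wrapped) == FAKE_ELF)
```

The structural check is still not an image decoder, but it is enough to stop the trick used here: the first four bytes after the signature are read as a chunk length, and an ELF header does not yield a length, type and CRC that fit. A server that additionally re-encodes the image through a real PNG library would drop any appended payload as well.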
Rafael and Till