Vulnerabilities and backdoors in Grandstream phones
I want to share a couple of serious vulnerabilities that I found in Grandstream telephones.
Studying the web interface of gxp21xx color phones to study their api, I came across a script to download the config to the phone, this is the script / cgi-bin / upload_cfg
Unlike other scripts, this script is not transmitted sessionid, but only the file is transmitted. A quick check through curl showed that indeed, you can use this script without authorization:
The config.txt file is a text file with a set of parameters of the form: Рхххх = уууу
Filling the file with one line “P2 = admin”, we change the admin password on the phone, after which we can log in to the web interface.
The phone has similar scripts to download the wallpaper, phone book, etc.
This vulnerability is present in gxp2130, gxp2140 and gxp2160 phones.
The next vulnerability is even worse than the first. It was already discovered after getting root access to the phone and analyzing scripts in cgi-bin.
This is the script / cgi-bin / dumpsettings, here is its contents:
As you can see, this miracle script simply sends the output of the nvram show | grep -v: STR without any hint of authorization. And nvram contains many interesting parameters, besides the config itself. And of course there are all the passwords in the clear: admin and sip accounts.
This vulnerability is in most grandstream devices (and maybe in all), including gateways.
In addition to xml configs, when provisioning, the phone can use an encrypted text config. The utility for creating such a config can be downloaded on the grandstream website. The first thing that is alarming when using this utility is that it does not ask for any password for encryption. The prov_config_dec utility is used on the phone to decrypt the config, which needs only a poppy to decrypt. Thus, decrypting the config is no problem. And some voip providers are confident in the reliability of encryption and post such configs in the public domain (for provisioning their customers' phones). By simply sorting the poppy addresses, one of the American voip providers managed to download about five hundred configs with sip accounts inside.
I decided for one to look for backdoors in the firmware. Reverse engineering of the dropbear banner shows that it is possible to log in via ssh not only under the admin user, but also under the root user, using the key. Public key carefully lies in the firmware along the path /rom/.ssh/authorized_keys
So the owners of the private key can safely log in via ssh. And having received root access to the phone, you can, for example, listen to conversations, or even just listen to what is happening around the phone, even outside the conversation.
These vulnerabilities can be found not one application, it can be:
On the Internet, I found a large number of phones that look on the Internet with their web interface, where the above vulnerabilities are perfectly exploited.
Well, if you do not want to wait for a new firmware with closed vulnerabilities (the support from the Grand Stream is very tight), then you can cut vulnerable scripts from the firmware yourself, as described here .
1. Download an arbitrary config to the phone
Studying the web interface of gxp21xx color phones to study their api, I came across a script to download the config to the phone, this is the script / cgi-bin / upload_cfg
Unlike other scripts, this script is not transmitted sessionid, but only the file is transmitted. A quick check through curl showed that indeed, you can use this script without authorization:
curl -i -F name="config.txt" -F file="@config.txt;type=text/plain" -H "Content-Disposition: form-data; name=file; filename=config.txt" http://xx.xx.xx.xx/cgi-bin/upload_cfg
The config.txt file is a text file with a set of parameters of the form: Рхххх = уууу
Filling the file with one line “P2 = admin”, we change the admin password on the phone, after which we can log in to the web interface.
The phone has similar scripts to download the wallpaper, phone book, etc.
This vulnerability is present in gxp2130, gxp2140 and gxp2160 phones.
2. Dump phone config
The next vulnerability is even worse than the first. It was already discovered after getting root access to the phone and analyzing scripts in cgi-bin.
This is the script / cgi-bin / dumpsettings, here is its contents:
#!/usr/bin/haserl
#!/bin/ash
As you can see, this miracle script simply sends the output of the nvram show | grep -v: STR without any hint of authorization. And nvram contains many interesting parameters, besides the config itself. And of course there are all the passwords in the clear: admin and sip accounts.
This vulnerability is in most grandstream devices (and maybe in all), including gateways.
3. Encrypted config
In addition to xml configs, when provisioning, the phone can use an encrypted text config. The utility for creating such a config can be downloaded on the grandstream website. The first thing that is alarming when using this utility is that it does not ask for any password for encryption. The prov_config_dec utility is used on the phone to decrypt the config, which needs only a poppy to decrypt. Thus, decrypting the config is no problem. And some voip providers are confident in the reliability of encryption and post such configs in the public domain (for provisioning their customers' phones). By simply sorting the poppy addresses, one of the American voip providers managed to download about five hundred configs with sip accounts inside.
4. The backdoor from the grand stream
I decided for one to look for backdoors in the firmware. Reverse engineering of the dropbear banner shows that it is possible to log in via ssh not only under the admin user, but also under the root user, using the key. Public key carefully lies in the firmware along the path /rom/.ssh/authorized_keys
So the owners of the private key can safely log in via ssh. And having received root access to the phone, you can, for example, listen to conversations, or even just listen to what is happening around the phone, even outside the conversation.
These vulnerabilities can be found not one application, it can be:
- Banal theft sip accounts
- Changing the name of the caller through the phone book
- Sip server substitution in order to intercept traffic and wiretapping
- Download malicious software into the phone system, for example, for recording from a microphone or for making any attacks
On the Internet, I found a large number of phones that look on the Internet with their web interface, where the above vulnerabilities are perfectly exploited.
Well, if you do not want to wait for a new firmware with closed vulnerabilities (the support from the Grand Stream is very tight), then you can cut vulnerable scripts from the firmware yourself, as described here .