Product: Verizon Voicewing combined with Linksys PAP2-VN
Reported by: Haavar Valeur
Status: Vendor unwilling to address the problem
Reported: Mar 15, 2006
I found a way to make and receive calls from other Verizon accounts.
The problem is that Verizon publishes encrypted configuration files containing the username and password. These files are published through TFTP and HTTP, and are publicly readable. A vulnerability is created because the PAP2-VN adapter trusts the web server to give it the correct file. The PAP2 adapter accepts and decrypts configuration files for other accounts if they are available at the URI where the adapter expects to find its configuration file.
The following steps can be taken by anyone with a PAP2-VN adapter to access random users' accounts:
1) Create a subnet that you are able to isolate from the internet
2) Block all TFTP access from the subnet to the Internet. This will make the adapter fail over to HTTP (I did not bother to set up a TFTP server).
3) Redirect all HTTP requests made from the subnet to a web server you control (possible with e.g. iptables)
4) Connect the PAP2 adapter to the subnet and wait for the adapter to try to get the config file.
5) Look in the web server access log or tcpdump to find what URL the PAP2 tries to access on the web server
6) The URL should contain the MAC address of the PAP2. Try finding another valid MAC by changing one of the least significant digits, and download the file from Verizon's web server.
7) Rename the file you downloaded to the filename the PAP2 tried to access and put it on the web server so the PAP2 will download this file.
8) The PAP2 will download and decrypt this file containing the account information of the other user and connect to the SIP server.
9) Now you can make and receive calls from another account.
This has been tested on a PAP2-VN with firmware v2.0.10 and Verizon Voicewing, but could apply to other vendors using this adapter.
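The root cause described above is that the adapter accepts any file served at its expected URI. The following added example (not code from the advisory, Verizon or Linksys) contrasts that behaviour with a loader that only accepts a configuration authenticated under the device's own key. The key-derivation scheme, function names and MAC addresses are assumptions made for illustration, and payload encryption is left out to keep the binding check in focus.

```python
import hashlib
import hmac

# Constructed provisioning secret for this sketch (assumption, not from the advisory).
MASTER_KEY = b"constructed-master-key-for-demo"
TAG_LEN = 32  # length of an HMAC-SHA256 tag

def normalize_mac(mac: str) -> bytes:
    """Canonical form: 12 lowercase hex digits, no separators."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits.encode()

def device_key(mac: str) -> bytes:
    """Per-device key: derived by the provisioning side, stored in that one device."""
    return hmac.new(MASTER_KEY, b"cfg-key|" + normalize_mac(mac), hashlib.sha256).digest()

def seal_config(mac: str, payload: bytes) -> bytes:
    """Server side: tag the payload with the key of the single device it is meant for."""
    tag = hmac.new(device_key(mac), payload, hashlib.sha256).digest()
    return tag + payload

def load_config_unbound(blob: bytes) -> bytes:
    """Behaviour the advisory describes: whatever sits at the expected URI is used."""
    return blob[TAG_LEN:]

def load_config_bound(own_key: bytes, blob: bytes) -> bytes:
    """Hardened: use the payload only if its tag verifies under this device's key."""
    if len(blob) < TAG_LEN:
        raise ValueError("configuration too short to carry a tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(own_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("configuration was not issued for this device")
    return payload

if __name__ == "__main__":
    # Constructed MACs from the IANA documentation range 00-00-5E-00-53-xx.
    mine, other = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    swapped = seal_config(other, b"sip_user=other-account")
    print("unbound loader accepts:", load_config_unbound(swapped))
    try:
        load_config_bound(device_key(mine), swapped)
    except ValueError as err:
        print("bound loader rejects:", err)
```

With per-device keys, renaming another account's file to the name the adapter requests no longer matters, because the file name is not what the device trusts.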