Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Network Appliances :: voip5364.htm

Cisco voice over Ip phones multiple vulnerabilities



23th May 2002 [SBWID-5364]
COMMAND

	Cisco voice over Ip phones multiple vulnerabilities

SYSTEMS AFFECTED

	Cisco 7900 line of VoIP phones, including CP-7960, CP-7940, and  CP-7910
	phones.
	

	 

PROBLEM

	In Johnathan Nightingale [http://johnath.com/] advisory :
	

	1. The Cisco 7900 series of phones include  a  built-in  web  server  on
	port  80.  The  server  provides  several  pages  of  debug  and  status
	information about the phone and is presumably  intended  for  diagnostic
	purposes. However the pages require no authentication, and some are  CGI
	scripts with exploitable errors.  The  most  glaring  of  these  is  the
	StreamingStatistics page.  Opening
	

	http://<phone-ip>/StreamingStatistics?1 

	

	will  present  a  page  of  debug  statistics  as  intended.  Requesting
	statistics on a non-existent stream,
	

	e.g. http://<phone-ip>/StreamingStatistics?7 

	

	will return a page indicating the error. However, requesting  statistics
	for a stream with sufficiently high ID will cause a  hard-reset  of  the
	phone. Testing has produced varying results, but  hard  reset  tends  to
	occur with IDs > 32768,  and  using  an  (arbitrarily  selected)  ID  of
	120000 consistently  produces  the  reset.  This  results  in  a  reboot
	process of approximately 15-30 seconds during which the phone is not  in
	service. The result is a very simple and not  at  all  packet  intensive
	DoS  possibility.  The  attack  is  further  facilitated  the   phone\'s
	willingness to provide its IP and phone number  through  the  web  page,
	allowing an attacker to walk a subnet looking for the correct  IP,  when
	targeting a specific extension.
	

	2.  Related  to  #1,   another   script   on   the   phone\'s   website,
	PortInformation has similar, though less catastrophic  input  validation
	problems.  It uses the same format as above,
	

	http://<phone-ip>/PortInformation?1 

	

	will give you information on  the  first  Ethernet  port  of  the  phone
	(which has its own port, as well as a second 10/100  switched  port  for
	connecting  a  computer  to  the  network  without  requiring   multiple
	Ethernet  drops).   Like   StreamingStatistics,   PortInformation   will
	indicate an invalid port number up to a point (again, results vary,  but
	IDs over 32768 seem to  cause  the  problem  consistently).  Above  that
	limit, rather than crashing, the page is generated with what looks  like
	the contents of arbitrary memory locations. It  is  conceivable  that  a
	dedicated attacker could put this data to  some  use.  If  a  tool  were
	developed which could extract from  this,  for  instance,  the  phone\'s
	recent calls lists, then  it  would  be  possible  for  an  intruder  to
	monitor and map telephone usage within the  system.  This  is  certainly
	not as dangerous as #1, but it should clearly be fixed nonetheless.
	

	3. The telephones store all of their  network  information  locally  and
	most of it is accessible through the \"Settings\" button on  the  phone.
	By default, these settings are locked (as indicated by  a  padlock  icon
	when viewing them) however  the  key  to  unlock  the  settings  is  the
	constant string \'**#\' (entered from the phone\'s  keypad)  .  This  is
	not admin-configurable. Once unlocked, several fields can be  specified,
	including  the  TFTP  server  from  which   the   phone   receives   its
	configuration file. Among other things, this  file  provides  the  phone
	with the  list  of  CallManager  IPs  who  will  provide  the  telephony
	services. With one-time physical access to the phone, an attacker  could
	enter an alternate, malicious TFTP server which would provide the  phone
	with attacker-controlled CallManager IPs. In this fashion, the  attacker
	could  route  all  telephone  traffic  through  his  or   her   systems,
	presumably recording  it  or  altering  it  before  passing  it  to  the
	legitimate CallManager systems for transport. This modification  of  the
	phone\'s configuration is very unlikely to  be  noticed,  since  a  user
	never has to  interact  with  the  network  settings  menu  where  these
	changes were made.
	

	

	 References

	 ==========

	

	Cisco CallManager 3.0 Manual
	

	http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/3_0/adm

	in_gd/3_0_9/ccm3_bk.pdf 

	

	Cisco 7960 Administration Guide
	

	http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/ip_7960

	/admguide/7900adm2.pdf 

	

SOLUTION

	For a patch see:
	

	http://www.cisco.com/warp/public/707/multiple-ip-phone-vulnerabilities-pub.shtml

	

	

	 Short term Recommendations - For VoIP admins

	 ============================================

	

	X. Do not separate phone network from other networks as  an  attempt  at
	solution; any sense of security gained by separating the phone from  the
	computer network is illusory. Not only is it relatively  straightforward
	to obtain a phone\'s MAC address and then take the phone\'s  place  with
	a  PC/Laptop  network  card  with  re-assignable  MAC,  but  the  phones
	themselves offer a built-in  switch  for  connecting  computers  to  the
	phone\'s network -- clearly the networks cannot be cleanly separated.
	

	1. Use  internal  firewalls  to  kill  all  port  80  traffic  on  phone
	subnets/VLANs. This will at least block  *some*  attacks  in  the  short
	term, however it  may  not  totally  eliminate  the  problem  since,  as
	described above, it is relatively simple to get onto the  same  wire  as
	the phones -- depending on internal network architecture, it may be  the
	case that significant numbers of  phones  are  connected  with  hardware
	which does not support internal firewalling in this way.
	

	2. Internal firewalls could  also  be  set  up  to  prevent  TFTP  based
	attacks as described above, but this may  affect  other  services  which
	rely on TFTP, and is subject to the same restrictions mentioned in #1.
	

	3. It may be possible, depending on the level of activity on  the  phone
	network, to monitor for  unusual  TFTP  traffic  and  phone  resets.  It
	should never be the case that one IP  requests  the  configuration  file
	for a phone with a different IP, unless something  fishy  is  going  on.
	Likewise, clumsy attackers  experimenting  with  these  techniques  will
	likely be causing a higher-than-normal level of phone  resets,  since  a
	reset is  the  easiest  way  to  cause  the  phone  to  re-download  its
	configuration over TFTP.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH