# [CVE-2018-10093] Remote command injection vulnerability in AudioCodes IP phones

## Description

The AudioCodes 400HD series of IP phones consists of a range of easy-to-use, feature-rich desktop devices for the service provider hosted services, enterprise IP telephony and contact center markets.

The CGI scripts used on the 420HD phone (web interface) do not filter user input correctly. Consequently, an authenticated attacker could inject arbitrary commands (Remote Code Execution) and take full control of the device. For example, it is possible to intercept live communications.

## Vulnerability records

**CVE ID**: CVE-2018-10093

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-78

**CVSS Base Score**: 7.2

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C

## Details

The script `command.cgi`, used for system monitoring and diagnostics, is vulnerable to a remote command execution attack. Visiting `/command.cgi?cat%20/etc/passwd` gives the following result:

```
admin:$1$FZ6rOGS1$54ZXSmjh7nod.kXFRyLx70:0:0:root:/:/bin/sh
```

Note that the vulnerable page is only available to authenticated users (in possession of the admin configuration password).

## Timeline (dd/mm/yyyy)

* 06/03/2018 : Initial discovery
* 17/04/2018 : Vendor contact
* 17/05/2018 : Vendor technical team acknowledgment
* 07/01/2019 : Vendor recommendation to mitigate the issue
* 10/01/2019 : Public disclosure

## Fixes

AudioCodes recommends changing the default admin credentials to mitigate the issue.

## Affected versions

These vulnerabilities have only been tested on the 420HD phone (firmware version: 2.2.12.126).

## Credits

a.baube at sysdream dot com -- SYSDREAM Labs <labs@xxxxxxxxxxxx>

GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream
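The Details section above describes the root cause: `command.cgi` hands the decoded query string to a shell instead of restricting it to a fixed set of diagnostics. The following Python is an added example written for this page; it is not code from the advisory, from SYSDREAM, or from AudioCodes firmware, and the allow-list entries, the gateway address and the access-log lines are all constructed. It shows the allow-list dispatch a hardened diagnostics endpoint would use, and beside it a small detector that flags requests to `command.cgi` in web-server access logs that do not name an allow-listed diagnostic.

```python
"""Added example (not from the advisory or AudioCodes): allow-list dispatch
for a diagnostics CGI endpoint, plus detection of suspicious command.cgi
requests in access logs.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Hypothetical allow-list a hardened command.cgi would accept. The client may
# only send one of the keys; the argv executed is fixed server-side, so no
# client-supplied text ever reaches a shell.
ALLOWED_DIAGNOSTICS = {
    "uptime": ["uptime"],
    "ifconfig": ["ifconfig"],
    "ping-gateway": ["ping", "-c", "3", "192.0.2.1"],  # constructed address
}

# Characters that turn a single shell word into a second command, a
# substitution or a redirect.
SHELL_META = re.compile(r"[;&|`$()<>\n\\\"']")

# Common/combined log format, enough fields for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines; the second request is the one from the advisory.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - admin [10/Jan/2019:10:00:01 +0000] "GET /command.cgi?uptime HTTP/1.1" 200 312',
    '192.0.2.10 - admin [10/Jan/2019:10:00:05 +0000] "GET /command.cgi?cat%20/etc/passwd HTTP/1.1" 200 88',
    '192.0.2.44 - admin [10/Jan/2019:10:01:12 +0000] "GET /command.cgi?uptime%3Bid HTTP/1.1" 200 140',
    '192.0.2.10 - - [10/Jan/2019:10:02:00 +0000] "GET /index.cgi HTTP/1.1" 200 5120',
]


def resolve_diagnostic(raw_query: str):
    """Map the (percent-encoded) query string to a fixed argv, or None.

    The vulnerable pattern passes the decoded query straight to a shell; here
    the query is only a lookup key, so 'cat /etc/passwd' or 'uptime;id' can
    never become an executed command.
    """
    query = unquote_plus(raw_query).strip()
    if not query or SHELL_META.search(query):
        return None
    argv = ALLOWED_DIAGNOSTICS.get(query)
    return list(argv) if argv else None


def classify_query(query: str) -> str:
    """Give a short reason why a decoded command.cgi query is suspicious."""
    if SHELL_META.search(query):
        return "shell metacharacter"
    if re.search(r"\s", query):
        return "command with arguments"
    return "unknown diagnostic"


def suspicious_requests(log_lines):
    """Return (ip, decoded_query, reason) for command.cgi requests whose query
    is not an allow-listed diagnostic name.

    Decoding happens before matching, so percent-encoded metacharacters such
    as %3B are not missed by the check.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/command.cgi"):
            continue
        query = unquote_plus(parts.query).strip()
        if query in ALLOWED_DIAGNOSTICS:
            continue
        hits.append((m.group("ip"), query, classify_query(query)))
    return hits


if __name__ == "__main__":
    for ip, query, reason in suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f"{ip} -> command.cgi?{query!r}: {reason}")
```

Because the mitigation the vendor recommends (changing the default admin password) only raises the bar for reaching the page, the detection side matters for devices that cannot be updated: any `command.cgi` query that is not an exact allow-listed name is worth an alert, whether or not it contains shell metacharacters.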
Sent through the Full Disclosure mailing list: https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/