ID

VAR-201301-0564

TITLE

Aastra 6753i '.tug Profile Information Disclosure Vulnerability

DESCRIPTION

The Aastra 6753i is a versatile IP phone. Each time the Aastra 6753i reboots, it downloads the configuration file .tuz from TFTP and contains the encrypted SIP account username and password. The Aastra 6753i IP Phone uses a slightly modified 3DES algorithm in ECB mode, allowing an attacker to modify the phone settings by modifying the configuration file. Anacrypt is prone to an information-disclosure vulnerability. Successful exploits may allow attackers to obtain potentially sensitive information that may aid in other attacks. Versions prior to Anacrypt 1.04 are vulnerable. Note: This issue was previously titled 'Aastra 6753i '.tuz' Configuraton File Information Disclosure Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected. Aastra IP telephone encrypted .tuz configuration file leakage ------------------------------------------------------------- Affected products ================= Aastra 6753i IP Telephone Firmware Version 3.2.2.56 Firmware Release Code SIP Boot Version 2.5.2.1010 Background ========== "The 6753i from Aastra offers powerful features and flexibility in a standards based, carrier-grade basic level IP telephone. With a sleek and elegant design and 3 line LCD display, the 6753i is fully interoperable with leading IP Telephony platforms, offering advanced XML capability to access custom applications and support for up to 9 calls simultaneously. Part of the Aastra family of IP telephones, the 6753i is ideally suited for light to regular telephone requirements." Description =========== Aastra downloads its configuration files over TFTP on every reboot. The .tuz format has a simple header and 3DES encrypted payload: Offset | Length | Comment ----------------------------------------------------------------------------- 0 | 16 | Always 55 42 43 7f 80 f8 5c 98 0f fc af 26 9e da 16 8d 16 | 1 | A byte that indicates how many padding bytes are in the | | last 3DES block. The padding consists of zeroes. Typically configuration files are encrypted using the same key. This means that when we compare the encrypted .tuz files from two similarly configured phones we can see where the differences are in the payload. Suppose we have two users, "John Doe" and "Jane Doe", and that the name happens to be aligned exactly to the 64-bit 3DES block. We can now observe that the ciphertext differs only by 64 bits: ... 0007450 7c ce ff 07 05 51 9f b7 0007460 19 40 e0 b1 a0 f4 13 78 -0007470 83 f2 14 f3 8c 4d cb c6 +0007470 6d 57 f6 74 8c fd 4d 39 0007520 c5 34 0e 2a 3b 6b da 1c 0007530 5f 69 fe c3 b8 0f 37 0a ... If we copy this block from John's encrypted configuration file to Jane's configuration file then Jane's phone will suddenly show John's name in its LCD display, SIP traffic and HTTP interface. Now it gets interesting: We can actually copy any 64-bit block to the offset where the name of the user is shown and the phone will happily decrypt it for us! Exploit ======= Available on request. Has decrypted a 4605-byte configuration file in 9 hours (each reboot gives you only 8 bytes and rebooting takes around 60 seconds). When you know the offset of the admin password you can selectively decrypt only that and attack similarly configured phones without having to decrypt complete configuration file. Timeline ======== 2012-02-01 Discovered the vulnerability while adjusting firewall rules to let the phones access TFTP. 2012-02-02 Contacted Aastra via their contact box: http://www.aastra.fi/Yhteydenottolomake.htm 2012-02-03 Contacted Aastra via trixbox forum: http://liveweb.archive.org/http://fonality.com/trixbox/forums/vendor-forums-certified/aastra-endpoints/security-contact-aastra 2012-02-03 Received confirmation from Aastra that the information has been forwarded to the head of engineering. 2012-04-25 Contacted Aastra informed them that details will be disclosed in 2013

IOT TAXONOMY

AFFECTED PRODUCTS

THREAT TYPE

remote

TYPE

information disclosure

EXTERNAL IDS

REFERENCES

CREDITS

Timo Juhani Lindfors

SOURCES

LAST UPDATE DATE

2022-05-17T02:02:35.628000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE