Trustwave has revealed a remotely exploitable vulnerability in the Telnet administrative interface of numerous Chinese-made DblTek GSM VoIP telephony boxes.
According to Dr Neil Kettle and John Anderson, both of whom are principal consultants with SpiderLabs at Trustwave, the vulnerability permits a remote attacker to gain a shell with root privileges on the affected device due to a vendor backdoor in the authentication procedure.
The Telnet interface of the GoIP is documented as providing information for users of the device through the use of logins "ctlcmd" and "limitsh".
Both of these logins provide limited information about the device, and are accessed using the user-configured administrator password. However, an additional undocumented user, namely "dbladm", is present, which provides root-level shell access on the device.
Instead of a traditional password, this account is protected by a proprietary challenge-response authentication scheme.
Confirmed affected versions are GoIP 1, 4, 8, 16 and 32 (which are essentially the same device, with 1 and 32 lines respectively).
The researchers said it is hard to confirm exact numbers, but added: "we're probably talking hundreds of thousands of affected devices here, especially as they're a big Shenzhen-based mass producer."
Trustwave confirmed to SC Media UK: “Most of their other devices they manufacture seem to have the same login binary in their firmware images, but we haven't been able to confirm this for sure. We're reasonably confident it will be a consistent feature across their product ranges.”
Explaining the vulnerability, the researchers said: “The simplest form of challenge-response protocol is that of a password authentication scheme, in this case, the challenge is asking for the password and the only valid response is the correct password.”
They added: “However, more advanced challenge-response schemes attempt to obscure the secret (password in the above) in order to guard against network interception and replay attacks. The DblTek device in question implements a proprietary challenge-response scheme.”
Investigation has shown the scheme to be fundamentally flawed: a remote user needs no secret at all, only the challenge itself and knowledge of the protocol and its computation.
The issue was reported to DblTek, and a patched version of the firmware was produced and distributed on 22/12/2016. Verification of the patched version reveals that the challenge-response mechanism is still present in the latest version, albeit a little more complex.
Trustwave said: “It seems DblTek engineers did not understand that the issue is the presence of a flawed challenge-response mechanism and not the difficulty of reverse engineering it.” The firm concluded: “The main difference between the latest challenge-response mechanism and the older variant is the level of complexity it employs: a simplistic MD5 with a linear equation changed to several ‘round’ functions mixed with a modified version of the MD5 hash algorithm.”
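As an added illustration of the point made above (constructed for this article; this is not DblTek's or Trustwave's code, and the hash-and-mixing functions are invented stand-ins, not the device's real algorithm), the Python below contrasts two toy keyless challenge-response functions, one simple and one with extra rounds, against an HMAC-keyed one. An adversary who knows only the protocol passes both keyless variants but not the keyed one, which is exactly the difference between complexity and secrecy.

```python
import hashlib
import hmac
import os

# Constructed toy schemes (not DblTek's actual algorithm). Both derive the
# response from the challenge alone, so anyone who knows the function can answer.
def keyless_v1(challenge: bytes) -> bytes:
    """'Hash plus linear equation' style: MD5, then an affine byte map."""
    digest = hashlib.md5(challenge).digest()
    return bytes((3 * b + 7) % 256 for b in digest)

def keyless_v2(challenge: bytes, rounds: int = 8) -> bytes:
    """'More complex' variant: several rounds of re-hashing and byte rotation.
    Harder to reverse engineer, but still takes no secret input."""
    state = challenge
    for i in range(rounds):
        state = hashlib.md5(state + bytes([i])).digest()
        state = bytes(((b << 1) | (b >> 7)) & 0xFF for b in state)
    return state

def keyed(secret: bytes, challenge: bytes) -> bytes:
    """Sound design: the response depends on a per-device secret the verifier holds."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Verifier:
    """Device side: issues a random challenge and checks the response."""
    def __init__(self, expected_fn):
        self.expected_fn = expected_fn  # maps challenge -> expected response
        self.last = None
    def challenge(self) -> bytes:
        self.last = os.urandom(16)
        return self.last
    def verify(self, response: bytes) -> bool:
        return hmac.compare_digest(self.expected_fn(self.last), response)

def knows_only_protocol(verifier: Verifier, public_fn) -> bool:
    """Adversary model from the write-up: sees the challenge and knows the
    computation, but holds no secret. Returns True if the device accepts."""
    c = verifier.challenge()
    return verifier.verify(public_fn(c))

def demo() -> dict:
    secret = os.urandom(32)  # known only to the verifier
    return {
        "keyless_v1_accepted": knows_only_protocol(Verifier(keyless_v1), keyless_v1),
        "keyless_v2_accepted": knows_only_protocol(Verifier(keyless_v2), keyless_v2),
        # Best effort without the secret: run the same HMAC with a guessed key.
        "keyed_accepted": knows_only_protocol(
            Verifier(lambda c: keyed(secret, c)), lambda c: keyed(b"guess", c)),
    }
```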
Trustwave provided a timeline of events to SC:
Revision History from the disclosure:
10/13/2016 - Attempt to contact vendor
11/01/2016 - Attempt to contact vendor
11/14/2016 - Attempt to contact vendor
12/02/2016 - Attempt to contact vendor
12/05/2016 - Finding disclosed to vendor
12/21/2016 - Vendor releases firmware update (GST1610-1.01-58.pkg)
12/28/2016 - Vendor contacted about firmware not fully addressing vulnerability
01/12/2017 - Attempt to receive update from vendor
01/24/2017 - Attempt to receive update from vendor
01/27/2017 - Vendor non-responsive for 30 days