Aastra IP Phone Web Interface Data Diclosure Vulnerability

vendor:

IP Phone

by:

Pr0T3cT10n

7.5

CVSS

HIGH

Data Disclosure

200

CWE

Product Name: IP Phone

Affected Version From: 9480i

Affected Version To: 9480i

Patch Exists: NO

Related CWE: None

CPE: a:aastra:ip_phone

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2011

Aastra IP Phone Web Interface Data Diclosure Vulnerability

The data disclosure vulnerability found in the section of 'Global SIP' / 'Line 1' of 'Aastra IP Phone' software. The vulnerability allows the attacker to disclosure the password of the username for the phone line that connected. To exploit the vulnerability and dicluse the data we need to access to the 'Aastra IP Phone' by this url 'http://address/globalSIPsettings.html'. Or to the following address 'http://address/SIPsettingsLine1.html', we have Caller ID, Authentication Name, and Password.. Then we can see in the source code by the field 'password' and then we see the magic! thats is the password for the username by the sip server. Now if we already have the sip server, username a password we can use it to connect to the sip server and make calls.

Mitigation:

Ensure that the web interface of the Aastra IP Phone is password protected and that only authorized users are allowed to access it.

Source

Exploit-DB raw data:

#     _             ____  __            __    ___
#    (_)____ _   __/ __ \/ /_____  ____/ /  _/_/ |
#   / // __ \ | / / / / / //_/ _ \/ __  /  / / / /
#  / // / / / |/ / /_/ / ,< /  __/ /_/ /  / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/  / /_/_/ 
#                   Live by the byte     |_/_/ 
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
# Aastra IP Phone is vulnerable for a data disclosure, the following will explain you how to read the password..
# The vulnerabilitu allows an unprivileged attacker to read the sip details including password.
# The vulnerablities are in:
# * DATA DISCLOSURE - Password disclosure: http://127.0.0.1/globalSIPsettings.html
# * DATA DISCLOSURE - Password disclosure: http://127.0.0.1/SIPsettingsLine1.html
#-----------------------------------
# Vulnerability Title: Aastra IP Phone Web Interface Data Diclosure Vulnerability
# Date: 08/06/2011
# Author: Pr0T3cT10n
# Website Link: http://www.aastra.com
# Tested on Version: 9480i
# ISRAEL
###
###### NOTE: The aastra ip phone software is also vulnerability for unauthorized person to access the web interface.
###### It happen because there is no password thats protects the interface.
## DATA DISCLOSURE:
# The data disclosure vulnerability found in the section of 'Global SIP' / 'Line 1' of 'Aastra IP Phone' software.
# The vulnerability allows the attacker to disclosure the password of the username for the phone line that connected.
# To exploit the vulnerability and dicluse the data we need to access to the 'Aastra IP Phone' by this url 'http://address/globalSIPsettings.html'.
# Or to the following address 'http://address/SIPsettingsLine1.html', we have Caller ID, Authentication Name,  and Password..
# Then we can see in the source code by the field 'password' and then we see the magic! thats is the password for the username by the sip server.
# Now if we already have the sip server, username and password so we can connect to it with any softphone and make our calls.
##
# Yours, Pr0T3cT10n..