|
|
|
|
| |
F1000 - "The residential Wi-Fi handset is a revolutionary device that expands the reach of VoIP communications. It provides consumers a new cost effective way to communicate, with great features such as 3-way Calling, Call Waiting, Call Transfer and many popular features."
Multiple security vulnerabilities have been discovered discovered in UTStartcom's Wifi VoIP solution. |
| |
Credit:
The information has been provided by Shawn Merdinger.
|
| |
Vulnerable Systems:
* UTStarcom F1000 VOIP WIFI Phone
* Factory Firmware version 5.5.1. (Kernel: WIND version 2.6. Made on Apr 5 2005, 14:49:39)
Vendor Status:
Vendor notified on 27 June, 2005 via sales@utstarcom.com
UTStarcom F1000 VoIP Wifi phone SNMP daemon:
UTStarcom F1000 VoIP Wifi phone SNMP daemon has default public read credentials and the daemon cannot be disabled. UTstarcom F1000 SNMP daemon default public credentials allows an attacker with access to the phone's SNMP daemon to read the phone's SNMP configuration. This can lead to sensitive information disclosure. In addition, the daemon's read/write credentials cannot be changed, nor can the daemon be disabled via the phone's physical interface (i.e. via keypad input). During testing, the SNMP daemon appeared consistently die when connecting via Snmpwalk, requiring rebooting the phone in order to restore SNMP service.
UTstarcom F1000 VoIP Wifi Phone telnet server:
UTstarcom F1000 VoIP Wifi Phone telnet server has known default user/password credentials. The phone's operating system is Wind River's Vxworks. Default credentials for this OS are publically known to be target/password.
By default, the telnet daemon is listening on the phone (TCP port 23) providing WIFI network access to the phone's OS. Attackers can telnet to the phone and gain access to the phone's Vxworks OS using the known default credentials.
Impact is full access to the Vxworks OS, including debugging, direct memory dumping/injection, read/write device, user and network configuration files, enable/disable/restart services, remote reboot. For a workaround, the default login/password can be changed.
UTstarcom F1000 VoIP Wifi Phone rlogin (TCP/513) unauthenticated access:
The phone's rlogin port TCP/513 is listening by default and requires no authentication. An attacker connecting to the phone via telnet/netcat is dropped into a shell without any login. The shell provides an attacker full access to the Vxworks OS, including debugging, direct memory dumping/injection, read/write device, user and network configuration files, enable/disable/restart services, remote reboot.
There appears to be no workaround as neither the service can be disabled, nor can authentication to rlogin be enabled.
|
|
|
|
|
|
|
|
|
|
