AudioCodes VoIP Phones Insufficient Firmware Validation

Authored by Matthias Deeg, Moritz Abrell | Site syss.de

AudioCodes VoIP phones with firmware versions greater than or equal to 3.4.4.1000 validate firmware images using only simple checksum checks for the different firmware components.

advisories | CVE-2023-22955

Advisory ID:               SYSS-2022-055
Product:                   AudioCodes VoIP Phones
Manufacturer:              AudioCodes Ltd.
Affected Version(s):       Firmware Versions >= 3.4.4.1000
Tested Version(s):         Firmware Version 3.4.4.1000
Vulnerability Type:        Missing Immutable Root of Trust in Hardware (CWE-1326)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2022-11-14
Solution Date:             N.A.
Public Disclosure:         2023-08-10
CVE Reference:             CVE-2023-22955
Authors of Advisory:       Matthias Deeg, SySS GmbH
                           Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

AudioCodes VoIP phones are modern desk phones which are used for the
operation in enterprise environments.

The manufacturer describes the product as follows (see [1]):

"The AudioCodes 400HD series of IP phones is a range of easy-to-use,
feature-rich desktop devices for the service provider hosted services,
enterprise IP telephony and contact center markets. Based on the same
advanced, field-proven underlying technology as our other VoIP products,
AudioCodes high quality IP phones enable systems integrators and end
customers to build end-to-end VoIP solutions."

Due to insufficient firmware validation, an attacker can store
malicious firmware on AudioCodes IP phones.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the firmware image and update mechanism of AudioCodes IP
phones, it was identified that parsing and verification of the firmware
image is done by the ELF executable "flasher" which is executed from
the script "run_ramfs_for_upgrade.sh" located at the path
"/home/ipphone/scripts/".

When analyzing the software tool "flasher", SySS found out that the
validation of firmware images only consists of simple checksum checks for
different firmware components.

Thus, by knowing how to calculate and where to store the required checksums
for the "flasher" tool, an attacker is able to store malicious firmware on
AudioCodes IP phones.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An AudioCodes IP phone's firmware image file contains an image header
followed by different sections, e.g.:

 1. Firmware image header
 2. bootloader.img
 3. rootfs.ext4
 4. phone.img
 5. section.map
 6. flasher
 7. release
 8. end.section

Each section starts with the 4 magic bytes "0xBB 0xBB 0xBB 0xBB"
followed by a 4-byte section header size field ("0x60 0x00 0x00 0x00")
and other metadata like length fields and a checksum at the offset
0x50. This checksum is calculated by adding up all bytes of the section
data starting at the section offset 0x60.

As a proof of concept, a manipulated firmware image file was created in
which an additional user with root privileges was added in the
"rootfs.ext4" section. After recalculating the checksum and updating
the section header with its checksum, the manipulated firmware image
could be successfully uploaded and installed on an AudioCodes IP phone.

To automate this task, a simple Python script has been developed to
deal with AudioCodes IP phone firmware images.

The following output exemplarily shows how a modified firmware image
for the AudioCodes IP phone C450HD was updated with correct checksums:

#> python3 audiocodes-firmware-tool.py -i AudioCodes_UCC450HD_3.4.6.604.1.img -u
AudioCodes Firmware Tool v0.3 by Matthias Deeg - SySS GmbH (c) 2022
- ---
Image infos
===========
Hardware: C450HD
Software: UC_3.4.6.604.1
Version: 25 (0x19)
Number of sections: 4
Header length: 112 (0x70)
Checksum: 0x00000877
Calculated checksum: 0x00000877
Attribute: 7 (0x00000007)
Date: 2021-12-13_09:07:38
CE5: 0
- ---
Section name: bootloader.img
Section checksum: 0x0247D1A3
Calculated checksum: 0x0247D1A3
Data size (8-byte aligned): 423992 (0x67838)
Data size : 423992 (0x67838)
- ---
Section name: rootfs.ext4
Section checksum: 0x78EF3E3D
Calculated checksum: 0x78EF3E6D
Data size (8-byte aligned): 134238208 (0x8005000)
Data size : 134238208 (0x8005000)
- ---
[...]
[*] Saved updated firmware image to AudioCodes_UCC450HD_3.4.6.604.1.img.new

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Not yet fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-11-10: Vulnerability discovered
2022-11-14: Vulnerability reported to manufacturer
2022-12-12: Vulnerability confirmed by AudioCodes Ltd.
2023-01-19: AudioCodes Ltd. informs that a solution is planned in 2023
2023-07-13: AudioCodes Ltd. sets solution date to the end of 2023
2023-08-10: Public disclosure at BlackHat USA[4]
2023-08-11: Public disclosure at https://blog.syss.com [5]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] AudioCodes IP Phones Product Website
    https://www.audiocodes.com/solutions-products/products/ip-phones
[2] SySS Security Advisory SYSS-2022-055
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-055.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] BlackHat USA Briefings Session
    https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341
[5] Detailed Blog Post
    https://blog.syss.com/posts/zero-touch-pwn/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg and Moritz Abrell
of SySS GmbH.

E-Mail: [email protected]
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc
Key Fingerprint: D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

E-Mail: [email protected]
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
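
The section layout described in the Proof of Concept, as an added example that is not part of the SySS advisory or its tool: it shows why a byte-sum check detects accidental corruption only, while a digest recorded from a trusted copy rejects any changed image. The 32-bit little-endian checksum field, the single-section buffer, the sample data and the operator-side pinned SHA-256 check are assumptions made for this illustration.

```python
import hashlib
import struct

MAGIC = b"\xbb\xbb\xbb\xbb"  # section magic bytes (from the advisory)
HEADER_SIZE = 0x60           # section header size (from the advisory)
CHECKSUM_OFFSET = 0x50       # checksum field offset (from the advisory)


def additive_checksum(data: bytes) -> int:
    """Sum of all data bytes. The 32-bit truncation is an assumption."""
    return sum(data) & 0xFFFFFFFF


def build_section(data: bytes) -> bytes:
    """Constructed section; little-endian 32-bit fields are an assumption."""
    header = bytearray(HEADER_SIZE)
    header[0:4] = MAGIC
    struct.pack_into("<I", header, 4, HEADER_SIZE)
    struct.pack_into("<I", header, CHECKSUM_OFFSET, additive_checksum(data))
    return bytes(header) + data


def checksum_only_ok(section: bytes) -> bool:
    """Checksum-style validation: magic, header size, byte sum of the data."""
    if len(section) < HEADER_SIZE or section[0:4] != MAGIC:
        return False
    (header_size,) = struct.unpack_from("<I", section, 4)
    if header_size != HEADER_SIZE:
        return False
    (stored,) = struct.unpack_from("<I", section, CHECKSUM_OFFSET)
    return stored == additive_checksum(section[header_size:])


def pinned_digest_ok(section: bytes, known_good_sha256: str) -> bool:
    """Operator-side check against a digest recorded from a trusted copy."""
    return hashlib.sha256(section).hexdigest() == known_good_sha256


# Constructed sample data, not taken from any real firmware image.
original = build_section(b"constructed-section-data-0001")
PINNED = hashlib.sha256(original).hexdigest()
# Same bytes in a different order, header untouched: the byte sum is unchanged.
reordered = original[:HEADER_SIZE] + original[HEADER_SIZE:][::-1]
# Different data with a header rebuilt by someone who knows the layout.
altered = build_section(b"constructed-section-data-0002")

if __name__ == "__main__":
    for name, blob in (("original", original), ("reordered", reordered),
                       ("altered", altered)):
        print(name, checksum_only_ok(blob), pinned_digest_ok(blob, PINNED))
```

A pinned digest only protects the distribution path the operator controls (for example a provisioning server); it does not give the phone itself a way to authenticate an image, which is what the CWE-1326 classification refers to.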