MX60 VoIP Voice Gateway permission Escalation Vulnerability

Tested by: mx60 VoIP Voice Gateway Bug: getting the administrator password to log on to control the entire gateway. Impact scope: no device test is available for users with MX and operators, haha MX60 introduction Figure 1 Brief Description: MX60 is a carrier-level Voice Gateway. The permission settings for managing users are divided into two levels: Administrator and operator. The specific permission is granted to me (figure 2 ). However, the permissions to the operator are not set in place, so we can gain control of the entire gateway. Figure 2 process: under normal circumstances, neither www.2cto.com nor www.2cto.com can log on as an operator, nor can it be used to change the password (without changing permissions, it also makes sense to log on ). But this is different for us. One day, I received a notification asking me to manage the company's voice platform and settings, but I didn't tell me anything about the foundation. I didn't even know anything about the management password. In my heart, that's really unpleasant. The voice platform is said to have been used before and will never be used at any time. I don't know how the lines are connected. I had to look for du Niang and GG. This is really rare. After I flipped through XXOO, I finally got a description document. I wiped it. It seems a little too far away. Let's get the result directly. For details about the process, see the illustration. In this way, everything is done. You can only write it like this. Let's take a look.

Author: Media Security China (wW. w. SiteDirSec. CoM) Management Group