I disclosed today the following vulnerabilities at the 32nd CSI conference in Washington, D.C.

Thanks,
Shawn Merdinger

===============================================================

VENDOR: Hitachi
PRODUCT: Hitachi IP5000 VOIP WIFI Phone
         http://www.wirelessip5000.com/
SOFTWARE VERSION: v1.5.6
VENDOR NOTIFIED: 28 June, 2005
VENDOR RESPONSE: None. However, issues addressed at
         http://www.hitachi-cable.co.jp/ICSFiles/infosystem/security/76659792_e.pdf

A. VULNERABILITY TITLE: Hitachi IP5000 VOIP WIFI Phone handset hardcoded administrator password

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:

1. The Hitachi VOIP WIFI phone handset has a default administrator password of "0000" that the user enters in order to access administrator functions when programming the handset via the physical keys. This password appears to be hardcoded and presents a physical vulnerability. If an attacker can physically access the phone (borrow, phone rental scenario, theft, etc.), the attacker can derive sensitive information and modify the phone's configuration.

There appears to be no workaround for this vulnerability.

B. VULNERABILITY TITLE: Hitachi IP5000 VOIP WIFI phone HTTP server vulnerabilities

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:

The HTTP server (port TCP/8080) on the Hitachi IP5000 phone has two security issues:

1. Improper information disclosure: The HTTP daemon default index page discloses what the device is (Hitachi IP5000 phone), the phone software versions, phone MAC address, IP address and routing information. An attacker can use this to discover quickly what the device is and see if there are any associated vulnerabilities. Also, the disclosure of the phone's routing/gateway information can provide an attacker with information for a DoS attack. An attacker does not need to authenticate to the phone to obtain this information from the index page.

Workaround is to disable the HTTP server via the phone's physical interface or via the HTTP interface.

2. Web server default configuration does not require credentials to authenticate. This allows an attacker to access any of the various configuration pages of the phone, changing the phone configuration, etc.

Workaround is to disable the HTTP server via the phone's physical interface or via the HTTP interface. The phone user may also set a password via the HTTP interface. Note that the password set page does not require the previous password (an attacker could lock out a user if the initial password is not set), nor does it require the new password to be entered twice (to avoid fat-fingering).

C. VULNERABILITY TITLE: Hitachi IP5000 VOIP WIFI Phone SNMP daemon vulnerabilities

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:

1. The Hitachi IP5000 VOIP WIFI phone SNMP v1/v2c daemon allows read/write access to the phone's SNMP configuration using any credentials. An attacker can use this vulnerability to access the phone's SNMP configuration, potentially reading/writing/erasing sensitive information.

There seems to be no workaround, as it appears that the SNMP daemon can neither be disabled nor can the SNMP daemon read/write strings be modified by the phone user.

D. VULNERABILITY TITLE: Hitachi IP5000 VOIP WIFI Phone undocumented port TCP/3390 Unidata Shell

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:

1. The Hitachi IP5000 phone has an undocumented open port, TCP/3390, that provides an unauthenticated attacker access to the Unidata Shell created upon connection. This may allow an attacker to access sensitive information and potentially impact the phone's operations in a DoS.

There appears to be no means to disable this port and service, so no workaround appears possible.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
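Since sections C and D report services the handset owner cannot disable, the practical control is network-side monitoring. As an added example (not part of the advisory), the Python below audits constructed firewall flow records and flags access to the three services named above (TCP/8080 HTTP, UDP/161 SNMP, TCP/3390 Unidata Shell) from any host other than an assumed management station; the handset subnet, management host address and log line format are assumptions.

```python
import re
from dataclasses import dataclass

# Network services called out in the advisory for the Hitachi IP5000 handset.
RISKY_SERVICES = {
    ("tcp", 8080): "HTTP admin interface (no credentials by default)",
    ("udp", 161): "SNMP v1/v2c (any community string accepted)",
    ("tcp", 3390): "undocumented Unidata Shell (unauthenticated)",
}

# Assumptions, not from the advisory: handsets sit in 10.20.30.0/24 and only
# the management host 10.0.0.5 should legitimately reach these services.
HANDSET_PREFIX = "10.20.30."      # simple string-prefix check stands in for a real CIDR match
MANAGEMENT_HOSTS = {"10.0.0.5"}

# Assumed firewall-style record: "... proto=tcp src=A.B.C.D:port dst=E.F.G.H:port"
LOG_RE = re.compile(
    r"proto=(?P<proto>tcp|udp) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    proto: str
    dport: int
    reason: str

def audit_flows(lines):
    """Return one Finding per flow from a non-management host to a risky handset service."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a flow record; ignore
        proto, src, dst, dport = m["proto"], m["src"], m["dst"], int(m["dport"])
        if not dst.startswith(HANDSET_PREFIX) or src in MANAGEMENT_HOSTS:
            continue  # not a handset, or an expected management connection
        reason = RISKY_SERVICES.get((proto, dport))
        if reason:
            findings.append(Finding(src, dst, proto, dport, reason))
    return findings

# Constructed sample records for demonstration; not real captures.
SAMPLE_LOG = [
    "2005-11-02T10:01:03 ALLOW proto=tcp src=10.0.0.5:51000 dst=10.20.30.17:8080",
    "2005-11-02T10:01:09 ALLOW proto=tcp src=10.20.30.44:40122 dst=10.20.30.17:3390",
    "2005-11-02T10:01:15 ALLOW proto=udp src=192.168.1.9:161 dst=10.20.30.17:161",
    "2005-11-02T10:01:20 ALLOW proto=tcp src=10.20.30.44:40130 dst=10.20.30.17:5060",
    "2005-11-02T10:01:25 ALLOW proto=tcp src=10.20.30.44:40131 dst=10.9.9.9:3390",
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {f.reason}")
```

Only the peer-to-handset connection to TCP/3390 and the SNMP request from an unexpected host are reported; the management host's HTTP session and ordinary SIP traffic on 5060 pass.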