Aastra IP telephone encrypted .tuz configuration file leakage ------------------------------------------------------------- Affected products ================= Aastra 6753i IP Telephone Firmware Version 3.2.2.56 Firmware Release Code SIP Boot Version 2.5.2.1010 Background ========== "The 6753i from Aastra offers powerful features and flexibility in a standards based, carrier-grade basic level IP telephone. With a sleek and elegant design and 3 line LCD display, the 6753i is fully interoperable with leading IP Telephony platforms, offering advanced XML capability to access custom applications and support for up to 9 calls simultaneously. Part of the Aastra family of IP telephones, the 6753i is ideally suited for light to regular telephone requirements." Description =========== Aastra downloads its configuration files over TFTP on every reboot. Since the configuration files often contain SIP account usernames and passwords they are typically offered only in the encrypted .tuz format. The .tuz format has a simple header and 3DES encrypted payload: Offset | Length | Comment ----------------------------------------------------------------------------- 0 | 16 | Always 55 42 43 7f 80 f8 5c 98 0f fc af 26 9e da 16 8d 16 | 1 | A byte that indicates how many padding bytes are in the | | last 3DES block. The padding consists of zeroes. 17 | 16 | 3DES encrypted string "Tuzo v1.3 rev1 " 33 | 8*N | 3DES encrypted payload Aastra uses a slightly modified (no initial or final permutations) 3DES algorithm in ECB mode. Typically configuration files are encrypted using the same key. This means that when we compare the encrypted .tuz files from two similarly configured phones we can see where the differences are in the payload. Suppose we have two users, "John Doe" and "Jane Doe", and that the name happens to be aligned exactly to the 64-bit 3DES block. We can now observe that the ciphertext differs only by 64 bits: ... 0007450 7c ce ff 07 05 51 9f b7 0007460 19 40 e0 b1 a0 f4 13 78 -0007470 83 f2 14 f3 8c 4d cb c6 +0007470 6d 57 f6 74 8c fd 4d 39 0007520 c5 34 0e 2a 3b 6b da 1c 0007530 5f 69 fe c3 b8 0f 37 0a ... If we copy this block from John's encrypted configuration file to Jane's configuration file then Jane's phone will suddenly show John's name in its LCD display, SIP traffic and HTTP interface. Now it gets interesting: We can actually copy any 64-bit block to the offset where the name of the user is shown and the phone will happily decrypt it for us! Exploit ======= Available on request. Has decrypted a 4605-byte configuration file in 9 hours (each reboot gives you only 8 bytes and rebooting takes around 60 seconds). When you know the offset of the admin password you can selectively decrypt only that and attack similarly configured phones without having to decrypt complete configuration file. Timeline ======== 2012-02-01 Discovered the vulnerability while adjusting firewall rules to let the phones access TFTP. 2012-02-02 Contacted Aastra via their contact box: http://www.aastra.fi/Yhteydenottolomake.htm 2012-02-03 Contacted Aastra via trixbox forum: http://liveweb.archive.org/http://fonality.com/trixbox/forums/vendor-forums-certified/aastra-endpoints/security-contact-aastra 2012-02-03 Received confirmation from Aastra that the information has been forwarded to the head of engineering. 2012-04-25 Contacted Aastra informed them that details will be disclosed in 2013.