29C3 - Version 1.9


Ang Cui
Michael Costello
Day Day 1 - 2012-12-27
Room Saal 1
Start time 23:00
Duration 01:00
ID 5400
Event type Lecture
Language used for presentation English

Hacking Cisco Phones

Just because you are paranoid doesn't mean your phone isn't listening to everything you say

We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year's presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers and vice versa.

We present the hardware and software reverse-engineering process which led to the discovery of the vulnerabilities described below. We also present methods of exploiting the following vulnerabilities remotely.

Cisco PSIRT has assigned CVE Identifier CVE-2012-5445 to this issue.

The issue is being disclosed via a Release Note Enclosure per the Cisco Vulnerability Policy. The Vulnerability Policy can be found at the following location: http://www.cisco.com/en/US/products/productssecurityvulnerability_policy.html

I have included the contents of the Release Note Enclosure (RNE) that will be available via the Cisco Bug Search tool bellow.

Cisco PSIRT appreciates you reporting this issue in a responsible manner and working with us to remediate the issue. We look forward to your next report.

<Begin RNE Text>

Symptoms: Cisco Unified IP Phone 7900 series devices also referred to as Cisco TNP Phones contain an input validation vulnerability. A local, authenticated attacker with the ability to place a malicious binary on the phone could leverage this issue to elevate their privileges or take complete control of the device.

The issue is due to a failure to properly validate certain system calls made to the kernel of the device. This failure could allow the attacker to overwrite arbitrary portions of user or kernel space memory.

The following Cisco Unified IP Phone devices are affected: Cisco Unified IP Phone 7975G Cisco Unified IP Phone 7971G-GE Cisco Unified IP Phone 7970G Cisco Unified IP Phone 7965G Cisco Unified IP Phone 7962G Cisco Unified IP Phone 7961G Cisco Unified IP Phone 7961G-GE Cisco Unified IP Phone 7945G Cisco Unified IP Phone 7942G Cisco Unified IP Phone 7941G Cisco Unified IP Phone 7941G-GE Cisco Unified IP Phone 7931G Cisco Unified IP Phone 7911G Cisco Unified IP Phone 7906

The following models have reached end-of-life (EOL) status (for hardware only): Cisco Unified IP Phone 7971G-GE Cisco Unified IP Phone 7970G Cisco Unified IP Phone 7961G Cisco Unified IP Phone 7961G-GE Cisco Unified IP Phone 7941G Cisco Unified IP Phone 7941G-GE Cisco Unified IP Phone 7906

Refer to the following link to determine what product upgrade and substitution options are available: http://www.cisco.com/en/US/products/hw/phones/ps379/prodeolnotices_list.html

Conditions: Cisco Unified IP Phones within the 7900 Series running a version of Cisco IP Phone software prior to 9.3.1-ES10 are affected. The fixed software release is expected to be available for customers mid-to-late November 2012.

Workaround: Restrict SSH and CLI access to trusted users only. Administrators may consider leveraging 802.1x device authentication to prevent unauthorized devices or systems from accessing the voice network.

Further Problem Description: This issue was reported to Cisco PSIRT by Ang Cui of Columbia University. Cisco PSIRT would like to thank Ang and his staff for working with Cisco to resolve this issue.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5445 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/productssecurityvulnerability_policy.html

<End RNE Text>

Archived page - Impressum/Datenschutz