
unidenWeak.txt

Posted Feb 25, 2006
Authored by PAgVac

The Uniden UIP1868P VoIP phone/gateway ships with a default web admin password of "admin", and no username is required to log in.

tags | advisory
SHA-256 | a78386fb85cd6e78792518d85ed37f59213f1019b4262f6d2924ae410421771e

Title: Uniden UIP1868P (VoIP phone/gateway) default easy-to-guess
password vulnerability

Author: pagvac (Adrian Pastor)

Date found: January 2006

Vendor contacted: Yes (no response received)

Description:

By default the web admin interface uses the password "admin" (without
quotation marks). Also, there is *no* username required! *Only* a
password is required! This means that the security of the device
ultimately relies on knowing one string of characters, rather than
two (username/password).

The interesting thing about this device is that it's a VoIP (SIP
based) phone which can be configured as a client as well as a
gateway/router. There is sensitive information which you can obtain
from the admin interface such as the last 10 incoming/outgoing
phonecalls and the IP address/port of the SIP server which the gateway
connects to.

Some useful features include voicemail service and the possibility to
use the gateway from a wireless phone. It supports up to 10 wireless
handsets so you can make your VoIP phonecalls from anywhere in your
room. I haven't actually tested how feasible it would be for an
attacker who could pick up your wifi signal (your neighbor for
instance) to connect to the UIP1868P gateway and make phonecalls at
the victim's expense.

Let's consider the following scenario:

- user owns a UIP1868P VoIP gateway
- user uses a cordless wifi phone which makes phonecalls through the UIP1868P
- user's wifi LAN *isn't* protected with encryption (WEP or WPA for instance)

Some questions to consider are:

- assuming that an attacker can detect the radio waves, could he/she
make phonecalls at the victim's expense using the same wifi cordless
phone model?
- could the attacker do the same thing by using a software client
which would emulate the wifi cordless phone?


The VoIP service for this device is provided by Packet8
(www.packet8.net), which requires users to have a registered account.

The device itself is manufactured by Uniden (www.uniden.com).

I considered the possibility of obtaining the victim's Uniden account
details by saving the configuration file from the web interface of the
UIP1868P gateway and then connecting to the server (the IP address/port
is provided by the web interface, as I said before) using the "stolen"
credentials. However, I didn't find any "save config file" feature
available on the admin interface while performing my tests.

Once admin access to this VoIP phone/gateway is obtained, the device
becomes vulnerable to the same attacks as a regular router would be
after being compromised:

- placing internal hosts (internal IP address can be obtained from
DHCP table) on the DMZ, thus exposing them to the Internet
- setting up port-forwarding to internal hosts
- shutting down/resetting the device (DoS attack)

Either of the first two attacks would make portscanning and exploitation
against internal hosts possible. However, both of these attacks only
apply in cases in which the UIP1868P is being used as a gateway
(Internet router).


References:

http://www.ikwt.com/projects/Uniden.UIP1868P.txt
http://www.google.com/search?q=UIP1868P&num=100
http://www.packet8.net/about/UIP1868PUIguide_final.pdf
http://www.packet8.net/support/faqs/docs/Router_config_guide_final.pdf
http://www.packet8.net/about/UIP1868P_user_manual052405.pdf
http://www.uniden.com/pdf/UIP1868Pug.pdf
http://www.smarthome.com/manuals/9624p_User_Interface_Guide.pdf