Auerswald VoIP firmware identified with multiple backdoors allowing privilege escalation

One of Auerwalds widely used products exposes two backdoor passwords that will allow threat actors to escalate privileges

30-Dec-2021

3 min read

Auerswald, the German telecommunications hardware manufacturer for voice over Internet Protocol (VoIP), was detected with multiple backdoors. A penetration testing routine carried out by RedTeam revealed two backdoor passwords that allowed attackers with access to the management application to take complete administrative control over the device.

The process begins with downloading the firmware image for COMpact 5500, version 7.8A, from Auerswald's support website. The reverse engineering tool Ghidra is used for decompilation; the analysis revealed a "sub-admin" default user.

ghidra_search_sub_admin_hue090820d0b06928997a537458d5f76ca_21563_640x0_resize_box_2

A certain username was compared to the string "Schandelah." Researchers found this suspicious given that Schandelah is the name of a small village in Northern Germany where Auerswald produces their products.

iVar5 = strcmp((char *)username,"Schandelah");
if (iVar5 == 0) {
  FUN_00287a84(0,&local_94);
  if (local_600 == (undefined4 *)0x0) {
    [...]
  }
  else {
    iVar5 = strcmp((char *)local_600,(char *)&local_94);
    if (iVar5 == 0) {
      [...]
      goto LAB_00015954;
    }
  }
}

For the username Schandelah, a wrapper function FUN_00287a84 references the variable local_94. While examing other parameters where local_600 is used as a password, local_94 was the password for Schandelah. The password was constructed using the following algorithm

Retrieve the serial number of the PBX
Retrieve the current date as a string
Calculate the MD5 hash of serial number + “r2d2” + current date (as DD.MM.YYYY)
Return the first eight characters of the calculated hash

The backdoor password was seven characters of MD5 hash; after calculating the password, researchers could log in successfully.

$ echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}'
1432d89

"Equipped with this password, we then could authenticate successfully. After logging in, the web interface showed a special service page, which allowed, among other functions, to reset the administrator password."

While analyzing CVE-2021-40856, researchers came across CVE-2021-40857 that enables users with limited access to escalate privileges to sub-admin, an attacker can configure the PBX at this level.

Due to severe complications upon exploitation, backdoor passwords are rated as high. Auerswald immediately responded to the report given by RedTeam and published an Advisory in December. The only workaround available is to disable or restrict access to the web-based management interface completely; hence users are advised to upgrade to the newest version as soon as possible.