UTstarcom F1000 VoIP Wifi phone multiple vulnerabilities

[Shawn Merdinger <shawnmer () gmail com>]

I disclosed today the following vulnerabilities at the 32nd CSI
conference in Washington, D.C.
<https://www.cmpevents.com/CSI32/a.asp?option=G&V=3&id=406438>

Thanks,
Shawn Merdinger
===============================================================

VENDOR:
UTStarcom

VENDOR NOTIFIED:
27 June, 2005 via sales () utstarcom com

VENDOR RESPONSE:
None

PRODUCT:
UTStarcom F1000 VOIP WIFI Phone
http://www.utstar.com/Solutions/Handsets/WiFi/

SOFTWARE VERSION:
s2.0
VxWorks (for Hornet VoWifi, ARM946ES (LE)
Factory Firmware) version 5.5.1.
Kernel: WIND version 2.6.
Made on Apr 5 2005, 14:49:39.

A.  VULNERABILITY TITLE:
UTStarcom F1000 VoIP Wifi phone SNMP daemon has default public read
credentials and the daemon cannot be disabled

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
UTstarcom F1000 SNMP daemon default public credentials allows an
attacker with access to the phone's SNMP daemon to read the phone's
SNMP configuration. This can lead to sensitive information disclosure.
In addition, the daemon's read/write credentials cannot be changed,
nor can the daemon be disabled via the phone's physical interface
(i.e. via keypad input). During testing, the SNMP daemon appeared
consistently die when connecting via Snmpwalk, requiring rebooting the
phone in order to restore SNMP service.

B. VULNERABILITY TITLE:
UTstarcom F1000 VoIP Wifi Phone telnet server has known default
user/password credentials

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The phone's operating system is Wind River's Vxworks. Default
credentials for this OS are publically known to be target/password.

By default, the telnet deamon is listening on the phone (TCP port 23)
providing WIFI network access to the phone's OS. Attackers can telnet
to the phone and gain access to the phone's Vxworks OS using the known
default credentials.

Impact is full access to the Vxworks OS, including debugging, direct
memory dumping/injection, read/write device, user and network
configuration files, enable/disable/restart services, remote reboot. 
For a workaround, the default login/password can be changed.

C. VULNERABILITY TITLE:
UTstarcom F1000 VoIP Wifi Phone rlogin (TCP/513) unauthenticated access

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The phone's rlogin port TCP/513 is listening by default and requires
no authentication.  An attacker connecting to the phone via
telnet/netcat is dropped into a shell without any login.  The shell
provides an attacker full access to the Vxworks OS, including
debugging, direct memory dumping/injection, read/write device, user
and network configuration files, enable/disable/restart services,
remote reboot.

There appears to be no workaround as neither the service can be
disabled, nor can authentication to rlogin be enabled.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/