Condorlab

Grandstream HT800 series Provisioning Command Injection


Advisory ID: RSN-SIP-1661



Vulnerability Information

Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to an OS command injection vulnerability. Unauthenticated remote attackers can execute arbitrary commands as root by crafting a special configuration file and sending a crafted SIP message.


Technical Information

The HT800 series is vulnerable to command injection via the configuration file when P240 is set to 1 and P2 (password) contains shell metacharacters. For example: P2=telnetd%24{IFS}-l/bin/sh.

An unauthenticated remote attacker could trigger this injection via an x-gs-ucm-url SIP message. We created a proof of concept called sip_provision_exploit.py that starts a root bindshell on port 23.
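As an added illustration (not code from this advisory, from Tenable or from Grandstream), the following Python check scans a provisioning file for the condition described above: P240 enabled together with a P2 value that, once URL-decoded, contains shell metacharacters such as the `${IFS}` sequence. It assumes the plaintext `Pnnn=value` configuration format; both sample configs are constructed.

```python
import re
from urllib.parse import unquote

# Characters that let a value break out of a shell command once it is
# interpolated unquoted; '$' also covers the ${IFS} whitespace substitute.
SHELL_META = re.compile(r'[;&|`$(){}<>\\\n]')


def parse_pvalues(text):
    """Parse 'Pnnn=value' lines (assumed plaintext format) into a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        values[key.strip()] = value
    return values


def find_injection_risks(text):
    """Return (key, decoded_value) for every value that still holds shell
    metacharacters after URL-decoding (e.g. %24 -> '$')."""
    risks = []
    for key, raw in parse_pvalues(text).items():
        decoded = unquote(raw)
        if SHELL_META.search(decoded):
            risks.append((key, decoded))
    return risks


def matches_advisory_condition(text):
    """True when the advisory's two preconditions coincide: P240 set to 1
    and a P2 (password) value carrying shell metacharacters."""
    values = parse_pvalues(text)
    p2_risky = any(k == 'P2' for k, _ in find_injection_risks(text))
    return values.get('P240') == '1' and p2_risky


# Constructed samples: a benign config and one shaped like the advisory's P2.
SAFE_CFG = "P2=hunter2\nP240=0\n"
BAD_CFG = "P240=1\nP2=telnetd%24{IFS}-l/bin/sh\n"
```

A legitimate password may contain `$` or `&`, so treat a hit as a review flag rather than proof of tampering.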


Solutions

The UCTM solution from RedShift Networks provides the industry's first complete security solution developed to secure VoIP networks, endpoints and applications. Its research team, Condor-Labs.com, is constantly looking for new attack patterns, advanced penetration testing methods and vulnerability identification, and deploys new signatures for subscribed clients. For more information visit www.redshiftnetworks.com


External Resources

https://www.tenable.com/security/research/tra-2020-47


Common Vulnerabilities and Exposures (CVE)

https://nvd.nist.gov/vuln/detail/CVE-2020-5760