
Verizon Voicewing and Linksys PAP2-VN



Product: Verizon Voicewing combined with Linksys PAP2-VN
Reported by: Haavar Valeur
Status: Vendor unwilling to address the problem
Reported: Mar 15, 2006


I found a way to make and receive calls from other Verizon accounts.

The problem is that Verizon publishes encrypted configuration files containing 
the username and password. These files are published through TFTP and HTTP, and 
are publicly readable. A vulnerability is created because the PAP2-VN adapter 
trusts the web server to give it the correct file. The PAP2 adapter accepts and 
decrypts configuration files for other accounts if they are available at the 
URI where the adapter expects to find its configuration file.

The following steps can be taken by anyone with a PAP2-VN adapter to access 
random users' accounts:
1) Create a subnet that you are able to isolate from the Internet
2) Block all TFTP access from the subnet to the Internet. This will make the 
adapter fail over to HTTP (I did not bother to set up a TFTP server). 
3) Redirect all HTTP requests made from the subnet to a web server you control 
(possible with e.g. iptables)
4) Connect the PAP2 adapter to the subnet and wait for the adapter to try to 
get the config file.
5) Look in the web server access log or tcpdump to find what URL the PAP2 tries 
to access on the web server
6) The URL should contain the MAC address of the PAP2. Try finding another 
valid MAC by changing one of the least significant digits, and download the 
file from Verizon's web server.
7) Rename the file you downloaded to the filename the PAP2 tried to access and 
put it on the web server so the PAP2 will download this file.
8) The PAP2 will download and decrypt this file containing the account 
information of the other user and connect to the SIP server.
9) Now you can make and receive calls from another account

This has been tested on a PAP2-VN with firmware v2.0.10 and Verizon Voicewing, but 
could apply to other vendors using this adapter.
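
The root cause above is that a configuration file is valid on any adapter, whatever URI it is fetched from. The following is an added example, not part of the original report and not Verizon's or Linksys's code or file format: it contrasts that behaviour with a file sealed under a key derived from the target unit's MAC address, so a unit rejects a file issued for another unit. The keys, MAC addresses, the 32-byte tag layout and the idea of a per-device key installed at manufacture are assumptions, and only authentication is shown because the Python standard library has no cipher.

```python
import hashlib
import hmac

# Constructed values for illustration only; not real keys or a real format.
MASTER_KEY = b"constructed-provisioning-master-key"
SHARED_KEY = b"constructed-key-shared-by-all-units"

def normalize_mac(mac: str) -> bytes:
    """Canonical form of a MAC address: 12 lowercase hex digits."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits.encode()

def device_key(mac: str) -> bytes:
    """Per-device key; assumed to be installed in the unit at manufacture."""
    return hmac.new(MASTER_KEY, normalize_mac(mac), hashlib.sha256).digest()

def seal(profile: bytes, key: bytes) -> bytes:
    """Provisioning server side: prepend an HMAC-SHA256 tag to the profile."""
    return hmac.new(key, profile, hashlib.sha256).digest() + profile

def open_sealed(blob: bytes, key: bytes):
    """Device side: return the profile if the tag verifies, else None."""
    tag, profile = blob[:32], blob[32:]
    expected = hmac.new(key, profile, hashlib.sha256).digest()
    return profile if hmac.compare_digest(tag, expected) else None

def accepts_shared(blob: bytes) -> bool:
    """Modelled weak case (assumption): one key common to every unit."""
    return open_sealed(blob, SHARED_KEY) is not None

def accepts_bound(blob: bytes, own_mac: str) -> bool:
    """Hardened case: the unit accepts only a file sealed for its own MAC."""
    return open_sealed(blob, device_key(own_mac)) is not None
```

With a shared key every unit accepts every published file; with the bound key, a file sealed for one MAC fails verification on a unit with any other MAC, regardless of the filename it is served under.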