Verizon Voicewing and Linksys PAP2-VN
Product: Verizon Voicewing combined with Linksys PAP2-VN
Reported by: Haavar Valeur
Status: Vendor unwilling to address the problem
Reported: Mar 15, 2006
I found a way to make and receive calls from other Verizon accounts.
The problem is that Verizon publishes encrypted configuration files containing
the username and password. These files are published through TFTP and HTTP, and
are publicly readable. A vulnerability is created because the PAP2-VN adapter
trusts the web server to give it the correct file. The PAP2 adapter accepts and
decrypts configuration files for other accounts if they are available at the
URI where the adapter expects to find its configuration file.
The following steps can be followed by anyone with a PAP2-VN adapter to access
random users' accounts:
1) Create a subnet that you are able to isolate from the internet
2) Block all TFTP access from the subnet to the Internet. This will make the
adapter fail over to HTTP (I did not bother to set up a TFTP server).
3) Redirect all HTTP requests made from the subnet to a web server you control
(possible with e.g. iptables)
4) Connect the PAP2 adapter to the subnet and wait for the adapter to try to
get the config file.
5) Look in the web server access log or tcpdump to find what URL the PAP2 tries
to access on the web server
6) The URL should contain the MAC address of the PAP2. Try finding another
valid MAC by changing one of the least significant digits, and download the
file from Verizon's web server.
7) Rename the file you downloaded to the filename the PAP2 tried to access and
put it on the web server so the PAP2 will download this file.
8) The PAP2 will download and decrypt this file containing the account
information of the other user and connect to the SIP server.
9) Now you can make and receive calls from another account
This has been tested with a PAP2-VN with firmware v2.0.10 and Verizon Voicewing,
but could apply to other vendors using this adapter.
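
The root cause described above is that the adapter accepts any configuration
file served at its URL. The following sketch shows one way to close that gap;
it is an added example, not code from Verizon, Linksys or the original report.
It assumes each adapter holds a per-device secret; the function names and the
file layout are hypothetical, and only the binding check is shown (the
encryption layer is omitted).

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output size


def normalize_mac(mac: str) -> bytes:
    """Canonical form: 12 lowercase hex digits, no separators."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits.encode("ascii")


def seal_config(device_key: bytes, mac: str, config: bytes) -> bytes:
    """Provisioning side: bind the config to one adapter's MAC and key."""
    body = normalize_mac(mac) + b"\n" + config
    return hmac.new(device_key, body, hashlib.sha256).digest() + body


def open_config(device_key: bytes, own_mac: str, blob: bytes) -> bytes:
    """Adapter side: return the config only if it was sealed for this adapter."""
    if len(blob) < TAG_LEN + 13:  # tag + 12 MAC digits + newline
        raise ValueError("config file too short")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(device_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("config not authenticated for this adapter")
    mac_field, sep, config = body.partition(b"\n")
    if sep != b"\n" or mac_field != normalize_mac(own_mac):
        raise PermissionError("config was issued to a different adapter")
    return config


if __name__ == "__main__":
    # Constructed sample data: two adapters with adjacent MACs and their own keys.
    key_a, key_b = b"A" * 32, b"B" * 32
    mac_a, mac_b = "00:11:22:33:44:55", "00:11:22:33:44:56"
    file_b = seal_config(key_b, mac_b, b"user=bob;password=constructed")
    print(open_config(key_b, mac_b, file_b))
    try:
        open_config(key_a, mac_a, file_b)  # adapter A is served B's file
    except PermissionError as err:
        print("rejected:", err)
```

With this check, a file renamed to another adapter's filename fails either the
tag comparison or the embedded MAC comparison before any account data is used.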