Full Disclosure mailing list archives
Clipcomm CP-100E VoIP wireless desktop phone open debug service TCP/60023
From: Shawn Merdinger <shawnmer () gmail com>
Date: Mon, 16 Jan 2006 14:12:18 -0800
I disclosed the following issue at ShmooCon 2006 <http://www.shmoocon.org/> during my "VoIP Wireless Phone Security Analysis" presentation. Thanks, --scm =============================================================== VENDOR: Clipcomm VENDOR NOTIFIED: 7 December, 2005 PRODUCT: Clipcomm CP-100E VoIP 802.11b Wireless Phone http://www.clipcomm.co.kr/down/brochure/CP-100.100D.100P.100E.101.101B.pdf Firmware Version: 1.1.60 VULNERABILITY TITLE: Clipcomm CP-100E VoIP Wireless Phone open debug service TCP/60023 DETAILS, IMPACT AND WORKAROUND: An undocumented port and debug service on TCP/60023 enables an attacker to access without authentication the phone's configuration/debug shell via telnet. The shell access provides the attacker with two levels of access. The first level is the CLIP account that allows general configuration. The second level is the USH shell, accessed from within the CLIP shell, that allows an attacker to enable call tracing and debugging, conduct a factory reset, write to registers, dump memory, etc. There appears to be no means to neither disable this access nor enable authentication. CONTACT INFORMATION: Shawn Merdinger shawnmer () gmail com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Clipcomm CP-100E VoIP wireless desktop phone open debug service TCP/60023 Shawn Merdinger (Jan 16)