Obihai Technology recently patched vulnerabilities in its ObiPhone IP phones that could have led to memory corruption, buffer overflow, and denial of service conditions, among other outcomes. The California-based company manufactures IP-enabled phones and VOIP telephone adapters it calls OBi devices. David Tomaschik, a member of Google’s security team, discovered the issues in ObiPhone during a black box security assessment earlier this spring. It only took a few weeks for the company to rectify the vulnerabilities; the bugs were brought to Obihai’s attention on May 12 and the company began working on patches on May 20, before it pushed new firmware live in June.
It wasn’t until late last week that Tomaschik was able to publicly disclose the issues. The bugs were found in the web management interface of Obihai’s ObiPhone products and disclosed in a post to the Full Disclosure mailing list. One of the more troubling bugs is a command injection vulnerability in the device’s WiFi configuration: an authenticated user could exploit it to get telnet access to the phone as user “root” without a password, according to Tomaschik. Two other issues, one stemming from invalid Content-Length headers and another from a buffer overflow, could result in a denial of service condition, causing the device to crash and reboot, the engineer said.

All portions of the phone’s web interface fail to protect against cross-site request forgery (CSRF), Tomaschik said. On its own, that lets any web page a logged-in user happens to visit submit configuration changes to the phone; chained with the WiFi command injection, it lets a remote attacker run commands on the phone as root. “Combined with the command injection vector in ObiPhone-3 [the WiFi configuration command injection] this would allow a remote attacker to execute arbitrary shell commands on the phone, provided the current browser session was logged-in to the phone,” Tomaschik warns.

The device also fails to correctly implement RFC 2617 (HTTP Basic and Digest Access Authentication), according to the engineer. The phone advertises Digest authentication but does not verify the URI in the Authorization header against the request target, does not check that the nonce is one it issued, and does not check the nonce count (nc) value. In effect, a captured Authorization header can be replayed, which defeats the replay protection Digest authentication is supposed to add over Basic authentication.

Users, if they haven’t already, are being encouraged by the company and Tomaschik alike to upgrade their devices to firmware 5-0-0-3497 (5.0.0 build 3497) or newer to address the vulnerabilities. Users can either download the update manually or, in some cases, receive it via the automated update process or the touch-tone phone update process, according to a forum post the company maintains on firmware updates for OBi devices.
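To make the RFC 2617 point concrete, here is an added example (not the phone’s firmware and not Tomaschik’s code) of a minimal server-side Digest verifier in Python that performs the three checks the article says the phone skips: the `uri` field must match the actual request target, the nonce must be one the server issued, and the nonce count must strictly increase. The realm name, the credential store and the request headers are constructed for the demo, not taken from the device.

```python
import hashlib
import hmac
import os
import re
import time

# Constructed demo credential store; a real device would hold a password hash.
USERS = {"admin": "admin-password"}
REALM = "ObiPhone"  # assumed realm name for the demo, not the device's real one

# key="quoted value"  or  key=token
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest_header(header):
    """Turn 'Digest username="admin", realm="x", nc=00000001, ...' into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {key: quoted or token for key, quoted, token in _FIELD_RE.findall(params)}


def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: remembers every nonce it issued and the last nc seen for it."""

    def __init__(self, users, nonce_ttl=300):
        self.users = users
        self.nonce_ttl = nonce_ttl
        self.nonces = {}  # nonce -> [issued_at, last_nc]

    def issue_nonce(self):
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = [time.time(), 0]
        return nonce

    def verify(self, method, request_uri, header):
        """Return (ok, reason). request_uri comes from the request line,
        never from the Authorization header itself."""
        try:
            f = parse_digest_header(header)
        except ValueError as exc:
            return False, str(exc)
        for key in ("username", "realm", "nonce", "uri", "nc", "cnonce", "qop", "response"):
            if key not in f:
                return False, f"missing {key}"
        if f["realm"] != REALM or f["username"] not in self.users:
            return False, "unknown realm or user"
        if f["qop"] != "auth":
            return False, "unsupported qop"
        # 1. The nonce must be one this server issued and still be fresh.
        entry = self.nonces.get(f["nonce"])
        if entry is None:
            return False, "nonce not issued by this server"
        issued_at, last_nc = entry
        if time.time() - issued_at > self.nonce_ttl:
            del self.nonces[f["nonce"]]
            return False, "nonce expired"
        # 2. The uri field must match the page actually being requested, or a
        #    header captured for one page can be replayed against another.
        if f["uri"] != request_uri:
            return False, "uri field does not match request target"
        # 3. nc must strictly increase; a replayed header reuses the old value.
        try:
            nc_val = int(f["nc"], 16)
        except ValueError:
            return False, "malformed nc"
        if nc_val <= last_nc:
            return False, "nonce count reused (replay)"
        # 4. Only now compare the response hash, in constant time.
        expected = digest_response(f["username"], self.users[f["username"]],
                                   method, request_uri, f["nonce"], f["nc"],
                                   f["cnonce"], f["qop"])
        if not hmac.compare_digest(expected, f["response"]):
            return False, "bad response digest"
        entry[1] = nc_val
        return True, "ok"


def build_header(username, password, method, uri, nonce, nc, cnonce):
    """Client side: the Authorization header a browser would send (demo helper)."""
    resp = digest_response(username, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def demo():
    """One legitimate request, then three misuses of the same captured header."""
    v = DigestVerifier(USERS)
    nonce = v.issue_nonce()
    hdr = build_header("admin", "admin-password", "GET", "/wifi.htm", nonce, "00000001", "abc123")
    first = v.verify("GET", "/wifi.htm", hdr)                          # accepted
    replay = v.verify("GET", "/wifi.htm", hdr)                         # same nc again
    other_uri = v.verify("GET", "/admin.htm", hdr)                     # captured header, other page
    forged = v.verify("GET", "/wifi.htm", hdr.replace(nonce, "f" * 32))  # nonce never issued
    return first[0], replay[0], other_uri[0], forged[0]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: a verifier that recomputes HA2 from the client-supplied `uri` field and never looks at its own nonce table will accept all three of the bad requests in `demo()`, because the response hash is internally consistent with whatever the attacker captured. Checking the hash alone is not enough; the nonce and nc bookkeeping are what turn Digest into more than a reusable password equivalent.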