CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.
Vulnerability details
The following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities – Cisco) details CVE-2023-20078 and CVE-2023-20079. This vulnerability affects Cisco 6800, 7800 and 8800 Series IP Phones with Multiplatform Firmware Release earlier than 11.3.7SR1. The details section for CVE-2023-20078 describes the vulnerability as: “A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800 and 8800 Series Multiplatform Phones could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges.” As with many vulnerability disclosures, the information on how the vulnerability is triggered is limited to: “This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device.” Cisco assigned bug number CSCwc78400 to this vulnerability. CVE-2023-20078 is assigned a CVSS Base Score of 9.8.
Official fix
The previously mentioned Cisco Security Advisory explicitly states Cisco has released software updates that address CVE-2023-20078 and CVE-2023-20079 and that there are no workarounds available. Cisco specifically addresses these vulnerabilities in a follow-on firmware: Firmware Version 11.3(7)SR1.
Testing hardware
Testing was conducted on a Cisco IP Phone 6841 with Multiplatform Firmware version 11.3.7 installed. I managed to secure an unboxed phone from eBay on the cheap. You may find a datasheet on this device here: (Cisco IP Phone 6800 Series with Multiplatform Phone Firmware Data Sheet – Cisco).
What is multiplatform firmware?
An important detail regarding this vulnerability is it’s limited to Cisco 6800, 7800 and 8800 Series IP Phones which are running a vulnerable release of Cisco Multiplatform Firmware. Knowing little about IP Phones and the Cisco product line, this detail raises the question, “What is Multiplatform Firmware?”. Cisco describes Multiplatform Firmware (MPP) stating “The MPP line is designed for Webex Calling and compatible with third-party platforms, allowing you to deploy it your way.” (Cisco IP Phones with Multiplatform Firmware (MPP) – Cisco). Based upon this description, it appears MPP provides hardware support for an alternative to the IP call agent you may be familiar with: Cisco Unified Communications Manager (CUCM).
Release notes analysis
The following link (Cisco IP Phone 6800 Series Multiplatform Phones Release Notes for Firmware Release 11.3(7)SR1 – Cisco) includes the release notes for the patched firmware. This Release Notes document contains a resolved-bugs table, which lists the bug number for CVE-2023-20078, CSCwc78400. Its description narrows our focus on where the vulnerability may lie in the firmware: “Command injection during PRT file generation”. The Release Notes also provide additional detail in the “Changes in this release” section. The “PRT (Problem Report Tool) file name restrictions” section supports our suspicion that the command injection vulnerability lies somewhere in the PRT file generation function. The sentence describing the restrictions includes a juicy detail that we’ll come back to later in this article: “This firmware does not allow the use of “.” character in PRT name either used directly or included as a part of the macro variable”. All of this should further increase our confidence about where this vulnerability lies: somewhere in a function related to PRT file generation.
What is a PRT file?
The following document (Report Phone Issues on the Cisco IP Phone 8800 Series Multiplatform Phone – Cisco) describes what a Problem Reporting Tool (PRT) file is, and provides excellent documentation on how to generate and collect one. “The Problem Reporting Tool (PRT) on the Cisco 8800 Series IP Phone allows you to collect and send phone logs to your administrator. These logs are necessary for troubleshooting in case you run into phone issues”. This document will prove extremely useful in understanding how to trigger “PRT file generation”, as well as possible input sinks for the command injection vulnerability. Let’s remember these for later.
Figure 1 – Three Possible Input Sinks for the Command Injection Vulnerability
Figure 2 – An Example of a PRT File Ready for Download
Firmware analysis – Obtaining the vulnerable web management binary
The latest vulnerable firmware is available for download at Software Download – Cisco Systems. Utilizing the open source project binwalk (GitHub – ReFirmLabs/binwalk: Firmware Analysis Tool), I successfully extracted the root filesystem, encapsulated in the rootfs2.68xx.11-3-7MPP0001-272.sbn binary file.
Figure 3 – 68XX Root File System
With enough GREP-fu, it is possible to identify the binary which ultimately serves the Web Management User Interface containing the vulnerability: /usr/mbin/spr_voip. However, I later discovered that the easiest way to find this binary was to look at a PRT file. After generating a valid PRT file and inspecting the “show-output-{DATE}-{TIME}.log” file it contains (for example “show-output-20240115-142558.log”), you can see what appears to be netstat output (Figure 4), which shows the spr_voip binary listening on TCP port 80. Bingo! Let’s analyze this binary.
Figure 4 – spr_voip Binary Listening on Port 80
Binary analysis – Investigating spr_voip
By generating our own legitimate PRT file, we can also identify which web route handles PRT file generation. Intercepting the request with a proxy shows that “/genprt” is responsible for handling PRT file generation requests, and it also gives us a better understanding of the expected request and response bodies:
Request:
POST /genprt HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.86.33/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 192.168.86.33
Content-Length: 362
Pragma: no-cache
Connection: close
2012-01-15&13:55:29&Other
Response:
HTTP/1.1 200 OK
Date: Mon, 15 Jan 2024 21:02:21 GMT
Last-Modified: Mon, 15 Jan 2024 21:02:21 GMT
Etag: 65a59d5d.6b
Content-Type: application/json
Content-Length: 107
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors none
Strict-Transport-Security: max-age=31536000; includeSubDomains
Connection: close
Accept-Ranges: bytes
{
    "url": "",
    "status": "0",
    "uploadStatus": "3",
    "prtfile": "prt-20240115-150203-0CD0F8F52A36.tar.gz"
}
With our “/genprt” knowledge in hand, let’s import and begin analyzing spr_voip in Ghidra and find where the Command Injection vulnerability lies. Using the String Search feature in CodeBrowser, we can search for the string “genprt” and view results.
Figure 5 – /genprt String in spr_voip Binary
At location 003e2168 we see the object DAT_003e2168. If we view references to DAT_003e2168, we see only one reference at 001c4368:
Figure 6 – References to /genprt String in spr_voip
001c4368 is part of a larger function, serving as spr_voip’s request handler (Identified as UndefinedFunction_001cf338 in Figure 7). Looking at the decompiled code, we see the function “handl_prt_gen” is called if the request is destined for “/genprt”.
Figure 7 – spr_voip Request Handler
Observing the decompiled output for handl_prt_gen, we can see the gen_prt_file function being called:
Figure 8 – handl_prt_gen Function
The gen_prt_file function is where the excitement is at. Starting at line 91, we see a PRT file name string being created and passed into larger strings that appear to build a command (line 99 or line 102). That string is then passed to exec_prt_cmd (line 100 or line 103). We’ve identified two possible input sinks: /usr/bin/genprt_infra and /usr/bin/genprt.sh. The command injection alarms are sounding! After analyzing both, genprt.sh is where we should focus our attention.
Figure 9 – Possible Input Sink for Command Injection
Our input sink – genprt.sh
Viewing genprt.sh, the comment at the top of the file, “Script used to generate prt file”, tells us we are getting closer.
Figure 10 – genprt.sh Script
We also see where our input sink is used in the script, captured as $filename:
if [ -z $1 ] ; then
    ext=$(date)                 # the format argument is cut off in the extracted snippet
    filename="prt-$ext.tar.gz"
else
    filename=$1                 # caller-supplied name is used verbatim: no validation, no quoting
fi
logit "prt filename $filename"
At the bottom of the script, we see where our input sink, $filename, is used to compress a directory containing all of the files that make up the PRT tar.gz file. There is our Command Injection!
Figure 11 – genprt Command Injection Vulnerability
If we recall the response body for a legitimate PRT file generation request, the PRT file had a name like "prtfile": "prt-20240115-150203-0CD0F8F52A36.tar.gz", where 0CD0F8F52A36 is the MAC address of the device. This name matches the naming convention found in the true branch of the if statement: filename="prt-$ext.tar.gz". The question is how we can ensure our input reaches the $filename variable through the else branch (filename=$1).
Release notes: Remember “macro variable”?
After tedious levels of static analysis on spr_voip, I reviewed the Release Notes once more. The statement: “This firmware does not allow the use of “.” character in PRT name either used directly or included as a part of the macro variable.” caught my eye once more.
What is a macro variable?
Buried deep within the following document (Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later – Phone Features and Setup [Cisco IP Phone 8800 Series with Multiplatform Firmware] – Cisco), Macro Variables are described: “You can use macro variables in XML URLs. The following macro variables are supported:…”. The Macro Variables GPP_A through GPP_P caught my attention. The document describes these macros as “general-purpose parameters”.
Investigating the Web Interface for the device, I discovered that the GPP Macros may be set under /admin/advanced -> Voice -> Provisioning Tabs. By default, the admin routes are not password protected.
Secondarily, I observed the PRT Name: field. After reading the documentation further and testing, I discovered I can apply a GPP Macro by using the ${GP Parameter} in the field. By setting the GPP A: parameter as “;{command};” and then setting the PRT Name: to “prt-$A”, and then generating a new PRT file, I can successfully achieve command injection!
Figure 12 – Setting GPP Macros for Command Injection
Figure 13 – Triggering PRT File Generation Once More
Figure 14 – Confirming Command Injection
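How the genprt.sh input sink above should be guarded, written here as an added example in POSIX sh that is not Cisco’s own genprt.sh: the PRT name is macro-expanded first and validated afterwards, so a shell metacharacter smuggled in through a GPP macro (the “included as a part of the macro variable” case from the release notes) is rejected exactly like one typed directly into the PRT Name field. GPP_A and GPP_B are hypothetical stand-ins for the phone’s GPP parameters, and the accepted name shape is taken from the observed prt-<date>-<time>-<MAC>.tar.gz convention.

```shell
#!/bin/sh
# Added example (not Cisco's genprt.sh): expand GPP macros in the PRT name
# first, then validate the RESULT against an allowlist before it reaches any
# command line. Checking the raw name before expansion is the gap the release
# notes describe ("used directly or included as a part of the macro variable").
# Assumed: macros "$A" and "$B" map to hypothetical variables GPP_A and GPP_B.

# Replace every occurrence of $2 in $1 with $3 using only parameter expansion,
# so the replacement text is never re-parsed by sed or eval.
replace_all() {
    s=$1; pat=$2; rep=$3; out=""
    while [ -n "$s" ]; do
        case $s in
            *"$pat"*) head=${s%%"$pat"*}; out="$out$head$rep"; s=${s#*"$pat"} ;;
            *)        out="$out$s"; s="" ;;
        esac
    done
    printf '%s' "$out"
}

# Expand the two macros this example supports; the others work the same way.
expand_macros() {
    n=$(replace_all "$1" '$A' "${GPP_A:-}")
    replace_all "$n" '$B' "${GPP_B:-}"
}

# Accept only prt-<token>.tar.gz with <token> in [A-Za-z0-9_-]+; anything else,
# including ';', '$', '.', '/' and whitespace, is rejected.
is_valid_prt_name() {
    case $1 in
        prt-*.tar.gz) base=${1%.tar.gz}; base=${base#prt-} ;;
        *) return 1 ;;
    esac
    [ -n "$base" ] || return 1
    case $base in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Expand, validate, and only then build the archive from the directory in $2.
make_prt_archive() {
    name=$(expand_macros "$1")
    if ! is_valid_prt_name "$name"; then
        printf 'rejected PRT name: %s\n' "$name" >&2
        return 1
    fi
    tar -czf "$name" -C "$2" . && printf '%s\n' "$name"
}
```

The order matters: validating the PRT Name field before macro substitution would pass “prt-$A” untouched, and the metacharacters would only appear once GPP_A is expanded inside the script.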
Conclusion
At first glance, CVE-2023-20078 provides little useful information necessary for exploitation. However, by combining Cisco Security Advisories, Release Notes and Product Documentation with firmware analysis, it is possible to derive how to trigger the vulnerability. With this knowledge in hand, there are multiple avenues for acquiring a shell on the device; however, I will leave this as a challenge to the reader.
Red Team Operator - Adversary Services - IBM