
Rooting Mitel Desk Phones Through the Backdoor (CVE-2022-29854, CVE-2022-29855)

Abstract

During a security analysis of an enterprise communication infrastructure, IT security expert Moritz Abrell identified an "undocumented functionality" (backdoor) in the firmware of Mitel 6800/6900 desk phones which allows an attacker with physical access to a phone to gain root privileges on it. The vulnerability was reported to the manufacturer Mitel Networks Corporation as part of our responsible disclosure process, and Mitel has provided patches that fix the issue.

Further information can be found in our security advisory SYSS-2022-021, under the CVE IDs CVE-2022-29854 and CVE-2022-29855, and in the vulnerability reports 22-0003 and 22-0004 published by the manufacturer.

The following section includes technical details and a demonstration of the exploitation.

Technical details

As the binwalk output below shows, the firmware image of a Mitel desk phone (here 6867i.st) contains an ARM zImage kernel followed by a JFFS2 file system:

#> binwalk 6867i.st

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
347           0x15B           Linux kernel ARM boot executable zImage (little-endian)
15695         0x3D4F          gzip compressed data, maximum compression, from Unix, last modified: 2021-10-22 10:47:08
1223395       0x12AAE3        JFFS2 filesystem, little endian

After carving the JFFS2 image with binwalk and writing it to a RAM-backed MTD device (mtdram, whose total_size parameter is given in KiB), the embedded Linux file system can be mounted and accessed:

#> binwalk -e 6867i.st

#> modprobe jffs2

#> modprobe mtdram total_size=70000

#> modprobe mtdblock

#> dd if=_6867i.st.extracted/12AAE3.jffs2 of=/dev/mtdblock0

#> mount -t jffs2 /dev/mtdblock0 /mnt

Inside the mounted file system, the file etc/ota_BCM911109_PRAXIS_3_voice_v6_5_jffs2.bin is a second firmware image (for the phone's voice processor) that in turn contains another JFFS2 file system:

#> binwalk ota_BCM911109_PRAXIS_3_voice_v6_5_jffs2.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
160           0xA0            Linux kernel ARM boot executable zImage (little-endian)
17951         0x461F          gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
2006456       0x1E9DB8        JFFS2 filesystem, little endian

After carving and mounting this second JFFS2 file system in the same way, the script etc/check_mft.sh, which contains the backdoor logic, becomes accessible. It is executed at system boot by the init daemon's rcS script.
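The carve-and-mount steps above have to be repeated for every JFFS2 image found, first for the one carved from 6867i.st and then for the one inside the ota_*.bin file. The helper below is an added example, not code from the SySS post or from the Mitel firmware. It checks the JFFS2 magic before touching any device, derives a valid mtdram size from the image size instead of guessing one, and then runs the same modprobe/dd/mount sequence; the device node /dev/mtdblock0, the mount point and the 128 KiB erase size are assumptions.

```shell
#!/bin/sh
# Added example (not from the SySS post or the Mitel firmware): reproduce the
# manual carve-and-mount steps as a checked helper. /dev/mtdblock0, the mount
# point and the 128 KiB erase block size are assumptions.

# Succeed if the file begins with the JFFS2 magic 0x1985 in either byte order.
# binwalk reports the "85 19" form seen in this firmware as little endian.
jffs2_magic_ok() {
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    [ "$magic" = "8519" ] || [ "$magic" = "1985" ]
}

# Print "little", "big" or "unknown" for the image's byte order.
jffs2_endianness() {
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    case "$magic" in
        8519) echo little ;;
        1985) echo big ;;
        *)    echo unknown; return 1 ;;
    esac
}

# mtdram's total_size parameter is in KiB and must be a multiple of its
# erase_size (also KiB, default 128); round the image size up accordingly.
mtdram_size_kib() {
    bytes=$1
    erase_kib=${2:-128}
    kib=$(( (bytes + 1023) / 1024 ))
    echo $(( (kib + erase_kib - 1) / erase_kib * erase_kib ))
}

# Mount one carved JFFS2 image through mtdram. Run it a second time for the
# image carved from the nested ota_*.bin firmware blob.
mount_jffs2() {
    img=$1
    mnt=${2:-/mnt}
    jffs2_magic_ok "$img" || { echo "$img: not a JFFS2 image" >&2; return 1; }
    size=$(wc -c < "$img")
    kib=$(mtdram_size_kib "$size")
    echo "$img: $size bytes, $(jffs2_endianness "$img") endian, mtdram total_size=$kib KiB"
    modprobe jffs2
    # If mtdram is already loaded with a smaller device, rmmod it first.
    modprobe mtdram total_size="$kib" erase_size=128
    modprobe mtdblock
    dd if="$img" of=/dev/mtdblock0 bs=1M
    mount -t jffs2 /dev/mtdblock0 "$mnt"
}

# Usage (as root):
#   binwalk -e 6867i.st && mount_jffs2 _6867i.st.extracted/12AAE3.jffs2 /mnt
```

Rounding the device size up to a whole number of erase blocks matters: mtdram rejects a total_size that is not a multiple of erase_size, and a device smaller than the image silently truncates the dd and produces a file system that mounts but is missing its tail.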

check_mft.sh checks, per phone model, whether the * and # keys are pressed and held simultaneously at system startup, by reading GPIO lines and comparing the keyboard scan matrix in memory against two fixed patterns:

#press and hold *  # two keys at the same time  
     "6873i" | "6940" )
        echo "HOSTNAME = $HOSTNAME"
        GPIODetect=`gpio get 24`
        GPIO28=`gpio get 28`
        if [ $GPIO28 -eq "1" ]; then
            GPIODetect="0"
            isCCATest="TRUE"
        fi      
        keyBoardScanMatch="TRUE"
        KeyCombMatch1=`dbg rw 0x8000d000 8| grep "0x8000d000: 01ff 01ff 01d7 01ff 01ff 01ff 01ff 01ff"`
        KeyCombMatch2=`dbg rw 0x8000d000 8| grep "0x8000d000: 00ff 00ff 00d7 00ff 01ff 00ff 01ff 00ff"`
    ;;

If the key combination is detected, the script configures the static IP address 10.30.102.102 on eth0, sets a static root password and starts a telnet service:

ifconfig eth0 10.30.102.102 netmask 255.255.255.0 up

...

if [ -f /usr/sbin/telnetd ]; then
     # make sure the default password is set for root.
     (echo *redacted*; sleep 1; echo *redacted*) | passwd -a A
     telnetd &
fi

The actual password has been redacted from the listing above for security reasons.
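The pattern above, an init-time script that assigns a hard-coded address, sets a password non-interactively and starts telnetd, is easy to grep for once a firmware root file system has been mounted. The audit script below is an added example and is not part of the SySS post or of the Mitel firmware; the file name patterns it searches under the root and the three heuristics it applies are assumptions that will need tuning for other vendors' init layouts.

```shell
#!/bin/sh
# Added example (not from the SySS post or the Mitel firmware): flag boot-time
# shell scripts in an extracted root file system that show the backdoor
# pattern described above. File name patterns and heuristics are assumptions.

# Print one "path:finding" line per match, sorted, for scripts under $1.
# Findings:
#   telnetd       the script references a telnet daemon
#   piped-passwd  a password is fed to passwd through a pipe (non-interactive)
#   static-ip     ifconfig is called with a literal IPv4 address
audit_rootfs() {
    root=$1
    find "$root" -type f \( -name '*.sh' -o -name 'rc*' -o -name 'S[0-9]*' \) |
    while IFS= read -r f; do
        grep -qE '(^|[^A-Za-z_])telnetd([^A-Za-z_]|$)' "$f" && echo "$f:telnetd"
        grep -qE '[|][[:space:]]*passwd([[:space:]]|$)' "$f" && echo "$f:piped-passwd"
        grep -qE 'ifconfig[[:space:]]+[a-z0-9]+[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$f" \
            && echo "$f:static-ip"
    done | sort
    return 0
}

# Count the findings for a quick pass/fail in a firmware build pipeline.
audit_count() {
    audit_rootfs "$1" | wc -l | tr -d ' '
}

# Usage: audit_rootfs /mnt   (after mounting the carved JFFS2 image there)
```

A script that trips all three heuristics at once, as check_mft.sh does, is worth reading line by line; a single hit (for example a telnetd reference in a debug script that is never started) is the usual false positive, which is why the findings are reported per file rather than collapsed into one verdict.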

An exploitation demonstration of this backdoor can be seen in our SySS proof-of-concept video "Rooting Mitel Desk Phones Through the Backdoor".

This post is licensed under CC BY 4.0 by the author.