Abstract
During a security analysis of an enterprise communication infrastructure, IT security expert Moritz Abrell identified an “undocumented functionality” (backdoor) in the firmware of Mitel 6800/6900 desk phones, which allows a physical attacker gaining root privileges on the phone. The vulnerability was reported to the manufacturer Mitel Networks Corporation as part of our responsible disclosure process. Appropriate patches to fix this issue were provided by Mitel.
Further information can be found in our security advisory SYSS-2022-021, the CVE IDs CVE-2022-29854 and CVE-2022-29855, as well as on the vulnerability reports 22-0003 and 22-0004 provided by the manufacturer.
The following section includes technical details and a demonstration of the exploitation.
Technical details
As shown below, the firmware of a Mitel desk phone contains a JFFS2 file system:
1
2
3
4
5
6
7
#> binwalk 6867i.st
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
347 0x15B Linux kernel ARM boot executable zImage (little-endian)
15695 0x3D4F gzip compressed data, maximum compression, from Unix, last modified: 2021-10-22 10:47:08
1223395 0x12AAE3 JFFS2 filesystem, little endian
After extracting and mounting it, the embedded Linux file system can be accessed:
1
2
3
4
5
6
7
8
9
10
11
#> binwalk -e 6867i.st
#> modprobe jffs2
#> modprobe mtdram total_size=70000
#> modprobe mtdblock
#> dd if=_6867i.st.extracted/12AAE3.jffs2 of=/dev/mtdblock0
#> mount -t jffs2 /dev/mtdblock0 /mnt
Inside the mounted Linux file system, a file named ota_BCM911109_PRAXIS_3_voice_v6_5_jffs2.bin located in the etc folder, contains another JFFS2 file system:
1
2
3
4
5
6
7
#> binwalk ota_BCM911109_PRAXIS_3_voice_v6_5_jffs2.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
160 0xA0 Linux kernel ARM boot executable zImage (little-endian)
17951 0x461F gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
2006456 0x1E9DB8 JFFS2 filesystem, little endian
After extracting and mounting this JFFS2 file system too, a script named check_mft.sh located in the etc folder can be accessed, which contains the backdoor logic. This script is executed at system boot by the rcS script of init daemon.
The check_mft.sh checks if the * and the # keys are pressed and hold simultaneously at system startup:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
#press and hold * # two keys at the same time
"6873i" | "6940" )
echo "HOSTNAME = $HOSTNAME"
GPIODetect=`gpio get 24`
GPIO28=`gpio get 28`
if [ $GPIO28 -eq "1" ]; then
GPIODetect="0"
isCCATest="TRUE"
fi
keyBoardScanMatch="TRUE"
KeyCombMatch1=`dbg rw 0x8000d000 8| grep "0x8000d000: 01ff 01ff 01d7 01ff 01ff 01ff 01ff 01ff"`
KeyCombMatch2=`dbg rw 0x8000d000 8| grep "0x8000d000: 00ff 00ff 00d7 00ff 01ff 00ff 01ff 00ff"`
;;
After that, the static IP address 10.30.102.102 and a static root password is set and a telnet service is started:
1
2
3
4
5
6
7
8
9
ifconfig eth0 10.30.102.102 netmask 255.255.255.0 up
...
if [ -f /usr/sbin/telnetd ]; then
# make sure the default password is set for root.
(echo *redacted*; sleep 1; echo *redacted*) | passwd -a A
telnetd &
fi
The actual password has been removed due to security reasons.
An exploitation demonstration of this backdoor can be seen in our SySS Proof-of-Concept video Rooting Mitel Desk Phones Through the Backdoor: