Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
DBLTek GoIP Devices Challenge-Response Authentication Backdoor Vulnerability in Telnet Interface
Vulnerability
A backdoor vulnerability has been identified in the Telnet administrative interface of DBLTek GoIP devices, specifically models 1, 4, 8, 16, and 32. This vulnerability allows remote authentication as an undocumented user through a flawed challenge-response authentication scheme. The challenge-response mechanism can be exploited to compute the response and gain unauthorized access, leading to a root shell on the device. This exploitation allows for persistent remote code execution, full device compromise, and arbitrary control over the device and its managed services. Although a firmware update was released in December 2016 that aimed to complicate the exploitation of this vulnerability, it remains unclear whether DBLTek has fully addressed the issue.
Impact
Exploitation of this vulnerability allows for unauthorized access to the device with root privileges, enabling a full compromise of the device and its services. According to Trustwave, this vulnerability could be exploited to create a botnet of compromised GoIP devices.
Reproduction
To reproduce this vulnerability, connect to the device's Telnet interface using a client that allows for manual input of the challenge-response authentication. Once connected, log in as the 'dbladm' user, which will prompt a challenge. The response can be computed using the challenge, taking advantage of the flawed authentication scheme. After successfully authenticating, access a root shell on the device.
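A detection-side example, added here and not taken from the advisory or from DBLTek: it strips Telnet option negotiation from captured client-to-server bytes and flags sessions whose login name is `dbladm`. The session data is constructed, and treating the first typed line as the login name is an assumption about how the capture is split.

```python
IAC, SB, SE = 255, 250, 240
NEGOTIATE = (251, 252, 253, 254)  # WILL, WONT, DO, DONT
BACKDOOR_USER = b"dbladm"  # account name given in the advisory

def strip_telnet(data):
    """Drop Telnet IAC sequences so only bytes typed by the user remain."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= n:
            break                        # truncated IAC at end of capture
        elif data[i + 1] == IAC:
            out.append(IAC); i += 2      # escaped literal 0xFF
        elif data[i + 1] in NEGOTIATE:
            i += 3                       # IAC <verb> <option>
        elif data[i + 1] == SB:          # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                       # other two-byte commands (NOP, GA)
    return bytes(out)

def typed_lines(client_bytes):
    """Yield each line the client typed, applying backspace/delete edits."""
    line = bytearray()
    for b in strip_telnet(client_bytes):
        if b in (0x0D, 0x0A):
            if line:
                yield bytes(line)
            line.clear()
        elif b in (0x08, 0x7F):
            if line:
                line.pop()
        elif b != 0x00:                  # Telnet sends CR NUL for a bare CR
            line.append(b)

def flag_sessions(sessions):
    """sessions: iterable of (source_ip, client_to_server_bytes)."""
    # Assumption: the first typed line of a session is the login name.
    return [src for src, data in sessions
            if (next(typed_lines(data), b"")).strip() == BACKDOOR_USER]

# Constructed sample sessions (documentation IP ranges, not real captures).
SESSIONS = [
    ("192.0.2.10", bytes([IAC, 251, 24, IAC, 253, 1]) + b"admin\r\nsecret\r\n"),
    ("198.51.100.7", bytes([IAC, 253, 3]) + b"dblx\x08adm\r\x0012345\r\n"),
    ("203.0.113.5", b"root\r\ndbladm\r\n"),  # string is not the login name
]
```

Feed it the reassembled client side of each TCP/23 stream to a GoIP device; any returned source address warrants review of that device.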
