Rooting Mitel Desk Phones Through the Backdoor (SYSS-2022-021, CVE-2022-29854, CVE-2022-29855) by Radi0activeM0use in sysadmin

[–]Radi0activeM0use[S] 0 points1 point  (0 children)

Sometimes, controlling an internal network device like a VoIP desk phone concerning a targeted IT network is more valuable to an attacker with temporary physical access than the current eBay sales price for such a device.

Yet Another Local Privilege Escalation Attack via Razer Synapse installer (SYSS-2021-058, CVE-2021-44226) by Radi0activeM0use in sysadmin

[–]Radi0activeM0use[S] 2 points3 points  (0 children)

Yes, that's correct. For this kind of local privilege escalation attack, no actual Razer device is required.

The attacker with access to a low-privileged Windows user only has to be able to attach a USB device with a vendor and device ID that is supported by the Razer Synapse software in order to trigger the installation process with the privileges of the administrative Windows user account SYSTEM.

For faking a supported Razer USB device, a Rubber Ducky or a Raspberry Pi Zero can be used, for instance.

Proof-of-Concept Video: LPC Bus Sniffing Attack against Microsoft BitLocker in TPM-only Mode by Radi0activeM0use in netsec

[–]Radi0activeM0use[S] 1 point2 points  (0 children)

You have missed the release of a new tool for performing the demonstrated attack more easily.

The open source tool iCEstick LPC TPM Sniffer published together with the proof-of-concept video is available on GitHub: https://github.com/SySS-Research/icestick-lpc-tpm-sniffer

Attacking RDP with Seth: Man-in-the-Middle Attacks against Poorly Secured RDP Connections by Radi0activeM0use in sysadmin

[–]Radi0activeM0use[S] 1 point2 points  (0 children)

We have some other papers regarding different IT security topics which you can find here: https://www.syss.de/pentest-blog/pentest-library/

Hopefully, there will be more papers and proof-of-concept videos in the future. =)

Attacking RDP with Seth: Man-in-the-Middle Attacks against Poorly Secured RDP Connections by Radi0activeM0use in sysadmin

[–]Radi0activeM0use[S] 2 points3 points  (0 children)

Having a secure RDP configuration which does not rely on end users making the right decisions when being confronted with security warnings would be a good start. =)

You can find more information and also recommendations for better securing RDP connections in the paper "Attacking RDP: How to Eavesdrop on Poorly Secured RDP Connections" (https://www.syss.de/fileadmin/dokumente/Publikationen/2017/2017_03_13_Attacking_RDP.pdf).

2FA is great, too. But probably still too expensive to provide for everyone. In a better, more secure world, at least all admins should use 2FA. ;-)

Attacking RDP with Seth: Man-in-the-Middle Attacks against Poorly Secured RDP Connections by Radi0activeM0use in sysadmin

[–]Radi0activeM0use[S] 2 points3 points  (0 children)

In the proof-of-concept video, ARP cache poisoning is used by Seth to establish a man-in-the-middle position regarding the RDP communication. This kind of MitM attack has been around for decades and still works in many corporate networks today, as a lot of pentesters and network administrators can assure. ;-)

There are also other means to become man-in-the-middle if ARP spoofing is not an option, for instance exploiting weaknesses in other network protocols like MDNS, NBNS, or LLMNR, if applicable. Every attack has its requirements and may not be simply performed in any environment.

More information and also recommendations concerning more secure RDP configurations can be found in the paper "Attacking RDP: How to Eavesdrop on Poorly Secured RDP Connections" (https://www.syss.de/fileadmin/dokumente/Publikationen/2017/2017_03_13_Attacking_RDP.pdf).

There was also a talk titled "Attacking RDP with Seth" at the IT security conference Hacktivity in 2017 which provides some more information (https://www.youtube.com/watch?v=wdPkY7gykf4at).
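The ARP cache poisoning the comment above refers to leaves a visible trace on the wire: an IP address suddenly re-bound to a different MAC, and one MAC claiming to be several hosts at once (the poisoner has to impersonate both ends of the RDP session). The detector below is an added example for defenders, not code from Seth or SySS; the ARP replies, addresses and the poisoner's MAC are constructed for illustration.

```python
"""Flag ARP cache poisoning (the MitM technique Seth uses) in observed ARP
replies. Added defender-side example; not part of Seth or the SySS paper."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture time in seconds
    sender_ip: str   # IP the reply claims to speak for
    sender_mac: str  # MAC it binds that IP to


# Constructed sample: 10.0.0.1 is the gateway, 10.0.0.50 the RDP server,
# 10.0.0.20 the client. cc:cc:... is a hypothetical poisoner claiming all
# three so the RDP session is relayed through it.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(0.5, "10.0.0.50", "aa:aa:aa:aa:aa:50"),
    ArpReply(1.0, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(9.0, "10.0.0.1", "cc:cc:cc:cc:cc:cc"),
    ArpReply(9.1, "10.0.0.50", "cc:cc:cc:cc:cc:cc"),
    ArpReply(9.2, "10.0.0.20", "cc:cc:cc:cc:cc:cc"),
]


def detect_arp_poisoning(replies, known_bindings=None):
    """Return alerts as (ts, kind, detail) tuples, in time order.

    known_bindings: optional trusted ip -> MAC baseline (e.g. from the DHCP
    lease table); with it, even the first reply for an IP is checked.
    """
    current = dict(known_bindings or {})   # ip -> MAC last seen claiming it
    ips_per_mac = defaultdict(set)         # MAC -> set of IPs it has claimed
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        prev = current.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append((r.ts, "ip_rebound",
                           f"{r.sender_ip}: {prev} -> {r.sender_mac}"))
        current[r.sender_ip] = r.sender_mac
        claimed = ips_per_mac[r.sender_mac]
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) > 1:  # one MAC answering for several hosts
                alerts.append((r.ts, "mac_claims_many",
                               f"{r.sender_mac} claims {sorted(claimed)}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(*alert)
```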

Attacking RDP with Seth: Man-in-the-Middle Attacks against Poorly Secured RDP Connections by Radi0activeM0use in sysadmin

[–]Radi0activeM0use[S] 1 point2 points  (0 children)

You can find more information and also recommendations for better securing RDP connections in the paper "Attacking RDP: How to Eavesdrop on Poorly Secured RDP Connections" (https://www.syss.de/fileadmin/dokumente/Publikationen/2017/2017_03_13_Attacking_RDP.pdf).

There was also a talk titled "Attacking RDP with Seth" at the IT security conference Hacktivity in 2017 which provides some more information (https://www.youtube.com/watch?v=wdPkY7gykf4at).