Canadian Telcos Patch an APT-Ready Flaw in Disability Services

Canadian telcos have patched a local file-disclosure flaw in a widely deployed platform behind disability services, the services that allow people who are deaf, hard of hearing or have a speech disorder to place calls through a text telephone or other assistive devices.

The vulnerability opens the door to widespread theft of telephone customers’ information, according to researchers, and affects some 30 million subscribers in Canada alone.

The flaw exists in the seven-year-old SOLEO IP Relay platform from Soleo Communications; it’s a cloud-based IP relay service that telcos can deploy to let hearing-impaired customers with verified credentials initiate and conduct outbound voice calls through a web-browser application. An IP relay agent acts as the “translator” between the hearing-impaired customer and the recipient of the call. A voice user can also initiate a session with a hearing-impaired customer by dialing that customer’s assigned number, which routes to an IP relay agent. The caller provides the identification number of the customer they want to contact and, if that customer is logged in, the relay agent passes messages between the parties. If the customer is unavailable, the relay agent may leave an offline text message, which the customer can retrieve at their discretion.

Dominik Penner of Project Insecurity and fellow researcher Manny Mand uncovered a vulnerability that would allow bad actors to steal passwords and identities on a broad scale.

“A determined attacker (APT/foreign entity) could leverage this vulnerability to steal passwords from configuration files across multiple providers, compromise said providers using the stolen passwords, and then potentially launch a large-scale identity theft operation,” Penner explained in his overview of the vulnerability [PDF].

The researchers uncovered the problem when visiting the login page of a Canadian telecom provider’s SOLEO IP Relay client. They noticed that clicking the “forgot password” link led to a [https://<host>.<tld>/IPRelayApp/servlet/IPRelay?page=forgotPassword] URL with an obvious GET “page” parameter. By manipulating that parameter’s value, they were able to subvert the servlet’s check that is meant to stop it loading sensitive files, simply by appending an ellipsis (three dots) to the parameter.

The server then treated the manipulated value as a legitimate page name and resolved it as a file path, letting the researchers choose which file was read. From there, the team was able to map the “IPRelayApp” directory and locate various files on the IP relay server. Among them was the WEB-INF directory, which in a Java web application holds the deployment descriptor and compiled classes, and which opened the door to retrieving source-code files.

Though these were compiled Java bytecode (.class files) rather than source, “a determined attacker would easily be able to convert this directly back to source, compromising source code and other sensitive files,” Penner explained. These could then be downloaded by the attacker.

“This vulnerability exists due to the fact that there is improper sanitization on the ‘page’ GET parameter in servlet/IPRelay,” Penner noted. “A developer should always check for dangerous characters in filenames. In this case we were able to navigate our way through the server and into the WEB-INF directory by using directory traversal characters (../).”
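To make the mechanism concrete, here is an added model of the flawed lookup beside a hardened one. It is written in Python for illustration and is not Soleo’s servlet code; the web-application layout, the template directory, the file names and the single-pass “strip ../” filter are all assumptions, and the exact check the researchers bypassed is not described in the article. The point it demonstrates is the one in Penner’s note: a user-controlled “page” value joined onto a directory with no validation lets “../” reach WEB-INF, a denylist that strips traversal sequences can be nested around, and an allowlist plus canonical-path containment closes both holes.

```python
import os
import tempfile

# Constructed web-application layout for the model (hypothetical; Soleo's real
# layout is not published). Built in a temp directory so the example runs offline.
# Page templates are stored without an extension so that ?page=forgotPassword
# maps straight to a file, as in the URL quoted in the article.
WEBAPP_FILES = {
    "pages/forgotPassword": "<html>forgot password form</html>",
    "pages/login": "<html>login form</html>",
    "WEB-INF/web.xml": "<web-app></web-app>",
    "WEB-INF/classes/db.properties": "db.password=hunter2",  # constructed secret
}


def build_webapp():
    """Materialise WEBAPP_FILES under a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="IPRelayApp-")
    for rel, body in WEBAPP_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)
    return root


WEBAPP_ROOT = build_webapp()
PAGES_DIR = os.path.realpath(os.path.join(WEBAPP_ROOT, "pages"))
ALLOWED_PAGES = {"forgotPassword", "login"}  # assumed set of legitimate pages


def serve_page_vulnerable(page):
    """Models the flaw: 'page' is joined onto the templates directory with no
    validation, so '../' segments walk out of it and into WEB-INF."""
    with open(os.path.join(PAGES_DIR, page)) as f:
        return f.read()


def strip_traversal_once(page):
    """A hypothetical denylist filter (not Soleo's): removes '../' in one pass.
    Nesting defeats it: deleting the inner '../' from '....//' leaves a fresh
    '../' behind, which is why stripping is not a fix."""
    return page.replace("../", "")


def is_contained(candidate, base):
    """True if the canonical form of 'candidate' lies inside directory 'base'.
    realpath() collapses '..' and follows symlinks before the comparison."""
    real = os.path.realpath(candidate)
    return os.path.commonpath([real, base]) == base


def page_allowed(page):
    """Hardened check: an allowlist of page identifiers is the primary control;
    canonical-path containment is defence in depth for the day the allowlist
    is loosened to accept user-shaped names."""
    if page not in ALLOWED_PAGES:
        return False
    return is_contained(os.path.join(PAGES_DIR, page), PAGES_DIR)


def serve_page_hardened(page):
    """Same lookup as the vulnerable servlet, gated on page_allowed()."""
    if not page_allowed(page):
        raise PermissionError(f"refusing page {page!r}")
    with open(os.path.join(PAGES_DIR, page)) as f:
        return f.read()


if __name__ == "__main__":
    print(serve_page_vulnerable("../WEB-INF/classes/db.properties"))  # db.password=hunter2
    print(strip_traversal_once("....//WEB-INF/web.xml"))               # ../WEB-INF/web.xml
    print(page_allowed("../WEB-INF/classes/db.properties"))            # False
```

The allowlist does the real work: a “page” parameter that selects one of a handful of views never needs to be a path at all. The containment check stays because servlet containers URL-decode the parameter before the servlet sees it, so encoded variants arrive looking exactly like the plain ones, and a canonical-path comparison is the only check that does not depend on guessing every spelling of “..”.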

The scenario gets worse, however: The source code and accompanying configuration files also include the passwords the servlet uses to talk to other services, such as SQL and LDAP back ends. An enterprising attacker could lift those passwords to escalate privileges on the server, penetrate further into the network, harvest customer information, or use that data to mount credible social-engineering campaigns.

“The end result could be escalated to yield remote code-execution, though we were not comfortable attempting to do this before getting in contact with the vendor,” Penner said in his write-up. He added that he did, indeed, contact Soleo, which issued a patch but did not want to go public with the flaw, which prompted Penner to release his findings this week.

At least 10 Canadian ISPs were found to be running vulnerable instances of Soleo’s IP Relay, including Bell Aliant, Bell Canada, Cogeco, MTS, Rogers, Sasktel, Shaw Communications, Telus and Videotron, plus a range of smaller players such as Chatr and Fido. Project Insecurity said in a tweet yesterday that all of them have since been patched.

“Essentially every ISP in Canada uses Soleo’s IP Relay service,” Penner said. “Seeing as Canada’s federal elections are coming up in 2019, this vulnerability could have had detrimental effects for Canadian citizens who confide in these providers to safeguard their identity.”

However, the Soleo IP Relay footprint isn’t restricted to Canada (the company is based in Rochester, N.Y.), and it’s unclear whether telcos in the U.S. and elsewhere would be similarly vulnerable.

Threatpost has reached out to Soleo and the Project Insecurity team for clarification and will update this post with any responses.