Sense of Security - Security Advisory - SOS-12-001 Release Date. 23-Feb-2012 Last Update. - Vendor Notification Date. 27-Jan-2012 Product. Snom IP Phone series Platform. Hardware Affected versions. All versions prior to v8.4.35 Severity Rating. High Impact. Privilege escalation Attack Vector. Remote without authentication Solution Status. Vendor patch CVE reference. CVE - not yet assigned Details. The privilege escalation is possible because the form used to login as the admin user is the same form for resetting the admin password, and the user is not required to enter their old password when changing their password. This form is also vulnerable to Cross-Site Request Forgery (CSRF). This issue is exploitable on the following pages: Version 7, 8: http://x.x.x.x/advanced_network.htm Version 6 and below: http://x.x.x.x/advanced.htm Where an attacker can reset the Administrator password by removing all password attempt variables and adding the following POST data: admin_mode=on admin_mode_password=newpass admin_mode_password_confirm=newpass Settings=Save hidden_tag=(leave as the current post variable if CSRF protection is enabled in firmware versions 7.1.33 and above) After sending the request the attacker can now login as the Administrator with the credentials specified in the above request. Proof of Concept.