Multiple Zoom Telephonics Devices Multiple Security Vulnerabilities

ID EDB-ID:38632
Type exploitdb
Reporter Kyle Lovett
Modified 2013-07-09T00:00:00


Multiple Zoom Telephonics Devices Multiple Security Vulnerabilities. CVE-2013-5620. Remote exploit for hardware platform


Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability.

Exploiting these issues could allow an attacker to gain unauthorized access and perform arbitrary actions, obtain sensitive information, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Vulnerability proofs and examples-
All administrative items can be accessed through these two URLs

--Menu Banner

-Advanced Options Menu

Example commands that can be executed remotely through a web browser
URL, or a modified HTTP GET/POST requests-

-Change Password for admin Account

On Firmware 2.5 or lower

On Firmware 3.0-

-Clear Logs

-Remote Reboot to Default Factory Settings-
Warning - For all intents and purposes, this action will almost always
result in a long term Denial of Service attack.

-Create New Admin or Intermediate Account-
On Firmware 2.5 or lower"newintermediateac

On Firmware 3.0-