Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Yealink VoIP Phones XSS / CRLF Injection

🗓️ 13 Jun 2014 00:00:00Reported by Jesus OquendoType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 36 Views

Yealink VoIP Phones XSS / CRLF Injection advisory. Vulnerabilities in Firmware Version 28.72.0.2 and Hardware Version 28.2.0.128.0.

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2014-3427
12 Jun 201400:00
circl
CVE		CVE-2014-3427
16 Jul 201414:00
cve
CVE		CVE-2014-3428
16 Jun 201418:00
cve
Cvelist		CVE-2014-3427
16 Jul 201414:00
cvelist
Cvelist		CVE-2014-3428
16 Jun 201418:00
cvelist
EUVD		EUVD-2014-3440
7 Oct 202500:30
euvd
EUVD		EUVD-2014-3441
7 Oct 202500:30
euvd
NVD		CVE-2014-3427
16 Jul 201414:19
nvd
NVD		CVE-2014-3428
16 Jun 201418:55
nvd
Prion		Crlf injection
16 Jul 201414:19
prion
Rows per page
`  
I. ADVISORY  
  
CVE-2014-3427 CRLF Injection in Yealink VoIP Phones  
CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones  
  
Date published: 06/12/2014  
Vendor Contacted: 05/08/2014  
  
  
II. BACKGROUND  
  
Yealink is a manufacturer of VoIP and Video products. To  
minimize noise read more at:  
  
http://www.yealink.com/Companyprofile.aspx  
  
  
III. DESCRIPTION  
  
There are CRLF Injection and XSS vulnerabilities in Yealink  
VoIP telephones. Validated on   
  
Firmware Version 28.72.0.2  
Hardware Version 28.2.0.128.0.0.0  
  
CRLF Injection (Header Splitting) proof of concept:  
  
Request  
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1  
  
In the above request, attackers can shove in code, webpages,  
etc. In my tests, I have used javascript, redirects, and even  
an entire web page shoved into the CRLF vulnerable inputs.  
  
  
-----  
  
  
The XSS vulnerability  
  
GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1  
  
Typical Cross Site Scripting.  
  
  
IV. SOLUTION  
  
Minimize accessibility to the phone's interface.  
  
  
V. VENDOR CONTACT AND RESPONSE  
  
05/08/2014 E-mailed [email protected] (bounced)  
05/08/2014 Created an account on Yealink's forum and  
sent message (no response for weeks)  
05/26/2014 Response via e-mail from Yealink  
05/26/2014 Replied to vendor I would disclose in June  
06/01/2014 Reached back out to vendor for update  
06/08/2014 Reached back out to vendor for update  
06/11/2014 Rouched out one last time... Crickets  
06/12/2014 Advisory  
  
  
VI. TOOLS USED  
  
Burpsuite, WVS, Firefox  
  
  
  
--   
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+  
J. Oquendo  
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM  
  
"Where ignorance is our master, there is no possibility of  
real peace" - Dalai Lama  
  
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF  
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Jun 2014 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.03499
yealinkvoip phonesxsscrlf injectionvulnerabilitiesfirmwarehardwaresecurity contactadvisoryproof of conceptcross site scriptingburpsuite
36