Yealink VoIP Phones XSS / CRLF Injection

2014-06-13T00:00:00
ID PACKETSTORM:127081
Type packetstorm
Reporter Jesus Oquendo
Modified 2014-06-13T00:00:00

Description

                                        
                                            `  
I. ADVISORY  
  
CVE-2014-3427 CRLF Injection in Yealink VoIP Phones  
CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones  
  
Date published: 06/12/2014  
Vendor Contacted: 05/08/2014  
  
  
II. BACKGROUND  
  
Yealink is a manufacturer of VoIP and Video products. To  
minimize noise read more at:  
  
http://www.yealink.com/Companyprofile.aspx  
  
  
III. DESCRIPTION  
  
There are CRLF Injection and XSS vulnerabilities in Yealink  
VoIP telephones. Validated on   
  
Firmware Version 28.72.0.2  
Hardware Version 28.2.0.128.0.0.0  
  
CRLF Injection (Header Splitting) proof of concept:  
  
Request  
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1  
  
In the above request, attackers can shove in code, webpages,  
etc. In my tests, I have used javascript, redirects, and even  
an entire web page shoved into the CRLF vulnerable inputs.  
  
  
-----  
  
  
The XSS vulnerability  
  
GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1  
  
Typical Cross Site Scripting.  
  
  
IV. SOLUTION  
  
Minimize accessibility to the phone's interface.  
  
  
V. VENDOR CONTACT AND RESPONSE  
  
05/08/2014 E-mailed security@yealink.com (bounced)  
05/08/2014 Created an account on Yealink's forum and  
sent message (no response for weeks)  
05/26/2014 Response via e-mail from Yealink  
05/26/2014 Replied to vendor I would disclose in June  
06/01/2014 Reached back out to vendor for update  
06/08/2014 Reached back out to vendor for update  
06/11/2014 Rouched out one last time... Crickets  
06/12/2014 Advisory  
  
  
VI. TOOLS USED  
  
Burpsuite, WVS, Firefox  
  
  
  
--   
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+  
J. Oquendo  
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM  
  
"Where ignorance is our master, there is no possibility of  
real peace" - Dalai Lama  
  
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF  
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF  
  
  
`