Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJesus OquendoPACKETSTORM:127081
HistoryJun 13, 2014 - 12:00 a.m.

Yealink VoIP Phones XSS / CRLF Injection

2014-06-1300:00:00
Jesus Oquendo
packetstormsecurity.com
24

0.038 Low

EPSS

Percentile

90.9%

JSON
`  
I. ADVISORY  
  
CVE-2014-3427 CRLF Injection in Yealink VoIP Phones  
CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones  
  
Date published: 06/12/2014  
Vendor Contacted: 05/08/2014  
  
  
II. BACKGROUND  
  
Yealink is a manufacturer of VoIP and Video products. To  
minimize noise read more at:  
  
http://www.yealink.com/Companyprofile.aspx  
  
  
III. DESCRIPTION  
  
There are CRLF Injection and XSS vulnerabilities in Yealink  
VoIP telephones. Validated on   
  
Firmware Version 28.72.0.2  
Hardware Version 28.2.0.128.0.0.0  
  
CRLF Injection (Header Splitting) proof of concept:  
  
Request  
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1  
  
In the above request, attackers can shove in code, webpages,  
etc. In my tests, I have used javascript, redirects, and even  
an entire web page shoved into the CRLF vulnerable inputs.  
  
  
-----  
  
  
The XSS vulnerability  
  
GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1  
  
Typical Cross Site Scripting.  
  
  
IV. SOLUTION  
  
Minimize accessibility to the phone's interface.  
  
  
V. VENDOR CONTACT AND RESPONSE  
  
05/08/2014 E-mailed [email protected] (bounced)  
05/08/2014 Created an account on Yealink's forum and  
sent message (no response for weeks)  
05/26/2014 Response via e-mail from Yealink  
05/26/2014 Replied to vendor I would disclose in June  
06/01/2014 Reached back out to vendor for update  
06/08/2014 Reached back out to vendor for update  
06/11/2014 Rouched out one last time... Crickets  
06/12/2014 Advisory  
  
  
VI. TOOLS USED  
  
Burpsuite, WVS, Firefox  
  
  
  
--   
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+  
J. Oquendo  
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM  
  
"Where ignorance is our master, there is no possibility of  
real peace" - Dalai Lama  
  
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF  
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF  
  
  
`

Related

securityvulns 2
prion 2
cve 2
securityvulns
securityvulns
Yealink VoIP phones security vulnerabilities
2014-06-13 00:00:00
CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones
2014-06-13 00:00:00
prion
prion
Cross site scripting
2014-06-16 18:55:00
Crlf injection
2014-07-16 14:19:00
cve
cve
CVE-2014-3428
2014-06-16 18:55:00
CVE-2014-3427
2014-07-16 14:19:00

0.038 Low

EPSS

Percentile

90.9%

JSON
Related for PACKETSTORM:127081
securityvulns2prion2cve2