Summary
This host is running Yealink VoIP Phone and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow remote attackers to trivially gain privileged access to the device, execute arbitrary commands and gain access to arbitrary files.
Impact Level: System/Application
Solution
No solution or patch is available as of 20th February, 2015. Information regarding this issue will be updated once the solution details are available.
For updates refer to http://www.yealink.com/Companyprofile.aspx
Insight
- The 'user' account has a password of 'user' (hash = s7C9Cx.rLsWFA), the 'admin' account has a password of 'admin' (hash = uoCbM.VEiKQto), and the 'var' account has a password of 'var' (hash = jhl3iZAe./qXM).
- The '/cgi-bin/cgiServer.exx' script not properly sanitizing user input, specifically encoded path traversal style attacks (e.g. '%2F') supplied via the 'page' parameter.
- Contains a flaw in the /cgi-bin/cgiServer.exx script that is triggered when handling system calls.
- The /cgi-bin/cgiServer.exx script not properly sanitizing user input, specifically absolute paths supplied via the 'command' parameter.
Affected
Yealink VoIP Phone SIP-T38G
Detection
Send a crafted default credential via HTTP GET request and check whether it is able to login or not.
References
Severity
Classification
-
CVE CVE-2013-5755, CVE-2013-5756, CVE-2013-5757, CVE-2013-5758, CVE-2013-5759 -
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities