Aastra IP Telephone hardcoded telnet admin password
---------------------------------------------------

Affected products
=================

  Aastra 6753i IP Telephone
  Firmware Version 3.2.2.56
  Firmware Release Code SIP
  Boot Version 2.5.2.1010

Background
==========

  "The 6753i from Aastra offers powerful features and flexibility in a
   standards based, carrier-grade basic level IP telephone. With a
   sleek and elegant design and 3 line LCD display, the 6753i is fully
   interoperable with leading IP Telephony platforms, offering
   advanced XML capability to access custom applications and support
   for up to 9 calls simultaneously. Part of the Aastra family of IP
   telephones, the 6753i is ideally suited for light to regular
   telephone requirements."

Description
===========

The phone seems to ship with a hardcoded telnet password for the "admin"
user. Since the hashing algorithm is weak anybody can find working
passwords using the "vxworks_mem_search.rb" tool in a few seconds. One
of them is "[M]qozn~". After logging in you get access to a VxWorks
shell but for some reason most commands seem to crash the system. This
might mean that the vulnerability can only be used to cause denial of
service but there is no guarantee.

Timeline
========

2012-04-03 Contacted Aastra and explained the issue
2012-04-25 Contacted Aastra and informed them that details will be
           disclosed in 2013
2013-04-05 Public disclosure