what you don't know can hurt you

Yealink VoIP Phones XSS / CRLF Injection

Yealink VoIP Phones XSS / CRLF Injection
Posted Jun 13, 2014
Authored by Jesus Oquendo

Yealink VoIP Phones suffer from CRLF injection and cross site scripting vulnerabilities. This affects firmware version 28.72.0.2 and hardware version 28.2.0.128.0.0.0.

tags | exploit, vulnerability, xss
advisories | CVE-2014-3427, CVE-2014-3428
MD5 | 09141b7f8a49b112dd8051a6052056c2

Yealink VoIP Phones XSS / CRLF Injection

Change Mirror Download

I. ADVISORY

CVE-2014-3427 CRLF Injection in Yealink VoIP Phones
CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones

Date published: 06/12/2014
Vendor Contacted: 05/08/2014


II. BACKGROUND

Yealink is a manufacturer of VoIP and Video products. To
minimize noise read more at:

http://www.yealink.com/Companyprofile.aspx


III. DESCRIPTION

There are CRLF Injection and XSS vulnerabilities in Yealink
VoIP telephones. Validated on

Firmware Version 28.72.0.2
Hardware Version 28.2.0.128.0.0.0

CRLF Injection (Header Splitting) proof of concept:

Request
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1

In the above request, attackers can shove in code, webpages,
etc. In my tests, I have used javascript, redirects, and even
an entire web page shoved into the CRLF vulnerable inputs.


-----


The XSS vulnerability

GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1

Typical Cross Site Scripting.


IV. SOLUTION

Minimize accessibility to the phone's interface.


V. VENDOR CONTACT AND RESPONSE

05/08/2014 E-mailed security@yealink.com (bounced)
05/08/2014 Created an account on Yealink's forum and
sent message (no response for weeks)
05/26/2014 Response via e-mail from Yealink
05/26/2014 Replied to vendor I would disclose in June
06/01/2014 Reached back out to vendor for update
06/08/2014 Reached back out to vendor for update
06/11/2014 Rouched out one last time... Crickets
06/12/2014 Advisory


VI. TOOLS USED

Burpsuite, WVS, Firefox



--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    14 Files
  • 20
    Sep 20th
    20 Files
  • 21
    Sep 21st
    3 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close