| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 05 Apr 2013 15:51:20 +0300
From: Timo Juhani Lindfors <timo.lindfors@....fi>
To: bugtraq@...urityfocus.com
Subject: Aastra IP Telephone hardcoded telnet admin password
Aastra IP Telephone hardcoded telnet admin password
---------------------------------------------------
Affected products
=================
Aastra 6753i IP Telephone
Firmware Version 3.2.2.56
Firmware Release Code SIP
Boot Version 2.5.2.1010
Background
==========
"The 6753i from Aastra offers powerful features and flexibility in a
standards based, carrier-grade basic level IP telephone. With a
sleek and elegant design and 3 line LCD display, the 6753i is fully
interoperable with leading IP Telephony platforms, offering
advanced XML capability to access custom applications and support
for up to 9 calls simultaneously. Part of the Aastra family of IP
telephones, the 6753i is ideally suited for light to regular
telephone requirements."
Description
===========
The phone seems to ship with a hardcoded telnet password for the "admin"
user. Since the hashing algorithm is weak anybody can find working
passwords using the "vxworks_mem_search.rb" tool in a few seconds. One
of them is "[M]qozn~". After logging in you get access to a VxWorks
shell but for some reason most commands seem to crash the system. This
might mean that the vulnerability can only be used to cause denial of
service but there is no guarantee.
Timeline
========
2012-04-03 Contacted Aastra and explained the issue
2012-04-25 Contacted Aastra and informed them that details will be
disclosed in 2013
2013-04-05 Public disclosure
Powered by blists - more mailing lists