Message-ID: <BY2PR04MB0291F115181B353FEC6A5B4CB9E0@BY2PR04MB029.namprd04.prod.outlook.com>
Date: Sat, 11 Jul 2015 01:18:51 +0000
From: Seamus Caveney <Seamus@...ivesolutionsmi.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Grandstream VoIP phone: SSH key backdoor and multiple
vulnerabilities leading to RCE as root (David Jorm
There is another similar issue affecting GXP color phones (GXP2130, 2140, 2160) reported to Grandstream that was fixed in 1.0.4.22. From the main shell there is a Bluetooth test mode you can enter by typing 'bttest'. From inside this subshell there is no shell sanitization and you can escape using normal techniques.
Grandstream GXP2130 Command Shell Copyright 2014
GXP2130> bttest
BTTEST> ;id
uid=0(root) gid=0(root) groups=0(root)
Another issue that was resolved in that release affects other units, including their older phones and analog gateways (GXP1xxx, GXP2100, GXW4xxx, NOT DP715, HT5xx and other devices using the older non-AJAX web interface), where the device configuration could be retrieved without authentication by requesting /cgi-bin/dumpsettings (including the admin password).
A final issue I've reported to them in the past that's not resolved is the SSH host key being shared across all phones of the same firmware version.
The authenticity of host '10.150.117.57 (10.150.117.57)' can't be established.
RSA key fingerprint is 7f:83:e8:5c:0b:fb:d1:47:c7:f1:33:60:b1:28:b9:f9.
The authenticity of host '10.150.117.65 (10.150.117.65)' can't be established.
RSA key fingerprint is 7f:83:e8:5c:0b:fb:d1:47:c7:f1:33:60:b1:28:b9:f9.
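The shared-host-key problem above is easy to spot across a fleet by grouping devices by fingerprint. The following is an added example, not part of the post: it parses the two-line ssh client warning quoted above (and, for sweeps, ssh-keyscan's "host keytype base64" lines, computing the colon-separated MD5 fingerprint ssh printed at the time) and reports any fingerprint seen on more than one host. The third host and the fingerprint assigned to it are constructed sample data.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Constructed sample: the two hosts quoted in the post plus one extra device.
CLIENT_OUTPUT = """\
The authenticity of host '10.150.117.57 (10.150.117.57)' can't be established.
RSA key fingerprint is 7f:83:e8:5c:0b:fb:d1:47:c7:f1:33:60:b1:28:b9:f9.
The authenticity of host '10.150.117.65 (10.150.117.65)' can't be established.
RSA key fingerprint is 7f:83:e8:5c:0b:fb:d1:47:c7:f1:33:60:b1:28:b9:f9.
The authenticity of host '10.150.117.70 (10.150.117.70)' can't be established.
RSA key fingerprint is 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff.
"""

HOST_RE = re.compile(r"authenticity of host '([^' ]+)")
FP_RE = re.compile(r"key fingerprint is ((?:[0-9a-f]{2}:){15}[0-9a-f]{2})")

def parse_client_output(text):
    # Pair each "authenticity of host" line with the fingerprint line after it.
    hosts, host = {}, None
    for line in text.splitlines():
        if m := HOST_RE.search(line):
            host = m.group(1)
        elif (m := FP_RE.search(line)) and host:
            hosts[host] = m.group(1)
            host = None
    return hosts

def md5_fingerprint(b64_key):
    # Colon-separated MD5 of the decoded key blob, the format ssh printed in 2015.
    digest = hashlib.md5(base64.b64decode(b64_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_keyscan_output(text):
    # "host keytype base64blob" lines, as ssh-keyscan emits them during a fleet sweep.
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.startswith("#"):
            hosts[parts[0]] = md5_fingerprint(parts[2])
    return hosts

def shared_host_keys(host_to_fp):
    # Group hosts by fingerprint; any group larger than one means a shared key.
    by_fp = defaultdict(list)
    for host, fp in host_to_fp.items():
        by_fp[fp].append(host)
    return {fp: sorted(hs) for fp, hs in by_fp.items() if len(hs) > 1}
```

Feed it `ssh-keyscan -t rsa` output for a device subnet and any non-empty result from `shared_host_keys` is a set of phones that cannot be told apart by their host key.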
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/