lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 11 Jul 2015 01:18:51 +0000
From: Seamus Caveney <Seamus@...ivesolutionsmi.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Grandstream VoIP phone: SSH key backdoor and multiple
 vulnerabilities leading to RCE as root (David Jorm

There is another similar issue affecting GXP color phones (GXP2130, 2140, 2160) reported to Grandstream that was fixed in 1.0.4.22. From the main shell there is a bluetooth test mode you can enter by typing 'bttest'. From inside this subshell there is no shell sanitization and you can escape using normal techniques.

Grandstream GXP2130 Command Shell Copyright 2014
GXP2130> bttest
BTTEST> ;id
uid=0(root) gid=0(root) groups=0(root)

Another issue that was resolved in that release affects other units including their older phones and analog gateways (GXP1xxx, GXP2100, GXW4xxx, NOT DP715, HT5xx and other devices using the older non-AJAX web interface) where the device configuration could be retrieved without authentication by requesting /cgi-bin/dumpsettings (including the admin password). 


A final issue I've reported to them in the past that's not resolved is the SSH host key being shared across all phones of the same firmware version. 

The authenticity of host '10.150.117.57 (10.150.117.57)' can't be established.
RSA key fingerprint is 7f:83:e8:5c:0b:fb:d1:47:c7:f1:33:60:b1:28:b9:f9.

The authenticity of host '10.150.117.65 (10.150.117.65)' can't be established.
RSA key fingerprint is 7f:83:e8:5c:0b:fb:d1:47:c7:f1:33:60:b1:28:b9:f9.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists