This host is running Yealink VoIP Phone and is prone to multiple vulnerabilities.

Successful exploitation will allow remote attackers to trivially gain privileged access to the device, execute arbitrary commands and gain access to arbitrary files. Impact Level: System/Application

No solution or patch is available as of 20th February, 2015. Information regarding this issue will be updated once the solution details are available. For updates refer to http://www.yealink.com/Companyprofile.aspx

- The 'user' account has a password of 'user' (hash = s7C9Cx.rLsWFA), the 'admin' account has a password of 'admin' (hash = uoCbM.VEiKQto), and the 'var' account has a password of 'var' (hash = jhl3iZAe./qXM). - The '/cgi-bin/cgiServer.exx' script not properly sanitizing user input, specifically encoded path traversal style attacks (e.g. '%2F') supplied via the 'page' parameter. - Contains a flaw in the /cgi-bin/cgiServer.exx script that is triggered when handling system calls. - The /cgi-bin/cgiServer.exx script not properly sanitizing user input, specifically absolute paths supplied via the 'command' parameter.

Yealink VoIP Phone SIP-T38G

Send a crafted default credential via HTTP GET request and check whether it is able to login or not.

• http://www.exploit-db.com/exploits/33739
• http://www.exploit-db.com/exploits/33740
• http://www.exploit-db.com/exploits/33741
• http://www.exploit-db.com/exploits/33742
• http://www.osvdb.com/108078
• http://www.osvdb.com/108079
• http://www.osvdb.com/108080
• http://www.osvdb.com/108081

---

Updated on 2015-03-25