Re: [FD] Grandstream VoIP phone: SSH key backdoor and multiple vulnerabilities leading to RCE as root (David Jorm
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: Re: [FD] Grandstream VoIP phone: SSH key backdoor and multiple vulnerabilities leading to RCE as root (David Jorm
- From: Seamus Caveney <Seamus@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 11 Jul 2015 01:18:51 +0000
There is another similar issue affecting GXP color phones (GXP2130, 2140, 2160)
reported to Grandstream that was fixed in 1.0.4.22. From the main shell there
is a bluetooth test mode you can enter by typing 'bttest'. From inside this
subshell there is no shell sanitization and you can escape using normal
techniques.
Grandstream GXP2130 Command Shell Copyright 2014
GXP2130> bttest
BTTEST> ;id
uid=0(root) gid=0(root) groups=0(root)
Another issue that was resolved in that release affects other units including
their older phones and analog gateways (GXP1xxx, GXP2100, GXW4xxx, NOT DP715,
HT5xx and other devices using the older non-AJAX web interface) where the
device configuration could be retrieved without authentication by requesting
/cgi-bin/dumpsettings (including the admin password).
A final issue I've reported to them in the past that's not resolved is the SSH
host key being shared across all phones of the same firmware version.
The authenticity of host '10.150.117.57 (10.150.117.57)' can't be established.
RSA key fingerprint is 7f:83:e8:5c:0b:fb:d1:47:c7:f1:33:60:b1:28:b9:f9.
The authenticity of host '10.150.117.65 (10.150.117.65)' can't be established.
RSA key fingerprint is 7f:83:e8:5c:0b:fb:d1:47:c7:f1:33:60:b1:28:b9:f9.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
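The third issue in the message above, a host key shared by every phone on the same firmware, is something a network owner can check for across an entire fleet without any vendor cooperation: collect each device's public host key, compute the fingerprint, and flag any fingerprint that appears on more than one host. The Python below is an added example written for this archive page, not code from the original post or from Grandstream. It parses the `host keytype base64` line format that `ssh-keyscan` prints, computes the colon-separated MD5 fingerprint that the post's `ssh` output shows, and groups hosts by fingerprint. The key material is constructed inline (an ssh-rsa blob built from small made-up integers, so nothing here is a real device key); the two addresses 10.150.117.57 and 10.150.117.65 come from the post, while 10.150.117.90 is an invented third host that does not share the key.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Encode (e, n) as an ssh-rsa public key blob in RFC 4253 wire format.

    Used only to construct sample input; a real fleet check reads ssh-keyscan output.
    """
    def string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    def mpint(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if b and b[0] & 0x80:          # keep the two's-complement value positive
            b = b"\x00" + b
        return string(b)

    return string(b"ssh-rsa") + mpint(e) + mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """OpenSSH-style MD5 fingerprint (xx:xx:...:xx) of a raw public key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_keyscan(text: str) -> list:
    """Parse ssh-keyscan output: one '<host> <keytype> <base64>' per line.

    Comment lines (starting with '#') and malformed lines are skipped.
    Returns a list of (host, keytype, raw_blob) tuples.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, b64 = parts[0], parts[1], parts[2]
        try:
            records.append((host, keytype, base64.b64decode(b64)))
        except ValueError:
            continue                    # not valid base64; ignore the line
    return records


def shared_host_keys(text: str) -> dict:
    """Return {fingerprint: [hosts]} for every host key seen on more than one host.

    Any entry in the result means those hosts can impersonate each other to anyone
    who has already accepted the key, which is the weakness the post describes.
    """
    hosts_by_fp = defaultdict(list)
    for host, _keytype, blob in parse_keyscan(text):
        fp = md5_fingerprint(blob)
        if host not in hosts_by_fp[fp]:
            hosts_by_fp[fp].append(host)
    return {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample input (not real device keys): two hosts from the post share one
# key, an invented third host has its own.
SHARED_BLOB = ssh_rsa_blob(65537, 0xC0FFEE5EEDF00D1234567890ABCDEF)
UNIQUE_BLOB = ssh_rsa_blob(65537, 0xDEADBEEFCAFEBABE0123456789ABCDEF)
SAMPLE_KEYSCAN = "\n".join([
    "# comment line, as ssh-keyscan emits; ignored by the parser",
    "10.150.117.57 ssh-rsa " + base64.b64encode(SHARED_BLOB).decode(),
    "10.150.117.65 ssh-rsa " + base64.b64encode(SHARED_BLOB).decode(),
    "10.150.117.90 ssh-rsa " + base64.b64encode(UNIQUE_BLOB).decode(),
])

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"shared host key {fp} on {len(hosts)} hosts: {', '.join(hosts)}")
```

Against a real fleet, replace SAMPLE_KEYSCAN with the contents of a file produced by `ssh-keyscan -t rsa <host> ...` and feed it to shared_host_keys(); the output matches what a user sees interactively (the post's two identical `7f:83:...` fingerprints), but over every phone at once. Because the key is tied to the firmware image rather than the device, a factory reset does not fix this; only a firmware that generates a per-device key at first boot does.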