Security Advisory: Yeastar N412 and N824 Configuration Panel Account Takeover

Swascan Offensive Security Team has identified several vulnerabilities during a Penetration Test on Yeastar PBX Configuration Panel series N.

After contacting the vendor on multiple occasions no official reply has been issues as of 19/10/2022. Swascan has published this responsible vulnerability disclosure well after the 90-day grace period recommended for this activity.

YEASTAR

Yeastar is a Chinese company with a solid technical vendor for PBX Systems and VOIP solutions.

Product description

Yeastar develops and manufactures products and solutions for remote collaborative systems.

Figure 1 – Yeastar N824

Technical summary

Swascan Offensive Security Team found an important vulnerability on: Yeastar  N412 and N824 Configuration Panel.

VulnerabilityCVSSv3.1Attack Vector
Account Takeover via restoring altered backup file9.8 CriticalAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In the following section the technical details about this vulnerability, including evidence and a proof-of-concept. This vulnerability can affect hundreds of Internet-connected devices.

Description

In Yeastar  N412 and N824 Configuration Panel, an unauthenticated attacker can create backup file and download it, revealing admin hash, allowing, once cracked, to login inside the Configuration Panel, otherwise, replacing the hash in the archive and restoring it on the device.

It is possible to launch the attack remotely without any form of authentication.

Proof of Concept

 To achieve the account takeover those steps are performed:

  1. Unauthenticated backup file creation
  2. Download the .tar file created
  3. Crack admin hash inside the archive an then log into the device, or modify the .tar archive replacing admin hash
  4. If it was not possible to crack the hash, then we need to upload the new altered backup file
  5. Restore the backup file uploaded
  6. Reboot the device if needed

Following details on exploitation steps:

  1. Requesting creation of backup file with a given name.
Figure 2 – Request unauthenticated to create a new backup file
Figure 3 – Creation backup file response

2. Download the backup file just created.

Figure 4 – Request to download the backup file just created
Figure 5 – Response with the backup file attached

3. Inside the previous response we found the admin hash. Once gained the admin hash we can try to crack it, otherwise, we can modify the archive and upload it to the device.

Figure 6 – Evidence of the hash for the user ‘admin’
Figure 7 – Uploading modified previously backed up file

4. Then we restore the uploaded configuration backup file.

Figure 8 – Restoring backup

5. If needed, we can trigger a reboot to reload the configuration with the new password.

Figure 9 –  Triggering Reboot to reload configuration

Impact

An attacker could obtain access to the remote system, and furthermore enable the ssh console which has a default root password when activated and execute arbitrary commands on the Linux-based system as root user.

Mitigation

The Swascan Offensive Security Team suggests to do not deploy the device directly on the internet, instead set up the device behind a VPN connection.

Disclosure Timeline

  • 04-03-2022: Vulnerabilities discovered
  • 08-03-2022: Vendor contacted by email (1st time, no reply)
  • 14-03-2022: Vendor contacted by email (2nd time, no reply)
  • 23-03-2022: swascan report the issued to CERT/CC
  • 28-06-2022: CERT/CC did not receive any response back from the vendor
  • 07-07-2022: vendor contacted by email
  • 17-10-2022: Swascan disclose the vulnerability

Sources and references

LockBit 3.0: Decryptor Analysis
Report: DarkWeb Analysis 2022

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.