Security Advisory: Yeastar N412 and N824 Configuration Panel Account Takeover (CVE-2022-47732)

Swascan Offensive Security Team has identified several vulnerabilities during a Penetration Test on Yeastar PBX Configuration Panel series N.

After contacting the vendor on multiple occasions no official reply has been issues as of 19/10/2022. Swascan has published this responsible vulnerability disclosure well after the 90-day grace period recommended for this activity.

YEASTAR

Yeastar is a Chinese company with a solid technical vendor for PBX Systems and VOIP solutions.

Product description

Yeastar develops and manufactures products and solutions for remote collaborative systems.

Technical summary

Swascan Offensive Security Team found an important vulnerability on: Yeastar N412 and N824 Configuration Panel.

Vulnerability	CVSSv3.1	Attack Vector
Account Takeover via restoring altered backup file	9.8 Critical	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In the following section the technical details about this vulnerability, including evidence and a proof-of-concept. This vulnerability can affect hundreds of Internet-connected devices.

Description

In Yeastar N412 and N824 Configuration Panel, an unauthenticated attacker can create backup file and download it, revealing admin hash, allowing, once cracked, to login inside the Configuration Panel, otherwise, replacing the hash in the archive and restoring it on the device.

It is possible to launch the attack remotely without any form of authentication.

Proof of Concept

To achieve the account takeover those steps are performed:

Unauthenticated backup file creation
Download the .tar file created
Crack admin hash inside the archive an then log into the device, or modify the .tar archive replacing admin hash
If it was not possible to crack the hash, then we need to upload the new altered backup file
Restore the backup file uploaded
Reboot the device if needed

Following details on exploitation steps:

Requesting creation of backup file with a given name.

Figure 2 – Request unauthenticated to create a new backup file

Figure 3 – Creation backup file response

2. Download the backup file just created.

Figure 4 – Request to download the backup file just created

Figure 5 – Response with the backup file attached

3. Inside the previous response we found the admin hash. Once gained the admin hash we can try to crack it, otherwise, we can modify the archive and upload it to the device.

Figure 6 – Evidence of the hash for the user ‘admin’

Figure 7 – Uploading modified previously backed up file

4. Then we restore the uploaded configuration backup file.

5. If needed, we can trigger a reboot to reload the configuration with the new password.

Figure 9 – Triggering Reboot to reload configuration

Impact

An attacker could obtain access to the remote system, and furthermore enable the ssh console which has a default root password when activated and execute arbitrary commands on the Linux-based system as root user.

Mitigation

The Swascan Offensive Security Team suggests to do not deploy the device directly on the internet, instead set up the device behind a VPN connection.

Disclosure Timeline

04-03-2022: Vulnerabilities discovered
08-03-2022: Vendor contacted by email (1st time, no reply)
14-03-2022: Vendor contacted by email (2nd time, no reply)
23-03-2022: swascan report the issued to CERT/CC
28-06-2022: CERT/CC did not receive any response back from the vendor
07-07-2022: vendor contacted by email
17-10-2022: Swascan disclose the vulnerability
20-01-2023: CVE issued CVE-2022-47732

Sources and references

LockBit 3.0: Decryptor Analysis

Report: DarkWeb Analysis 2022