CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones

I.      ADVISORY

CVE-2014-3427 CRLF Injection in Yealink VoIP Phones
CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones

Date published: 06/12/2014
Vendor Contacted: 05/08/2014


II.     BACKGROUND

Yealink is a manufacturer of VoIP and Video products. To
minimize noise read more at:

http://www.yealink.com/Companyprofile.aspx



III.    DESCRIPTION

There are CRLF Injection and XSS vulnerabilities in Yealink
VoIP telephones. Validated on

Firmware Version        28.72.0.2
Hardware Version        28.2.0.128.0.0.0

CRLF Injection (Header Splitting) proof of concept:

Request
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1

In the above request, attackers can shove in code, webpages,
etc. In my tests, I have used javascript, redirects, and even
an entire web page shoved into the CRLF vulnerable inputs.


-----


The XSS vulnerability

GET /servlet?jumpto=dsskey&model=%
22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1

Typical Cross Site Scripting.


IV.     SOLUTION

Minimize accessibility to the phone's interface.


V.      VENDOR CONTACT AND RESPONSE

05/08/2014      E-mailed security@yealink.com (bounced)
05/08/2014      Created an account on Yealink's forum and
                sent message (no response for weeks)
05/26/2014      Response via e-mail from Yealink
05/26/2014      Replied to vendor I would disclose in June
06/01/2014      Reached back out to vendor for update
06/08/2014      Reached back out to vendor for update
06/11/2014      Rouched out one last time... Crickets
06/12/2014      Advisory


VI.     TOOLS USED

Burpsuite, WVS, Firefox