Conversation

Notices

  1. Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:33 JST
    in reply to
    • Richard "mtfnpy" Harman (he/him)
    • morb

    @xabean @morb is that descrypt?

    • morb (morb@mastodon.social)'s status on Tuesday, 03-Sep-2024 07:59:34 JST
      in reply to
      • Richard "mtfnpy" Harman (he/him)

      @xabean don't have one on hand; just the latest firmware I could find for a rebranded Yealink that had the same shadow file -- will dig for that tho

      PasswdCopy.sh looks like it uses an unsafe subshell fwiw

      Attachments

      1. https://files.mastodon.social/media_attachments/files/113/068/335/135/342/660/original/d9aafc534ba7eca3.png

    • Richard "mtfnpy" Harman (he/him) (xabean@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:34 JST
      in reply to
      • morb

      @morb

      always fun when running strings on a piece of firmware and you find:

      user:s7C9Cx.rLsWFA
      var:jhl3iZAe./qXM
      admin:uoCbM.VEiKQto

    • morb (morb@mastodon.social)'s status on Tuesday, 03-Sep-2024 07:59:35 JST
      in reply to
      • Richard "mtfnpy" Harman (he/him)
      • Royce Williams

      @xabean @tychotithonus

      extracted latest fw for TIP200 (60.61.75.22) and...

      [Yealink Busybox Ver 1.0.0.1]
      BusyBox v1.10.3 (2013-08-06 13:53:41 CST) multi-call binary
      Copyright (C) 1998-2007 Erik Andersen, Rob Landley, Denys Vlasenko

      >_<

    • Richard "mtfnpy" Harman (he/him) (xabean@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:35 JST
      in reply to
      • Royce Williams
      • morb

      @morb @tychotithonus my head was in the same place - the "diagnosis" page that apparently had straight up shell injection isn't in the firmware I'm running on this phone, and now I'm digging into some of the MACADDRESS.cfg provisioning files and related XML translation on the phone checking what gets (ab)used by grep into shell variables, etc.

    • Richard "mtfnpy" Harman (he/him) (xabean@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:35 JST
      in reply to
      • morb

      @morb Oh neat, does this URL work on your phone? /servlet?p=hidden

    • morb (morb@mastodon.social)'s status on Tuesday, 03-Sep-2024 07:59:36 JST
      in reply to
      • Richard "mtfnpy" Harman (he/him)
      • Royce Williams

      @xabean @tychotithonus fwiw the Intelbras TIP 200 series shares the same shadow entries; dead end finding any working creds attributed though

      https://github.com/Ls4ss/CVE-2020-13886/blob/master/README.md

    • morb (morb@mastodon.social)'s status on Tuesday, 03-Sep-2024 07:59:36 JST
      in reply to
      • Richard "mtfnpy" Harman (he/him)
      • Royce Williams

      @xabean @tychotithonus running jtr against it and rockyou2024 right now for yucks

    • Richard "mtfnpy" Harman (he/him) (xabean@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:36 JST
      in reply to
      • Royce Williams
      • morb

      @morb @tychotithonus mmm whelp I bumped up the logging level through config, and I see when I try to telnet in with root/toor/admin/yealink any username all results in:

      login[480]: invalid password for 'UNKNOWN' on 'pts/0'

    • morb (morb@mastodon.social)'s status on Tuesday, 03-Sep-2024 07:59:36 JST
      in reply to
      • Richard "mtfnpy" Harman (he/him)
      • Royce Williams

      @xabean @tychotithonus have you tried shell injection in any of the provisioning file fields yet

    • Richard "mtfnpy" Harman (he/him) (xabean@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:37 JST
      in reply to
      • Royce Williams

      @tychotithonus cool, thank you. I appreciate it, this is an area I'm not well versed in :)

    • Royce Williams (tychotithonus@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:37 JST
      in reply to
      • Richard "mtfnpy" Harman (he/him)

      @xabean What's in the other /etc/shadow?

    • Richard "mtfnpy" Harman (he/him) (xabean@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:37 JST
      in reply to
      • Royce Williams

      @tychotithonus dunno what is in the /yealink/config filesystem yet. Haven't found a way into the device yet. I *did* manage to figure out how to enable telnet, through config it fetches via provisioning.

    • Royce Williams (tychotithonus@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:38 JST
      in reply to
      • Richard "mtfnpy" Harman (he/him)

      @xabean Depending on sensitivity, Hashes.com has a bounty / escrow system (free). Or you could upload it as a 'user list' to HashMob. Or you could let me take a ... crack at it (2x 4090s). :D

      Edit: a third option, if you know hashcat and Docker, is to just rent a chunk of GPUs through vast.ai or similar.

    • Richard "mtfnpy" Harman (he/him) (xabean@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:38 JST
      in reply to
      • Royce Williams

      @tychotithonus if you want to poke at it, here you go -- this is for a Yealink SIP phone. Strings in the firmware nearby suggest the password is YealinkPhone1106 but it doesn't seem to work on my hardware; which might be due to the fact that there's a config partition that overlay mounts a shadow file overtop of /etc/shadow from the ROM:

      root:$1$.jKlhz0B$/Nmgj0klrsZk0nYc1BLUR/:11876:0:99999:7:::

    • Royce Williams (tychotithonus@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:38 JST
      in reply to
      • Richard "mtfnpy" Harman (he/him)

      @xabean No immediate hits - permuted case and leet for both 'Yealink' and 'YealinkPhone', and appended and prepended all sorts of stuff (all possible 4-char suffixes, etc.) ... nothing so far

    • Richard "mtfnpy" Harman (he/him) (xabean@infosec.exchange)'s status on Tuesday, 03-Sep-2024 07:59:39 JST

      Is there a cloud "throw money at the problem" service that cracks md5crypt passwords with GPUs?
