Exploiting Yealink IP phones on current firmware with two 0-day exploits.

Date: 2019-07-29

Author: Seyton Hayes

Company: Cerebus Forensics

Overview

Cerebus Forensics was testing the Yealink range of IP phones when it discovered multiple vulnerabilities in these devices. Using these exploits, Cerebus was able to gain root access to the phones and then leverage that access to allow remote access to the victim’s network.

Multiple exploits were discovered during the testing; however, two of them, CEB1001 and CEB1002, worked together to escalate a default low-privileged user to root and then use that root access to connect to a remote command and control server and allow NATing back to the victim’s network.

Conclusion

Currently, all the Yealink phones that we have tested are vulnerable to this exploit. Because these are 0-days that are still in the process of full disclosure, the exploit will remain unpatched for the foreseeable future.

Even when the patch is released, not many companies run patch management on their phones and thus could be vulnerable for years to come.