Exploiting Yealink IP phones on current firmware with two 0-day exploits.

Date: 2019-07-29

Author: Seyton Hayes

Company: Cerebus Forensics

Overview

Cerebus Forensics was testing the Yealink range of IP phones when it discovered multiple vulnerabilities in these devices. Through these exploits, Cerebus was able to gain root access to the phones and then leverage that access to allow remote access to the victim’s network.

Multiple exploits were discovered during the testing; however, two of them, CEB1001 and CEB1002, worked together to escalate a default low-privileged user to root and then use that root access to connect to a remote command-and-control server and allow NATing back to the victim’s network.