Yesterday I took delivery of a Yealink VP-2009 VoIP phone. I was hoping it would be a nicer phone than it actually turned out to be. I have a Yealink T38G and was really happy with it. Unfortunately a lot of the features I like in the T38G are not present in the VP-2009. Ah well, live and learn I guess 😉
To the meat of it. When I plugged the new VP-2009 in to my network and attempted to configure it, there was a weird caching issue with my browser, as it took the same IP address as the old T38G, which resulted in an error page being shown. Initially I thought the phone was broken in some strange way, so I started to investigate a firmware download for the phone. After extracting the firmware using binwalk I found the HTML for the web interface and found that there is a back door that allows arbitrary commands to be executed on the phone. The first thing I did was remove the password on the root user (passwd -d root) so I was able to telnet into the device. Once on the device I was able to poke around and see all sorts of interesting stuff.
I was interested to see if there was anything like this back door in the T38G. It turns out there is, although it isn’t as easy to use as the one in the VP-2009. There is a hidden page that allows the telnet server to be turned on, and the same code can be exploited to remove the root user password.