Yesterday I took delivery of a Yealink VP-2009 VIOP phone. Â I was hoping it would be a nicer phone than it actually turned out to be. Â I have a Yealink T38G and was really happy with it. Â Unfortunately a lot of the features I like in the T38G are not present in the VP-2009. Ah well, live and learn I guess 😉
To the meat of it. Â When I plugged the new VP-2009 in to my network and attempted to configure it there was a weird caching issue with my browser as it took the same IP address as the old T38G which resulted in an error page being shown. Â Initially I thought the phone by broken in some strange way, so I started to investigate a firmware download for the phone. Â After extracting the firmware using binwalk I found the HTML for the web interface and found that there is a back door that allows arbitrary commands to be executed on the phone. Â The first thing I did was remove the password on the root user (
passwd -d root) so I was able to telnet into the device. Â Once on the device I was able to poke around and see all sorts of interesting stuff.
I was interested to see if there was anything like this back door in the T38G. Â It turns out there is, although it isn’t as easy to use as the one in the VP-2009. Â There is a hidden page that allows the telnet server to be turned on, and the same code can be exploited to remove the root user password 🙂