{"id":217,"date":"2013-07-18T17:41:55","date_gmt":"2013-07-19T01:41:55","guid":{"rendered":"http:\/\/blog.danielparnell.com\/?p=217"},"modified":"2014-06-21T15:21:41","modified_gmt":"2014-06-21T23:21:41","slug":"yealink-voip-phone-back-doors","status":"publish","type":"post","link":"https:\/\/blog.danielparnell.com\/?p=217","title":{"rendered":"Yealink VOIP phone back doors"},"content":{"rendered":"<p><a href=\"http:\/\/blog.danielparnell.com\/wp-content\/uploads\/2013\/07\/vp2009.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-218\" src=\"http:\/\/blog.danielparnell.com\/wp-content\/uploads\/2013\/07\/vp2009.jpg\" alt=\"vp2009\" width=\"500\" height=\"334\" \/><\/a><\/p>\n<p>Yesterday I took delivery of a Yealink VP-2009 VIOP phone. \u00c2\u00a0I was hoping it would be a nicer phone than it actually turned out to be. \u00c2\u00a0I have a <a href=\"http:\/\/www.yealink.com\/product_info.aspx?parentcateid=147&amp;ProductsCateID=182&amp;cateid=182&amp;ProductsID=31\">Yealink T38G<\/a> and was really happy with it. \u00c2\u00a0Unfortunately a lot of the features I like in the T38G are not present in the VP-2009. Ah well, live and learn I guess \ud83d\ude09<\/p>\n<p>To the meat of it. \u00c2\u00a0When I plugged the new VP-2009 in to my network and attempted to configure it there was a weird caching issue with my browser as it took the same IP address as the old T38G which resulted in an error page being shown. \u00c2\u00a0Initially I thought the phone by broken in some strange way, so I started to investigate a firmware download for the phone. \u00c2\u00a0After extracting the firmware using <a href=\"https:\/\/code.google.com\/p\/binwalk\/\">binwalk<\/a> I found the HTML for the web interface and found that there is a back door that allows arbitrary commands to be executed on the phone. \u00c2\u00a0The first thing I did was remove the password on the root user (<code>passwd -d root<\/code>) so I was able to telnet into the device. \u00c2\u00a0Once on the device I was able to poke around and see all sorts of interesting stuff.<\/p>\n<p>I was interested to see if there was anything like this back door in the T38G. \u00c2\u00a0It turns out there is, although it isn&#8217;t as easy to use as the one in the VP-2009. \u00c2\u00a0There is a hidden page that allows the telnet server to be turned on, and the same code can be exploited to remove the root user password \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday I took delivery of a Yealink VP-2009 VIOP phone. \u00c2\u00a0I was hoping it would be a nicer phone than it actually turned out to be. \u00c2\u00a0I have a Yealink T38G and was really happy with it. \u00c2\u00a0Unfortunately a lot of the features I like in the T38G are not present in the VP-2009. Ah &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.danielparnell.com\/?p=217\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Yealink VOIP phone back doors&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[35,41,43],"tags":[59,58,57],"class_list":["post-217","post","type-post","status-publish","format-standard","hentry","category-hardware","category-reverse-engeneering","category-voip","tag-hack","tag-voip-2","tag-yealink","entry"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p561S3-3v","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.danielparnell.com\/index.php?rest_route=\/wp\/v2\/posts\/217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.danielparnell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.danielparnell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.danielparnell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.danielparnell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=217"}],"version-history":[{"count":2,"href":"https:\/\/blog.danielparnell.com\/index.php?rest_route=\/wp\/v2\/posts\/217\/revisions"}],"predecessor-version":[{"id":270,"href":"https:\/\/blog.danielparnell.com\/index.php?rest_route=\/wp\/v2\/posts\/217\/revisions\/270"}],"wp:attachment":[{"href":"https:\/\/blog.danielparnell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.danielparnell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.danielparnell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}