[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Aastra IP Telephone hardcoded telnet admin password

Aastra IP Telephone hardcoded telnet admin password

Affected products

  Aastra 6753i IP Telephone
  Firmware Version
  Firmware Release Code SIP
  Boot Version


  "The 6753i from Aastra offers powerful features and flexibility in a
   standards based, carrier-grade basic level IP telephone. With a
   sleek and elegant design and 3 line LCD display, the 6753i is fully
   interoperable with leading IP Telephony platforms, offering
   advanced XML capability to access custom applications and support
   for up to 9 calls simultaneously. Part of the Aastra family of IP
   telephones, the 6753i is ideally suited for light to regular
   telephone requirements."


The phone seems to ship with a hardcoded telnet password for the "admin"
user. Since the hashing algorithm is weak anybody can find working
passwords using the "vxworks_mem_search.rb" tool in a few seconds. One
of them is "[M]qozn~". After logging in you get access to a VxWorks
shell but for some reason most commands seem to crash the system. This
might mean that the vulnerability can only be used to cause denial of
service but there is no guarantee.


2012-04-03 Contacted Aastra and explained the issue
2012-04-25 Contacted Aastra and informed them that details will be
           disclosed in 2013
2013-04-05 Public disclosure