module
Grandstream GXV31XX 'settimezone' Unauthenticated Command Execution
Disclosed | Created |
---|---|
2016-09-01 | 2022-02-09 |
Description
This module exploits a command injection vulnerability in Grandstream GXV31XX
IP multimedia phones. The 'settimezone' action does not validate input in the
'timezone' parameter, allowing injection of arbitrary commands.

A buffer overflow in the 'phonecookie' cookie parsing allows authentication
to be bypassed by providing an alphanumeric cookie 93 characters in length.

This module was tested successfully on Grandstream models:
GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19; and
GXV3140 hardware revision V0.4B with firmware version 1.0.1.27.
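
For defenders, the two conditions described above can be checked in captured HTTP requests to these phones. The following is an added example, not part of the module or of Grandstream's software. It assumes the action is carried in a query parameter named `action`, that legitimate 'phonecookie' values are shorter than 93 characters, and that valid timezone values use only the characters in the allowlist; the request path, host and sample requests are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

COOKIE_LEN = 93  # cookie length named in the module description
# Assumption: legitimate timezone values need only these characters.
TZ_ALLOWED = re.compile(r"[A-Za-z0-9_+\-/:., ]*")

def parse_request(raw):
    """Split a raw HTTP request head into (query parameters, cookies)."""
    lines = raw.strip().splitlines()
    target = lines[0].split()[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    cookies = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                cookies[key] = val
    return params, cookies

def findings(raw):
    """Return the list of suspicious conditions seen in one request."""
    params, cookies = parse_request(raw)
    out = []
    # Condition 1: 'phonecookie' long enough to reach the parsing overflow.
    if len(cookies.get("phonecookie", "")) >= COOKIE_LEN:
        out.append("oversized-phonecookie")
    # Condition 2: 'settimezone' with a timezone outside the allowlist.
    # Assumption: the action name arrives in a parameter called 'action'.
    if "settimezone" in params.get("action", []):
        for tz in params.get("timezone", []):
            if not TZ_ALLOWED.fullmatch(tz):
                out.append("timezone-outside-allowlist")
                break
    return out

# Constructed sample requests; path and host are placeholders.
HEAD = "GET /PLACEHOLDER_PATH?{q} HTTP/1.1\r\nHost: phone.example\r\nCookie: phonecookie={c}\r\n\r\n"
BENIGN = HEAD.format(q="action=settimezone&timezone=Australia%2FSydney", c="abc123")
LONG_COOKIE = HEAD.format(q="action=status", c="A" * 93)
BAD_TZ = HEAD.format(q="action=settimezone&timezone=UTC%3Bid", c="abc123")

if __name__ == "__main__":
    for sample in (BENIGN, LONG_COOKIE, BAD_TZ):
        print(findings(sample))
```

Either finding on its own is worth an alert, since the description says the cookie condition is what removes the need for credentials.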
Authors
alhazred
Brendan Scarvell
bcoles bcoles@gmail.com
Platform
Linux,Unix
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
