SS28S Debug Console Hard-coded Credentials

• Vulnerability

• • VxWorks debug console open via Telnet
  • VxWorks credentials hard-coded to user “1” and pass “1”
  • As of firmware 01_02_07 (current as of 10/24/06)

• Public Disclosure: 09/22/06

• • http://www.osnews.com/story.php/15923/Review-FiWin-SS28S-WiFi-VoIP-SIPSkype-Phone/
  • BID: 20154

• Attack

• • Telnet to the phone on port 23
  • Authenticate with username “1”, password “1”

• Effects

• • Device configuration disclosure
  • Authentication credentials disclosure
  • DoS via memory corruption, disk format/corruption