This article describes the identification and exploitation of two authenticated remote code execution vulnerabilities that we found during a time-bounded security assessment of Grandstream's HT801 Analog Telephone Adapter. Both are exploitable from the limited configuration shell that the device exposes over SSH/Telnet. These and other, less critical findings were addressed by Grandstream with the release of firmware version 220.127.116.11.
CVE-2021-37915: Authenticated Remote Code Execution via debugging functionality during the startup of the device
CVE-2021-37748: Authenticated stack-based buffer overflow in the "manage_if" configuration parameter handling
Device details can be found here.
To follow the article, get a copy of the firmware file here. The firmware blob is encrypted; however, thanks to the work done by BigNerd95 we can extract it easily. The static AES key used for the encryption is reused across the whole line of devices, so one recovered key decrypts every firmware image for them.
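Before reaching for a decryption key it is worth confirming that the blob really is encrypted rather than merely compressed or obfuscated. The following is an added example (not code from this article and not BigNerd95's tooling): a stdlib-only Python check that measures per-block Shannon entropy and the fraction of bytes covered by printable-ASCII runs. An image that is AES-encrypted end to end reads as uniformly random bytes in every block, while a plaintext header, a squashfs/cramfs image or configuration text pulls at least some blocks well below that. The thresholds (7.9 bits/byte, 10 % printable coverage) are empirical assumptions chosen for this example, and the three sample blobs are constructed in the file; none of them is HT801 firmware.

```python
"""Added example (not code from the article or from BigNerd95's tooling):
a stdlib-only check for whether a firmware blob is encrypted, which is
what you want to confirm before reaching for a decryption key.

An image that is AES-encrypted end to end looks like uniformly random
bytes: Shannon entropy close to 8 bits/byte in every block and almost no
runs of printable text. A plaintext image (squashfs/cramfs, a header,
configuration text) has at least some blocks well below that.
The sample blobs below are constructed here; they are not HT801 firmware.
"""
import math
import random
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input,
    8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int = 4096) -> list:
    """Entropy of each consecutive block; a partial trailing block is kept
    so that a short plaintext tail still shows up in the report."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def printable_coverage(data: bytes, min_len: int = 8) -> float:
    """Fraction of bytes that belong to a printable-ASCII run of at least
    min_len bytes (roughly what `strings` would print). Random data still
    produces a few short accidental runs, so compare fractions, not counts."""
    if not data:
        return 0.0
    covered = sum(m.end() - m.start()
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data))
    return covered / len(data)


def looks_encrypted(data: bytes, block_size: int = 4096,
                    entropy_floor: float = 7.9,
                    max_printable: float = 0.1) -> bool:
    """True when every full block is near-random and printable runs are rare.
    The thresholds are empirical assumptions for this example. A 4 KiB block
    of uniformly random bytes measures about 7.95 bits/byte, never 8.0,
    because 4096 samples cannot hit all 256 values equally often."""
    full_blocks = len(data) // block_size
    if full_blocks == 0:
        return False
    ents = block_entropies(data[:full_blocks * block_size], block_size)
    return (min(ents) >= entropy_floor
            and printable_coverage(data) <= max_printable)


# Constructed samples (fixed seed so the numbers are reproducible).
_rng = random.Random(0x48543830)          # arbitrary fixed seed
ENCRYPTED_LIKE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
PLAINTEXT_LIKE = b"".join(
    b"HT801 firmware image, constructed sample line %05d\n" % i
    for i in range(2000))[:64 * 1024]
# A plaintext header followed by an encrypted body: the first block gives
# it away even though the rest is indistinguishable from random bytes.
MIXED = PLAINTEXT_LIKE[:4096] + ENCRYPTED_LIKE[4096:]


def report(name: str, data: bytes) -> None:
    """One-line summary per blob; the min/max spread is what to look at."""
    ents = block_entropies(data)
    print(f"{name:15s} blocks={len(ents):3d} min={min(ents):.3f} "
          f"max={max(ents):.3f} printable={printable_coverage(data):.3f} "
          f"encrypted={looks_encrypted(data)}")


if __name__ == "__main__":
    for name, blob in (("encrypted-like", ENCRYPTED_LIKE),
                       ("plaintext-like", PLAINTEXT_LIKE),
                       ("mixed", MIXED)):
        report(name, blob)
```

On a real image, run `report()` over the file contents and look at the block entropies rather than the single boolean: a fully encrypted blob is flat near 7.95 from the first block to the last, a compressed filesystem is high but usually shows a low-entropy header and padding blocks, and a plaintext image is all over the place. The mixed sample above is the case to remember: one readable header block in front of an otherwise random body is enough to reject the "entirely encrypted" hypothesis.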
We are working inside an Ubuntu 20.04.2 LTS VM: