Directory Traversal in Tiptel IP 286 phones

In April, the Offensive Security Team of BDO Cyber Security GmbH analyzed the telephone “IP 286” from Ergophone / Tiptel for vulnerabilities.

Via a hidden page in the phone’s web configuration interface, a Telnet service can be activated that allows access to the file structure and operating system of the device. Still, access via Telnet is usually password-protected by the manufacturer or has restricted rights to prevent manipulation of the device.

However, a vulnerability has been discovered in the ringtone upload feature that makes it possible to overwrite configuration files on the phone by targeted manipulation of the file name. This includes the files that prevent or restrict access via Telnet, so an attacker can gain administrative control of the underlying Linux system.
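The class of check that prevents this kind of file-name manipulation in an upload handler, as an added example (not code from the phone's firmware or from the original advisory). The storage directory, the `.wav` allow-list and the function name `ringtone_dest` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical storage directory; the real firmware path is not on the page. */
#define RINGTONE_DIR "/var/ringtones"

/* Returns 0 and writes the destination path to out if the client-supplied
 * name is a plain file name with an allowed extension, -1 otherwise.
 * name_len is the length taken from the upload request, not strlen(). */
int ringtone_dest(const char *name, size_t name_len, char *out, size_t out_len)
{
    /* An embedded NUL would cut the name short after the extension check. */
    if (name_len < 5 || name_len > 64 || memchr(name, '\0', name_len))
        return -1;
    /* No hidden files, and no "." or ".." as the whole name. */
    if (name[0] == '.')
        return -1;
    /* Character allow-list: excludes '/', '\\' and control bytes, so the
     * name cannot carry a directory component at all. */
    for (size_t i = 0; i < name_len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return -1;
    }
    /* Assumed extension allow-list: lowercase .wav only. */
    if (strncmp(name + name_len - 4, ".wav", 4) != 0)
        return -1;
    /* The directory is fixed by the server; only the vetted name is appended. */
    int n = snprintf(out, out_len, "%s/%.*s", RINGTONE_DIR, (int)name_len, name);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *names[] = { "ring-1.wav", "../ring.wav", "/etc/ring.wav",
                            "a/b.wav", "..\\ring.wav", "ring.cfg" };
    char path[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = ringtone_dest(names[i], strlen(names[i]), path, sizeof path);
        printf("%-16s -> %s\n", names[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

A handler that uses such a check should also create the file without following symbolic links, since name validation alone does not cover a link already present in the directory.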

The vulnerability was reported to the manufacturer. However, as the Tiptel IP 286 and the identical Yealink SIP-T28P have had end-of-life status for several years, no more software updates are provided to fix these security vulnerabilities. The manufacturer recommends switching to a more modern IP telephone instead.

If you are still using a device from this series, it is advisable to review its settings. Ensure that Telnet is deactivated and that a sufficiently strong password has been set for the web interface so that an attacker cannot easily gain access to the ringtone upload feature.

The vulnerability is listed in the National Vulnerability Database (NVD) with the following “Common Vulnerabilities and Exposures” (CVE) ID: CVE-2024-33109.
