Aastra IP Telephone hardcoded telnet admin password

Affected products

Aastra 6753i IP Telephone
Firmware Version 3.2.2.56
Firmware Release Code SIP
Boot Version 2.5.2.1010

Background

"The 6753i from Aastra offers powerful features and flexibility in a
standards based, carrier-grade basic level IP telephone. With a
sleek and elegant design and 3 line LCD display, the 6753i is fully
interoperable with leading IP Telephony platforms, offering
advanced XML capability to access custom applications and support
for up to 9 calls simultaneously. Part of the Aastra family of IP
telephones, the 6753i is ideally suited for light to regular
telephone requirements."

Description

The phone seems to ship with a hardcoded telnet password for the "admin"
user. Since the hashing algorithm is weak anybody can find working
passwords using the "vxworks_mem_search.rb" tool in a few seconds. One
of them is "[M]qozn~". After logging in you get access to a VxWorks
shell but for some reason most commands seem to crash the system. This
might mean that the vulnerability can only be used to cause denial of
service but there is no guarantee.

Timeline

2012-04-03 Contacted Aastra and explained the issue
2012-04-25 Contacted Aastra and informed them that details will be
disclosed in 2013
2013-04-05 Public disclosure