
List:       full-disclosure
Subject:    [FD] Sangoma SBC local sudo user creation vulnerability without authentication - CVE-2019-12147
From:       Security Team Appsecco via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2019-10-17 13:16:56
Message-ID: DB8PR08MB529217847DA8BA57A72FBF0BD46D0 () DB8PR08MB5292 ! eurprd08 ! prod ! outlook ! com

## Introduction

### Description

A remotely exploitable vulnerability exists in version 2.3.23-119-GA of Sangoma SBC that allows an unauthenticated user to create a privileged user on the system through the web application's login interface.

### Vulnerability Type

- Argument Injection or Modification (https://cwe.mitre.org/data/definitions/88.html)

## Product Overview

A Sangoma SBC protects both your data and voice network and is designed to handle every aspect of phone calls that travel over the internet (voice-over-IP phone calls).

## Background

The Sangoma SBC web application relies heavily on the Python script `/usr/local/sng/bin/sng-user-mgmt` for various user operations, including authenticating the user supplied on the login screen of the web application.

When a username and password are provided to the application, they are processed by `/var/webconfig/gui/Webconfig.inc.php`, which uses the `Execute` function from `/var/webconfig/api/ShellExec.class.php` to pass the credentials to `/usr/local/sng/bin/sng-user-mgmt` as command-line arguments. The `Execute` function applies `escapeshellcmd`, which escapes shell metacharacters so they are treated as literals; however, `escapeshellcmd` does not escape whitespace, and there is no verification that the supplied values do not contain strings that the shell will split into additional arguments for `/usr/local/sng/bin/sng-user-mgmt`.

For example, when the username `root` and password `secure` are passed to the application, the final command built by `Execute` and run is `/usr/local/sng/bin/sng-user-mgmt --action=login --user=root --encrypted-password=ENCPASS(secure)`.

By inspecting the code and help output of `/usr/local/sng/bin/sng-user-mgmt`, we see that the `action` parameter supports other modes, including `add`, which creates a user. When `--action=add` is used, the `-o` option grants the new user sudo privileges.

Because the username is inserted into the command line unquoted, passing additional arguments through the username field results in a new privileged user being created on the system.
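The following added example (not the advisory's or the vendor's code) models why the `escapeshellcmd` call is insufficient and what a fix looks like. It assumes a constructed stand-in for the `sng-user-mgmt` option set, modelled only on the options named above; the real script's full interface is not documented here.

```python
import argparse
import re
import shlex

# Constructed stand-in for the command-line interface of sng-user-mgmt (assumed;
# only the options named in the advisory are modelled).
def user_mgmt_parser():
    p = argparse.ArgumentParser(prog="sng-user-mgmt", add_help=False)
    p.add_argument("--action", choices=["login", "add"], required=True)
    p.add_argument("--user", required=True)
    p.add_argument("--encrypted-password", default=None)
    p.add_argument("-p", dest="password", default=None)
    p.add_argument("-o", dest="sudo", action="store_true")
    return p

def vulnerable_argv(username, encpass):
    """Model of the advisory's Execute(): one command string handed to a shell.
    escapeshellcmd() escapes metacharacters such as ; | & but never whitespace,
    so the shell still word-splits the username; shlex.split reproduces that."""
    cmd = ("/usr/local/sng/bin/sng-user-mgmt --action=login "
           f"--user={username} --encrypted-password={encpass}")
    return shlex.split(cmd)[1:]  # drop argv[0]

# Allow-list for login names; anything else never reaches the command line.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def hardened_argv(username, encpass):
    """Validate first, then build an argv list: no shell, so no word splitting,
    and each value stays a single argument. (In PHP, wrapping each value in
    escapeshellarg() before Execute() gives the same one-value-per-argument
    result; the allow-list check should still come first.)"""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allow-list")
    return ["--action=login", f"--user={username}", f"--encrypted-password={encpass}"]

def run_login(build_argv, username, encpass):
    """Return (action, user, sudo) exactly as sng-user-mgmt would see them."""
    ns = user_mgmt_parser().parse_args(build_argv(username, encpass))
    return ns.action, ns.user, ns.sudo

if __name__ == "__main__":
    print(run_login(vulnerable_argv, "root", "ENCPASS"))              # login as root
    print(run_login(vulnerable_argv, "john --action=add -p StrongPass1 -o", "ENCPASS"))
    try:
        run_login(hardened_argv, "john --action=add -p StrongPass1 -o", "ENCPASS")
    except ValueError as exc:
        print("blocked:", exc)
```

With the vulnerable builder the later `--action=add` overrides the hard-coded `--action=login` because the parser keeps the last occurrence, which is the whole bug; the hardened builder rejects the value before any command is formed.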

## Proof of Concept Exploit

1. Pass a username with the value `john --action=add -p StrongPass1 -o`
2. The password field can be set to anything, as it is ignored
3. Click login
4. A local user with sudo privileges called `john` with password `StrongPass1` will be created
5. An attacker can SSH into the machine with these credentials or login via the web console

## Versions Tested

- 2.3.23-119-GA

## Vendor Response

This issue was responsibly disclosed to the vendor, who released a patch in version 2.3.24:

https://wiki.sangoma.com/display/SBC/SBC+Downloads

## Credits

Appsecco Security Team
http://www.appsecco.com

## Timeline

18th May 2019: Discovered and reported to vendor
21st May 2019: Vendor confirmation
23rd July 2019: Fixed version (2.3.24) released

## Reference

- [https://www.sangoma.com/products/sbc/](https://www.sangoma.com/products/sbc/)


Riyaz Walikar

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/