Re: [Full-disclosure] XSS and SQL injection via SIP (part 2) and toll fraud bonus

2007-10-20 Thread state
According to phioust [EMAIL PROTECTED]:

 On 10/20/07, lulzlulzluzluz [EMAIL PROTECTED] wrote:
 
  security is serious business. plz do not joke like that phioust:
  xss0day - x-ssh0day, see serious.


  Only drraid has ssh 0day


 On 10/19/07, Radu State  [EMAIL PROTECTED] wrote:
  
 my $hex = '';
   
  for (my $i = 0; $i < length($_[0]); $i++) {
   
   LOL 3 phds and not one knows the range operator?
 for(0..length($_[0]))


Yeap, Ph.d use Eiffel and Lisp.  Only when we want to be understood by a larger
community, we go to Perl and reach down.



  $attackerUser = $ARGV[3];
   
$callUser = $ARGV[0];
   
$targetIP = $ARGV[1];
   
$targetPort = $ARGV[2];
   
$attackerIP= $ARGV[4];
   
$attackerPort= $ARGV[5];
   
have you never heard of shift? or what about split @ARGV based on
 spaces ... l0l perl retards

Thanks for sharing experience


  Did you only write this in perl because C is too complicated for you?


Do you write your comments, only because writing real interesting things is to
complicated for you ? (BTW, the word too in your post  has another meaning
that what you wanted to say, which is normally written to )


 you better hope perl underground does see this bullshit perl!!!



And what ? I am not a perl coder and never claimed to be one :)




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] XSS and SQL injection via SIP (part 2) and toll fraud bonus

2007-10-20 Thread phioust
On 10/20/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Yeap, Ph.d use Eiffel and Lisp.  Only when we want to be understood by a
 larger
 community, we go to Perl and reach down.


   Please dont reach down to us next time because your perl makes us cry.
   Also do you hack up iterative loops in lisp too or do you know how to use
a macro?


Do you write your comments, only because writing real interesting things is
 to
 complicated for you ? (BTW, the word too in your post  has another
 meaning
 that what you wanted to say, which is normally written to )


 And what do you consider interesting? Xss or the code that exploits it or
both? personally i find this milw0rm style code not very interesting and a
waste of a  message to this list. Based on the people that send me off list
emails they agree. Next time you have xss to disclose try bugtraq, but im
sure you whored that list already also.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] XSS and SQL injection via SIP (part 2) and toll fraud bonus

2007-10-20 Thread Gadi Evron


-- 
Powered by Outblaze

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] XSS and SQL injection via SIP (part 2) and toll fraud bonus

2007-10-20 Thread Valdis . Kletnieks
On Sat, 20 Oct 2007 12:27:40 CDT, phioust said:

Also do you hack up iterative loops in lisp too or do you know how to use
 a macro?

Iterative loops.  Lisp.  You slay me.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] XSS and SQL injection via SIP (part 2) and toll fraud bonus

2007-10-19 Thread Radu State
In a previous post (http://seclists.org/fulldisclosure/2007/Oct/0174.html),
we have seen how XSS injection can be performed over SIP to inject malicious
JavaScript into the browser of a user who checks the call history of his
phone. In this post, we will detail how XSS injection can be performed over
SIP by an additional SQL injection.

 

Some SIP proxies store information gathered from SIP headers into databases
used for billing and accounting purposes. This is also the case for the
vulnerability disclosed in the following. If this information is not
properly filtered, once it is displayed to the administrator it can
perform a second order SQL injection, that is: during the display, it gets
interpreted as SQL by the application. In this case, two things can result:
First, the database can be changed (for instance the call length can be
changed to a small value and thus the caller can do toll fraud). Sometimes,
if the target system is not well secured, SQL injection can lead to system
compromise because most database servers allow some interaction with the
target OS.

 

However, the additional feature is that XSS can also result, because
JavaScript can be stored into the database with the SQL injection and
executed in the browser when the admin checks it (this is a kind of log
injection process). As was pointed out in my previous posting, XSS can be
used with tools like Beef and XSS proxy to scan the internal network,
deactivate firewalls, basically all the dangers of CSRF/XSRF are not a
reality. The main issue is that most applications that deal with CDR data
are not considering this type of threat.

 

Title : SQL injection in asterisk-addons and XSS injection in WWW
application in Areski, FreePBX and Trixbox

 

Id: KIPH 12



Credits 

Humberto Abdelnur (Ph.D student) the Madynes group at INRIA 

Radu State (Ph.D), the Madynes group at INRIA 

Olivier Festor (Ph.D), the Madynes group at INRIA 

 

   

Software version for which vendors were notified: 

 

Asterisk-addon (SQL injection)

Areski v2.0.1 and earlier (XSS injection)

FreePBX 2.3.00 and earlier (XSS injection)

Trixbox v2.3.1 and earlier (XSS injection)

  

Severity: High, XSS and SQL injection can lead to the compromise of an
internal network


Overview:



Asterisk itself does not support billing reports but provides libraries,
asterisk-addon, which may allow a third party to compute them. Specifically,
the functions exported by cdr_addon_mysql.c allow logging the Call Detail
Records (CDR) in a MySQL database.

Areski, FreePBX and Trixbox use the information stored in such a database in
order to manage and generate billing reports or display the load of
the PBX.

Vulnerability Synopsis:

Certain functions in cdr_addon_mysql.c do not properly escape input
characters from fields of incoming calls before storing them in the
database. This issue allows a malicious user two main attacks:

1.   Inject SQL statements which will obfuscate the quantity of minutes
made for the billing
2.   Inject through the SQL statement values which will be recognized as
JavaScript when a WWW management application for CDR runs.

The attack may be performed by an unsubscribed user in the domain (if
anonymous calls are allowed).
This attacker may inject negative numbers in the CDR table in order to
decrease the minutes of calling. Also, the attacker may inject JavaScript
tags to be executed on the administrator's PC when she/he enters the CDR
website.

Note that in order to perform the cross-site script injection, the SQL injection
technique is necessary because special characters as  are filtered
by Asterisk, while with the SQL injection they can be rewritten as 0x60
(hexadecimal representation), which won't be filtered.

Impact:

Information from the database can be manipulated for malicious use.

Malicious scripts may be executed on the administrator's machine.

Proof of Concept:


The script will create an entry with duration value -9 and
<script>alert(1)</script> that will be shown when the administrator checks the
website.

Command: asterisk_cdr_sqlinjection.pl callUser targetIP targetPort
attackerUser localIP localPort

-- 

#!/usr/bin/perl

#
# Vulnerability discovered using KiF ~ Kiph   #
#   #
# Authors:  #
# Humberto J. Abdelnur (Ph.D Student) #
# Radu State (Ph.D)   #
# Olivier Festor (Ph.D)   #
#   #
# Madynes Team, LORIA - INRIA Lorraine  #
# http://madynes.loria.fr   #
#

use IO::Socket::INET;
use String::Random;

$foo = new String::Random;

die "Usage $0 callUser targetIP targetPort attackerUser localIP localPort" unless ($ARGV[5]);

sub 
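The defensive counterpart of the issue described in this advisory, as an added example that is not part of the post or of asterisk-addons: header-derived CDR fields are written with a parameterized INSERT, HTML-escaped when the CDR page renders them, and audited for negative durations or markup. It uses sqlite3 as a stand-in for MySQL; the table layout, column names and sample rows are constructed assumptions.

```python
import html
import re
import sqlite3

# Constructed minimal CDR table (assumption: Asterisk-style column names).
SCHEMA = ("CREATE TABLE cdr (calldate TEXT, clid TEXT, src TEXT, dst TEXT, "
          "duration INTEGER, billsec INTEGER)")
# Angle brackets or hex literals in a header-derived field signal stored XSS.
MARKUP_RE = re.compile(r"[<>]|0x[0-9a-f]{2,}", re.IGNORECASE)

def open_cdr_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def insert_cdr(db, calldate, clid, src, dst, duration, billsec):
    """Parameterized insert: SIP-header strings never reach the SQL parser,
    and the numeric columns come from the PBX, not from the caller."""
    db.execute("INSERT INTO cdr VALUES (?, ?, ?, ?, ?, ?)",
               (calldate, clid, src, dst, int(duration), int(billsec)))

def render_row(row):
    """HTML-escape every column so a stored '<script>' is shown, not run."""
    cells = "".join(f"<td>{html.escape(str(c))}</td>" for c in row)
    return f"<tr>{cells}</tr>"

def audit_cdr(db):
    """(rowid, reason) for rows showing the advisory's two abuses: billing
    tampering via bad durations and markup in caller-controlled fields."""
    findings = []
    rows = db.execute("SELECT rowid, clid, src, dst, duration, billsec FROM cdr")
    for rowid, clid, src, dst, duration, billsec in rows:
        if duration < 0 or billsec < 0 or billsec > duration:
            findings.append((rowid, "suspicious duration"))
        for name, value in (("clid", clid), ("src", src), ("dst", dst)):
            if MARKUP_RE.search(value or ""):
                findings.append((rowid, f"markup in {name}"))
    return findings

def demo():
    """Constructed sample: hostile caller-ID stored safely, plus one row
    tampered before the fix (duration -9) for the audit to catch."""
    db = open_cdr_db()
    insert_cdr(db, "2007-10-19 10:00:00", "<script>alert(1)</script>",
               "1000", "2000", 42, 40)
    db.execute("INSERT INTO cdr VALUES ('2007-10-19 10:07:00', 'Bob', "
               "'1002', '2000', -9, -9)")  # simulated pre-fix corruption
    rows = db.execute("SELECT clid, duration FROM cdr").fetchall()
    return audit_cdr(db), [render_row(r) for r in rows]
```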

Re: [Full-disclosure] XSS and SQL injection via SIP (part 2) and toll fraud bonus

2007-10-19 Thread phioust
LOL XSS

PDP ALERT !!! THEY ARE STEALING YOUR RESEARCH!

On 10/19/07, Radu State [EMAIL PROTECTED] wrote:


Re: [Full-disclosure] XSS and SQL injection via SIP (part 2) and toll fraud bonus

2007-10-19 Thread phioust
On 10/20/07, lulzlulzluzluz [EMAIL PROTECTED] wrote:

 security is serious business. plz do not joke like that phioust:
 xss0day - x-ssh0day, see serious.


 Only drraid has ssh 0day


On 10/19/07, Radu State  [EMAIL PROTECTED] wrote:
 
my $hex = '';
  
 for (my $i = 0; $i < length($_[0]); $i++) {
  
  LOL 3 phds and not one knows the range operator?
for(0..length($_[0]))


 $attackerUser = $ARGV[3];
  
   $callUser = $ARGV[0];
  
   $targetIP = $ARGV[1];
  
   $targetPort = $ARGV[2];
  
   $attackerIP= $ARGV[4];
  
   $attackerPort= $ARGV[5];
  
   have you never heard of shift? or what about split @ARGV based on
spaces ... l0l perl retards

 Did you only write this in perl because C is too complicated for you?

you better hope perl underground does see this bullshit perl!!!
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/