[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Sangoma SBC Remote Command Execution - CVE-2017–17430

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Sangoma SBC Remote Command Execution - CVE-2017–17430
From: Security Team Appsecco <security@xxxxxxxxxxxx>
Date: Tue, 9 Jan 2018 10:16:10 +0000

## Description

Sangoma NetBorder / Vega Session Controller before 2.3.12-80-GA allows remote 
unauthenticated attackers to execute arbitrary commands via the web interface.

## Technical Details

The `ShellExec` class implemented in `api/ShellExec.class.php` is extensively 
used by various PHP scripts in the management web application to invoke 
external command line programs. The `Execute` method in this class invokes 
external programs, optionally with `sudo` for privileged execution. 
Unfortunately this method does not implement any input validation or parameter 
escaping which can be exploited to inject and execute arbitrary shell commands.

During our research, we exploited the `login` functionality in the web app to 
inject and execute arbitrary shell commands when 
`/usr/local/sng/bin/sng-user-mgmt` was invoked to verify provided credentials.

Following code is executed to authenticate a user from web ui:

```
1197  $shell = new ShellExec();
1198  $cmd = '/usr/local/sng/bin/sng-user-mgmt';
   [...]
1204  $args =' --action=login --user='.$username.' --encrypted-password="' . 
$string.'"';
1205  $rc = $shell->Execute($cmd, $args, true, array('log'));
1206  if(0 == $rc){
   [...]
1217     $_SESSION['user_login'] = $username;
1218     $_SESSION['system_login'] = "root";
1219     WebSetSessionAuthenticated();
1220     return true;
```

Example payload during login to achieve command execution:

```
username: a;echo A > /tmp/test.txt;
password: anything
```

This results in creation of `/tmp/test.txt` on the server. 

## Vendor Response

This issue has been responsibly disclosed to the vendor for which a patch has 
been released.
ftp://ftp.sangoma.com/nsc/2.3/Changelog

## Credits

Appsecco Security Team
http://www.appsecco.com

## Timeline

2017-12-05: Discovered and reported to vendor
2017-12-06: Vendor confirmation
2017-12-07: Fixed version (2.3.12) released


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] CVE-2017-18016 - Paritytech Parity Ethereum built-in Dapp Browser <= v1.6.10 webproxy token reuse same-origin policy bypass
Next by Date: [FD] WordPress LearnDash LMS: Unauthenticated arbitrary file upload
Previous by thread: [FD] CVE-2017-18016 - Paritytech Parity Ethereum built-in Dapp Browser <= v1.6.10 webproxy token reuse same-origin policy bypass
Next by thread: [FD] WordPress LearnDash LMS: Unauthenticated arbitrary file upload
Index(es):
- Date
- Thread