what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Sangoma SBC 2.3.23-119-GA Unauthenticated User Creation

Sangoma SBC 2.3.23-119-GA Unauthenticated User Creation
Posted Oct 18, 2019
Authored by Appsecco Security Team | Site appsecco.com

A remotely exploitable vulnerability exists in the 2.3.23-119-GA version of Sangoma SBC that would allow an unauthenticated user to create a privileged user on the system using the web application login interface.

tags | exploit, web, bypass
advisories | CVE-2019-12147
SHA-256 | 7e1eb8784b9d8c0dcef3b52b414558e0863dd0159c0dddd2ff205e7efaa513f9

Sangoma SBC 2.3.23-119-GA Unauthenticated User Creation

Change Mirror Download
## Introduction

### Description

A remotely exploitable vulnerability exists in the 2.3.23-119-GA version of Sangoma SBC that would allow an unauthenticated user to create a privileged user on the system using the web application login interface.

### Vulnerability Type

- Argument Injection or Modification (https://cwe.mitre.org/data/definitions/88.html)

## Product Overview

A Sangoma SBC protects both your data and voice network and is designed to handle every aspect of phone calls that travel over the internet (or voice-over-ip phone calls).

## Background

The Sangoma SBC web application heavily relies on the python script `/usr/local/sng/bin/sng-user-mgmt` for various user operations including authenticating the user that is supplied on the login screen of the web application.

When a username and password is provided to the application, it is processed by `/var/webconfig/gui/Webconfig.inc.php` which uses the `Execute` function from `/var/webconfig/api/ShellExec.class.php` to pass the credentials to `/usr/local/sng/bin/sng-user-mgmt` as arguments. The `Execute` function applies the `escapeshellcmd` function to convert any shell characters as literals, however there is no verification that the variables passed do not contain strings that can be interpreted as additional arguments to `/usr/local/sng/bin/sng-user-mgmt`.

For example, when a username `root` and password `secure` is passed to the application, the final command that is created by `Execute` to be run is `/usr/local/sng/bin/sng-user-mgmt --action=login --user=ha --encrypted-password=ENCPASS(secure)`

By inspecting the code and help menu of `/usr/local/sng/bin/sng-user-mgmt`, we see that the `action` parameter supports other modes which includes `add` that creates a user. The `-o` option can be used to make the user have sudo privileges when `--action=add` is used.

Passing additional arguments through the username field results in a new privileged user being created on the system.

## Proof of Concept Exploit

1. Pass a username with the value `john --action=add -p StrongPass1 -o`
2. The password field can be set to anything as this will be ignored
3. Click login
4. A local user with sudo privileges called `john` with password `StrongPass1` will be created
5. An attacker can SSH into the machine with these credentials or login via the web console

## Versions Tested

- 2.3.23-119-GA

## Vendor Response

This issue has been responsibly disclosed to the vendor for which a patch has been released in version 2.3.24

https://wiki.sangoma.com/display/SBC/SBC+Downloads

## Credits

Appsecco Security Team
http://www.appsecco.com

## Timeline

18th May 2019: Discovered and reported to vendor
21st May 2019: Vendor confirmation
23rd July 2019: Fixed version (2.3.24) released

## Reference

- [https://www.sangoma.com/products/sbc/](https://www.sangoma.com/products/sbc/)


Riyaz Walikar

+91 9886042242

<http://www.appsecco.com/>www.appsecco.com<http://www.appsecco.com/>

Appsecco is a registered trademark of Appsecco Ltd. Appsecco Limited: Registration Number: 9500721. Registered office: Kemp House, 152 to 160 City Road, London EC1V 2NX, United Kingdom. This email message is intended for the named recipient only. It may be privileged and/or confidential. If you are not the named recipient of this email please notify us immediately and do not copy it or use it for any purpose, nor disclose its contents to any other person.



Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close