exploit the possibilities

Sangoma SBC 2.3.23-119-GA Unauthenticated User Creation

Sangoma SBC 2.3.23-119-GA Unauthenticated User Creation
Posted Oct 18, 2019
Authored by Appsecco Security Team | Site appsecco.com

A remotely exploitable vulnerability exists in the 2.3.23-119-GA version of Sangoma SBC that would allow an unauthenticated user to create a privileged user on the system using the web application login interface.

tags | exploit, web, bypass
advisories | CVE-2019-12147
MD5 | 35eba4e323bb1cd503763d9011a57ea5

Sangoma SBC 2.3.23-119-GA Unauthenticated User Creation

Change Mirror Download
## Introduction

### Description

A remotely exploitable vulnerability exists in the 2.3.23-119-GA version of Sangoma SBC that would allow an unauthenticated user to create a privileged user on the system using the web application login interface.

### Vulnerability Type

- Argument Injection or Modification (https://cwe.mitre.org/data/definitions/88.html)

## Product Overview

A Sangoma SBC protects both your data and voice network and is designed to handle every aspect of phone calls that travel over the internet (or voice-over-ip phone calls).

## Background

The Sangoma SBC web application heavily relies on the python script `/usr/local/sng/bin/sng-user-mgmt` for various user operations including authenticating the user that is supplied on the login screen of the web application.

When a username and password is provided to the application, it is processed by `/var/webconfig/gui/Webconfig.inc.php` which uses the `Execute` function from `/var/webconfig/api/ShellExec.class.php` to pass the credentials to `/usr/local/sng/bin/sng-user-mgmt` as arguments. The `Execute` function applies the `escapeshellcmd` function to convert any shell characters as literals, however there is no verification that the variables passed do not contain strings that can be interpreted as additional arguments to `/usr/local/sng/bin/sng-user-mgmt`.

For example, when a username `root` and password `secure` is passed to the application, the final command that is created by `Execute` to be run is `/usr/local/sng/bin/sng-user-mgmt --action=login --user=ha --encrypted-password=ENCPASS(secure)`

By inspecting the code and help menu of `/usr/local/sng/bin/sng-user-mgmt`, we see that the `action` parameter supports other modes which includes `add` that creates a user. The `-o` option can be used to make the user have sudo privileges when `--action=add` is used.

Passing additional arguments through the username field results in a new privileged user being created on the system.

## Proof of Concept Exploit

1. Pass a username with the value `john --action=add -p StrongPass1 -o`
2. The password field can be set to anything as this will be ignored
3. Click login
4. A local user with sudo privileges called `john` with password `StrongPass1` will be created
5. An attacker can SSH into the machine with these credentials or login via the web console

## Versions Tested

- 2.3.23-119-GA

## Vendor Response

This issue has been responsibly disclosed to the vendor for which a patch has been released in version 2.3.24

https://wiki.sangoma.com/display/SBC/SBC+Downloads

## Credits

Appsecco Security Team
http://www.appsecco.com

## Timeline

18th May 2019: Discovered and reported to vendor
21st May 2019: Vendor confirmation
23rd July 2019: Fixed version (2.3.24) released

## Reference

- [https://www.sangoma.com/products/sbc/](https://www.sangoma.com/products/sbc/)


Riyaz Walikar

+91 9886042242

<http://www.appsecco.com/>www.appsecco.com<http://www.appsecco.com/>

Appsecco is a registered trademark of Appsecco Ltd. Appsecco Limited: Registration Number: 9500721. Registered office: Kemp House, 152 to 160 City Road, London EC1V 2NX, United Kingdom. This email message is intended for the named recipient only. It may be privileged and/or confidential. If you are not the named recipient of this email please notify us immediately and do not copy it or use it for any purpose, nor disclose its contents to any other person.



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    2 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    16 Files
  • 13
    Feb 13th
    19 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    13 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close