[VOIPSEC] trixbox vuln (CVE-2007-6424) - PoC exploit code
Dan York
dyork at voxeo.com
Wed Dec 19 08:51:46 CST 2007
Than,
On Dec 18, 2007, at 10:25 PM, Than Taro wrote:
> Run this in a simple script such as `while :; do netcat -l -p 80 -c
> "perl trixbox-exploit.pl"; done`, and then a trivial DNS redirection
> can take it from there.
Something I'm still not clear about is how likely the attack actually
is to occur. How easily could an attacker use your exploit code to
compromise a Trixbox system? (i.e. what's the risk?) It seems to me
that an attacker
Also, Trixbox has now publicly apologized and also stated that they
will be changing this tool in an impending release (which I read as
Friday):
http://www.trixbox.org/trixbox-ce-audit-tool-official-statement-and-fixes
Will this not solve the problem? Given Trixbox's existing
infrastructure to pull down software updates, it would look to me
that this problem should be addressed once all existing Trixbox
installs do an update in the time after the release.
Thank you, Than, for your reporting on the issue. It's been an
interesting one to see come up. (And if you haven't noticed, I've
been blogging about it over on http://www.voipsa.org/blog/ )
Regards,
Dan
P.S. As a former product manager I must admit to having a knee-jerk
reaction to your statement "I feel that 72+ hours is more than enough
time to fix something this simple." I used to think that way. Then
I wound up on the other side of the table being responsible for
bringing such fixes out. For a commercial company, there is a great
amount of work that goes with a "release" in terms of Quality
Assurance testing, documentation, release notes, etc. If you have an
"emergency" security issue, it's easy to do an "All Hands on Deck!"
drill and throw people at something to get out a quick fix. If it's
not an emergency, you have to argue the case for prioritization...
for pulling people off of other tasks... and then those people have
to get set up to address your issue, etc. All of that takes time.
Please understand, I'm not trying to *excuse* Fonality's actions, but
perhaps to *explain* them.
--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation dyork at voxeo.com
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com