[VOIPSEC] trixbox vuln (CVE-2007-6424) - PoC exploit code

MadCat madcat at superunknown.org
Wed Dec 19 10:46:20 CST 2007 

>> Run this in a simple script such as `while :; do netcat -l -p 80 -c
>> "perl trixbox-exploit.pl"; done`, and then a trivial DNS redirection
>> can take it from there.
>
> Something I'm still not clear about it how likely the attack actually
> is to occur.  How easily could an attacker use your exploit code to
> compromise a Trixbox system?  (i.e. what's the risk?)  It seems to me
> that an attacker

You can classify it somewhere between unlikely to not-all-that-likely.  
It requires, for one, that you can convince the victims' trixbox that  
it's connecting to the real update server while it isn't. Some  
techniques that come in handy here are DNS poisoning/spoofing, ARP  
spoofing, and if you're really so inclined you can hack into a router  
and transparently re-route stuff to perform a man in the middle attack.

For the average trixbox user (home/small office) the risk isn't all  
that big; for bigger corporate users they might want to evaluate this  
because if, say, a corporation has an ISO 27001:2005 certificate, this  
flaw in trixbox will result in a nonconformity right away (at least if  
the auditor has a half-decent skillset).

So it's not as much the actual risk of it happening, but just the fact  
the flaw exists and it needs to be addressed.

>
> Also, Trixbox has now publicly apologized and also stated that they
> will be changing this tool in an impending release (which I read as
> Friday):
>
>    http://www.trixbox.org/trixbox-ce-audit-tool-official-statement-
> and-fixes
>
> Will this not solve the problem?   Given Trixbox's existing
> infrastructure to pull down software updates, it would look to me
> that this problem should be addressed once all existing Trixbox
> installs do an update in the time after the release.

Yes, this -should- fix the problem. However, there is a fair amount of  
users that have their trixbox all firewalled up to the point it won't  
do the updates; in essence the 'vendor' has fixed the flaw with the  
next release, but there's always a few vulnerable issues.

I also can't quite grasp whether they mean they will do the update  
using the registry.pl tool, or whether registry.pl is fixed in an  
update that one has to download and install (i.e. a full release  
version). If it is the latter, there will undoubtedly remain a large  
installed base that is vulnerable for at least 6 months or so.
>

> Thank you, Than, for your reporting on the issue.  It's been an
> interesting one to see come up.  (And if you haven't noticed, I've
> been blogging about it over on http://www.voipsa.org/blog/ )

In case you're interested, I did a writeup on this as well on my blog; http://www.superunknown.org/pivot/entry.php?id=15


> P.S. As a former product manager I must admit to having a knee-jerk
> reaction to your statement "I feel that 72+ hours is more than enough
> time to fix something this simple."  I used to think that way.  Then
> I wound up on the other side of the table being responsible for
> bringing such fixes out. For a commercial company, there is a great
> amount of work that goes with a "release" in terms of Quality
> Assurance testing, documentation, release notes, etc.  If you have an
> "emergency" security issue, it's easy to do a "All Hands on Deck!"
> drill and throw people at something to get out a quick fix.  If it's
> not an emergency, you have to argue the case for prioritization...
> for pulling people off of other tasks... and then those people have
> to get set up to address your issue, etc.  All of that takes time.
> Please understand, I'm not trying to *excuse* Fonality's actions, but
> perhaps to *explain* them.

As a developer and sometimes-not-so-voluntary product manager I get  
the idea; however, the script in question can be fixed easily in under  
72 hours without it affecting it's functionality in any way; just tell  
it to update itself to run a hardcoded list of commands instead of  
pulling it off the web somewhere and that'll temporarily fix the issue.

After that one can spend as much time as needed to get a permanent and  
"prettier" fix out the door.

IMO anyway :) The usual disclaimers apply here :D

More information about the Voipsec mailing list