[VOIPSEC] trixbox vuln (CVE-2007-6424) - PoC exploit code
Dan York
dyork at voxeo.com
Wed Dec 19 11:20:57 CST 2007
MadCat,
On Dec 19, 2007, at 11:46 AM, MadCat wrote:
>> Something I'm still not clear about it how likely the attack actually
>> is to occur. How easily could an attacker use your exploit code to
>> compromise a Trixbox system? (i.e. what's the risk?) It seems to me
>> that an attacker
>
> You can classify it somewhere between unlikely to not-all-that-likely.
That was my read on it, so I appreciate the confirmation.
> So it's not as much the actual risk of it happening, but just the fact
> the flaw exists and it needs to be addressed.
Sure... but the risk of exploitation directly feeds into the
availability of resources to fix the problem. High risk = lots of
resources, low risk = fewer resources, VERY low risk = "we'll get
around to it and patch it in some future release".
Ideally every security issue gets fixed, but there are typically only
so many resources to go around and often much larger issues to fix.
> Yes, this -should- fix the problem. However, there is a fair amount of
> users that have their trixbox all firewalled up to the point it won't
> do the updates; in essence the 'vendor' has fixed the flaw with the
> next release, but there's always a few vulnerable issues.
Agreed.
> In case you're interested, I did a writeup on this as well on my
> blog; http://www.superunknown.org/pivot/entry.php?id=15
Yes, I did notice that. I actually updated the VOIPSA blog entry
yesterday to point to your post:
http://voipsa.org/blog/2007/12/17/trixbox-contains-phone-home-code-to-retrieve-arbitrary-commands-to-execute/
> As a developer and sometimes-not-so-voluntary product manager I get
> the idea; however, the script in question can be fixed easily in under
> 72 hours without it affecting its functionality in any way; just tell
> it to update itself to run a hardcoded list of commands instead of
> pulling it off the web somewhere and that'll temporarily fix the
> issue.
>
> After that one can spend as much time as needed to get a permanent and
> "prettier" fix out the door.
Yes, the proverbial "do you do it quickly and get a 'band-aid' fix
out there or do you take some time and do it right?" debate. No easy
answers, in my opinion. Sometimes the band-aid fix is appropriate.
Sometimes the band-aid fix turns out to be such a pain-in-the-neck in
terms of additional support, QA, work, etc.
So much of it goes back to that assessment of risk. If it's a high
risk of exploitation and it will take too long to get out a correct
fix, rush out the band-aid fix. If it's a low risk and it won't take
that much longer to do it the right way, that's usually the best
course, in my opinion.
Thanks for the comments,
Dan
--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation dyork at voxeo.com
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com
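The interim fix MadCat describes above (stop pulling a command list from the web and run a hardcoded list instead) is small enough to show in code. The block below is an added illustration written for this archive page; it is not trixbox code and not either poster's. The command list is a constructed placeholder standing in for whatever maintenance steps the real script performed, and the `is_allowed` gate is an assumed extra check, not something the thread describes.

```python
"""Illustrative 'band-aid' fix for a phone-home update script.

Before: the script fetched a list of commands from a remote URL and executed
whatever came back, so anyone who controlled that URL (or the path to it)
controlled the box.
After: the only commands that can ever run are the ones compiled into this
file, executed without a shell. No network access remains in the update path.
This is example code, not trixbox's own script.
"""
import subprocess
from typing import Sequence

# Constructed placeholder steps. A real script would list its actual
# maintenance commands here; each entry is an argv list, never a shell string.
HARDCODED_COMMANDS: tuple[tuple[str, ...], ...] = (
    ("true",),               # placeholder for e.g. a package-index refresh
    ("echo", "update-ok"),   # placeholder for a post-update notice
)


def planned_commands() -> list[list[str]]:
    """Return the fixed execution plan as mutable argv lists.

    There is deliberately no fetch step: the plan is a function of this file
    alone, which is the whole point of the interim fix.
    """
    return [list(cmd) for cmd in HARDCODED_COMMANDS]


def is_allowed(argv: Sequence[str]) -> bool:
    """Assumed allow-list gate (not from the thread).

    Useful during the transition if some caller still passes commands in:
    anything that is not byte-for-byte one of the hardcoded entries is refused.
    """
    return tuple(argv) in HARDCODED_COMMANDS


def run_update(dry_run: bool = False) -> list[tuple[list[str], int]]:
    """Execute the hardcoded plan and report (argv, returncode) per step.

    shell=False means argv is passed straight to exec(); there is no string
    that a shell could reinterpret. dry_run lets an operator review the plan
    without running anything.
    """
    results: list[tuple[list[str], int]] = []
    for argv in planned_commands():
        if not is_allowed(argv):        # cannot fail for the hardcoded plan,
            results.append((argv, -1))  # but documents the invariant
            continue
        if dry_run:
            results.append((argv, 0))
            continue
        proc = subprocess.run(argv, shell=False, check=False,
                              capture_output=True, text=True)
        results.append((argv, proc.returncode))
    return results


if __name__ == "__main__":
    for argv, rc in run_update(dry_run=True):
        print(f"would run {argv!r} (rc={rc})")
```

The permanent fix the thread alludes to would replace this with a properly signed update mechanism; the value of the interim version is that it is a handful of lines, changes no observable behaviour for users, and removes the remote-command channel entirely while that longer piece of work happens.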