AsteriDex is "a digital rolodex for Asterisk / Trixbox PBXs". There is a command injection vulnerability which allows unauthenticated users to execute arbitrary commands on the Asterisk management console. Such access permits execution of arbitrary operating system commands as the 'asterisk' user.
Vulnerable Systems:
* AsteriDex version 3.0 and prior
The script 'callboth.php' is used by AsteriDex to bridge a VOIP call between two end-points. Insufficient parameter checking is done on the variables IN and OUT, allowing a malicious user to inject arbitrary commands into the Asterisk management console.
The script works by logging into the manager console on port 5038/TCP on localhost. It then issues an 'Action: Originate' command, which is used to set up the bridged call. The relevant code from callboth.php is:
$IN is set from $_GET['IN'] with no sanity checking other than a test of string length; all strings passed to $IN must be less than 100 chars, including the string 'sip/' which is prepended to $IN prior to the length check.
Given sane values of $IN=123, $out=321 and $CallerID=567, the session would look like this:
Action: login
Username: phpagi
Secret: phpagi
Events: off
By including CRLF characters in $IN, an attacker can inject arbitrary commands into the data stream, hijacking the authenticated session to run commands of the attacker's choice. Take, for example, a $IN string containing: 190@example.com\r\nApplication: System\r\nData: echo pwn3d > /tmp/hoku.txt\r\n
This would transform the session into:
Action: login
Username: phpagi
Secret: phpagi
Events: off
This would use the call manager's 'System' functionality to execute user-supplied operating system commands, in this case writing the word "pwn3d" to a file called "/tmp/hoku.txt". The rest of the session would fail because the attacker has subverted the original 'Action', rendering the remaining commands meaningless to the manager.
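The following is an added illustration, not AsteriDex's own code: it builds an 'Originate' action the way the advisory describes (only a length check on 'sip/' + $IN), shows how the injected $IN value turns into extra 'Application'/'Data' headers when the manager splits the action on CRLF, and contrasts that with a builder that rejects any value which could carry a line break. The exact header set of the Originate action and the allow-list pattern are assumptions for the example.

```python
import re

# Constructed sample values taken from the advisory: the sane IN value and the
# CRLF-injected one.
SANE_IN = "123"
INJECTED_IN = (
    "190@example.com\r\nApplication: System\r\n"
    "Data: echo pwn3d > /tmp/hoku.txt\r\n"
)

# Assumed allow-list for a dial target: no CR/LF, no ':' and a bounded length so
# that 'sip/' + value stays under the script's 100-character limit.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9@._+-]{1,95}")


def build_originate_naive(in_, out, callerid):
    """Mirror the advisory: length check only, no character filtering."""
    channel = "sip/" + in_
    if len(channel) >= 100:
        raise ValueError("IN too long")
    # Assumed header layout for the bridged call (Context/Priority are guesses).
    return (
        "Action: Originate\r\n"
        f"Channel: {channel}\r\n"
        f"Exten: {out}\r\n"
        "Context: default\r\n"
        "Priority: 1\r\n"
        f"CallerID: {callerid}\r\n"
        "\r\n"
    )


def build_originate_hardened(in_, out, callerid):
    """Refuse any parameter that does not match the allow-list before it
    reaches the manager socket; a line break would otherwise start a new
    'Key: value' header inside the same action."""
    for name, value in (("IN", in_), ("OUT", out), ("CallerID", callerid)):
        if not _SAFE_VALUE.fullmatch(value):
            raise ValueError(f"{name} is not a valid AMI header value")
    return build_originate_naive(in_, out, callerid)


def ami_header_keys(action):
    """Return the header keys the manager would see, splitting on CRLF."""
    return [line.split(":", 1)[0] for line in action.split("\r\n") if ":" in line]
```

With the injected value the naive builder passes the length check and the manager sees 'Application' and 'Data' headers it was never meant to receive; the hardened builder rejects the value before anything is written to the socket.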