CRITICAL: REMOTE ROOT exploit for trixbox in the wild

(To the poster of the active exploit code:)

How about doing one better and providing a workaround until the exploit is patched?

Move index.php out of the web directory so that it's not accessible. You will lose access to the trixbox web stuff, but who cares?

Also, as Scott said, put your trixbox in a DMZ, or at the very least do not expose servers to the Internet unnecessarily. In a small office with no computer savvy users this would probably not be an issue as long as it's not accessible from the Internet (that is not to say that it's OK to take no other security precautions.)

Thanks for the heads up voxter.

And I got a bit angry and took an attitude in my post, I apologize. Thanks for the follow up post.

Rather than look to publishers to secure their products I try to preach best practices that are universal. They don't cost anything to implement and are universal from the smallest home office to the largest enterprise. Once these habits become practices problems disappear. I beat my head against the wall when I talk about VLAN's and other simple to implement practices. How can one argue against using the capabilities of the equipment they have?

Besides, there are so many more things to beat Fonality up about. I am far more concerned with the integrity of the repository and the lack of execution on the 'patch plus' strategy.

Heck, nslookup is missing from the latest build and that was pointed out far more than 5 days ago. I try and pick my battles.

Scott

ADDman,

I'm not looking to sound smart, and im not concerned about the machine that got infected. In my case, this is not a box I care about, and I put it on the public internet on its own network on purpose. I'm glad it got infected like it did, because this allowed me to see what was going on and let everyone else know.

The point was not that I intended to fix it immediately, the point was simply to let other people know what was vulnerable, and thats what I did.

If you want to call me a troll for stirring stuff up, be my guest. But I can guarantee you this: There ARE people who put machines on the public internet because they infact do not know any better. Those people deserve to know what to expect. And Fonality is responsible for releasing a patch that does not require the user to know how to 'patch' their system by some manual means. It should have been available as a security fix (and its an easy one at that) the day they were notified.

I just want to see them post a patch right away, so that people still have a chance of getting their systems secured before they get rooted.

You might be surprised, given a list of all the IP addresses used to access this forum, or from participants of TrixNet or any public DUNDi groups, how many of them you could exploit and take full control over RIGHT NOW.

By take full control, here are some examples of what could happen to people who dont know any better:

- Botnet could take over your machine and use it to participate in a DDoS attack
- Malicious attacker could erase your entire configuration
- Malicious attacker could use your system to place costly phone calls
- Malicious attacker could shut down your phone system and lock you out, taking down your business. That translates into money.

It's a serious hole, man.

Sorry to disagree but after using various Asterisk aggregations going back to early releases of Asterisk@Home, I'm not sure I have ever seen web access to FreePBX or trixbox compared to having "unprotected sex with crack whores." Nor has there ever been a warning NOT to provide Internet web access to these servers. But, until this vulnerability is addressed, you should definitely put your server behind a firewall with port 80 closed.

What you definitely should not do is rename an index.php file to something that ends in an extension other than .php. For example, index.old.php is hidden (although barely) while index.php.old is extremely dangerous because Apache would process and display a file ending in .old as a mere text file. If it contains passwords or other sensitive information, you're in trouble.

Rather than poking a hole in your firewall for port 80, a safer alternative that we use for web access is to create an on-the-fly SSH tunnel for web access to your web site. For example, issue a command like this using the FQDN of your Asterisk server:

ssh -L 8234:localhost:80 root@yourserver.dyndns.org

Once you've opened this connection, then you can access your web site using a browser on the same computer with a command like this:

http://localhost:8234/

When you finish browsing your web site, just shut down the SSH tunnel.

on my system renaming index.php to index.old.php (or whatever - in the absence of index.*) causes the entire directory to be visible to a visitor.

Check before jumping from the frying pan into the fire.

Just a thought you could append the file and add to the top

<?php
die ("OH SNAP NOTHING TO SEE HERE");
?>

sed 1 liner:

sed -i '1i\ <?php die ("OH SNAP NOTHING TO SEE HERE"); ?>' /var/www/html/user/index.php

when I try and open the maint pages in firefox, I get:
Notice: Use of undefined constant SERVERSTATUS - assumed 'SERVERSTATUS' in /var/www/html/maint/modules/01_Home/index.php on line 322

Notice: Use of undefined constant ASTERISKSTATUS - assumed 'ASTERISKSTATUS' in /var/www/html/maint/modules/01_Home/index.php on line 333

Notice: Use of undefined constant ACTIVESIPCHANNELS - assumed 'ACTIVESIPCHANNELS' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 160

Notice: Use of undefined constant ACTIVEIAX2CHANNELS - assumed 'ACTIVEIAX2CHANNELS' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 168

Notice: Use of undefined constant SIPREGISTRATIONS - assumed 'SIPREGISTRATIONS' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 174

Notice: Use of undefined constant IAX2REGISTRATIONS - assumed 'IAX2REGISTRATIONS' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 180

Notice: Use of undefined constant SIPPEERS - assumed 'SIPPEERS' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 190

Notice: Use of undefined constant ONLINE - assumed 'ONLINE' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 190

Notice: Use of undefined constant OFFLINE - assumed 'OFFLINE' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 190

Notice: Use of undefined constant ONLINE - assumed 'ONLINE' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 200

Notice: Use of undefined constant OFFLINE - assumed 'OFFLINE' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 200

Notice: Use of undefined constant UNMONITORED - assumed 'UNMONITORED' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 200

Notice: Use of undefined constant HELPFULLINKS - assumed 'HELPFULLINKS' in /var/www/html/maint/modules/01_Home/index.php on line 338

Notice: Use of undefined constant FORUM - assumed 'FORUM' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 211

Notice: Use of undefined constant RECENTPOSTS - assumed 'RECENTPOSTS' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 213

Notice: Use of undefined constant LATESTNEWS - assumed 'LATESTNEWS' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 215

Notice: Use of undefined constant HUDLITE - assumed 'HUDLITE' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 217

Notice: Use of undefined constant VIDEOTUTORIALS - assumed 'VIDEOTUTORIALS' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 219

Notice: Use of undefined constant DOCUMENTATION - assumed 'DOCUMENTATION' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 221

Notice: Use of undefined constant TRIXBOXSTORE - assumed 'TRIXBOXSTORE' in /var/www/html/maint/modules/01_Home/includes/asteriskInfo_functions.php on line 223

IE just shows a page can't be displayed error.

The fact that scares me the worst it that this thread is nearly 24 hours old and no one from Fonality has commented. I guess they are going to ignore it, so it will go away.

There's been some very good and helpful comment here and we all ( I hope ) are responsible people (most of whom can type better than me!).

Stick to best practice - only expose what you have to, minimise the attack surface.

I can (personally) see little reason to publicly expose anything more than IAX (4569 UDP ?) to a TB box so why expose port 80? - it's like leaving your shiny new iPhone 3g on the table at Starbucks when you go out to the car to get something - in an ideal world it'd be fine, but some people like iPhones so much they'll steal them, some people hate them so much they'll steal them and some people just shouldn't be trusted with that much caffeine coursing through their veins - just keep it in your pocket, take it out admire it at the office (TB on LAN) at home (TB via VPN) - VLAN if practical, change ports, lock down access do what you can. It you have a 24x7 call center with minimum wage staff, they'll get bored and may find a way to browse to you TB - lock it down (you wouldn't leave your iPhone there either, not overnight!).

Remember the only completely secure computer is one with no power, network, disk, display, keyboard, memory etc.

(off my soap box now...sorry...)

(at least you had something to read waiting for Kerry to post - come on guys....!)
J

Interesting that the blog only says it is a 2.6 problem. It looks like they have no plans to fix 2.4. I guess the 2.4 installed base is out of luck?

Stop picking on the crack whores, they are people too (well, sorta.....)
I like crack whores, they're not picky about what you ask for....

I would have been more impressed with the response if:

- instead of posting it in a blog where I have to click to read, they had posted the information about a flaw which allows root level on page one of the site. Especially when they had a solution which requires that people go and download the fix it would have been nice to see a large notice on page one.

- when comments and concerns were mentioned on a couple of different threads somebody from Fonality had directed attention to the blog entry. In fact it seems most people, yourself included James, did not seem to have even read the blog. The first mention of the blog was not made on this thread until late this afternoon.

- instead of advertising for training on my maint page there had been a warning advising of a major flaw having been found.

- instead of hyping the upcoming conference in LA they had placed some emphasis on this urgent matter.

- instead of saying the flaw was a 2.6 problem they had mentioned it was also a 2.4 and possibly a 2.2 problem.

It is true the response was quick, but how many people knew about the response? The failure to communicate the response may have allowed some people to be hit with this when had they known about the response they could have avoided the problem altogether. Yes it is everybody’s individual responsibility to secure their system, but a little communication might have helped some people before they had the problem.

2.4 is vulnerable and it appears that 2.2 is as well. The blog only mentions 2.6. So that comment stands.

As to the first quote of mine you cited I will partly concede that. Keep in mind that is advertising they push to my browser page on my maintenance page not the trixbox.org page. If you can push an ad for me to see when I am managing my system you can also push a critical warning as well.

So out of 5 statements you can refute one and even that I don't totally agree with because just because Cisco does it does not make it good practice.

Like I said, the response was quick, but the communication was not so good. They put the fix out there, but the odds of finding the fix before having the problem were slim. They had the means, but I think you do a dis-service by suggesting they should live down to the behavior of some of these other companies. Why aim so low?

I am realistic. I just thought they could have communicated better. Replying to James' post, I am not killing the messenger. I just think the messenger could have been a little more vocal at a time when the message could have done a little more good.

If you do a search of Kerry's post you can see he always suggest keeeping TB secured BEHIND a firewall.
There is no reason in the world to expose the box to the outside world NONE.

I think his way to access boxes from outside is to use Hamachi; which I use and it works very well.

All system's can be hacked (If you can get out, someone can get in, never think you are safe)
Best thing to do is ASSUME you will be hacked and to watch for it
READ your logs I spend over 3 hours a day just reading logs.

And I am sorry Scott, but it should matter to you what these newbies put out on the net, that is OUR net they are filling up with traffic, that is our email servers they are spamming
that is our webservers they are hammering with DDOS attacks.

They as the fools who exposed a OPEN source pieced together with who knows what code to the world.

The author of the exploit had promised to test our fix before announcing the issue so that he could verify our solution and be able to follow up with our response. Instead he jumped the gun and posted it. He still has not confirmed our fix so we did not roll the fix out to previous versions yet as we wanted to make sure that our fix actually was acceptable. Since I have been out of town this week I haven't really been following this except for knowing that the author has not done his part. Our team is going to have fixes pushed to the other versions today.

The solution has been offered 1000's of times. Use a firewall, use a VPN, use access lists.

Even with the patch I would not consider exposing the web interface to the Internet. There is no good reason to do this other than laziness.

Once somebody has access to your system it is impossible to give instructions to fix it. If you did not have the knowledge to secure it I doubt you have the administration skills to repair it.

We are not bickering with you, everyone who participated in the thread agreed with best practices. Why do you have to watch us bicker?

Stop blaming people/places/things and start taking responsibility. What's the deal with reloading? Or don't you believe in backups either?

Scott

I am not blaming anyone Scott, but thanks for re-iterating what I've already said regarding my lack of linux knowledge.

I'm just waiting for a solution so I don't have to start from scratch. I'd much rather repair it than just wipe it out and re do everything. Plus...repairing it I'd learn more. And then I can be as cool as you!

I see you're too busy taking the defensive mode to really give a crap...just do us all a favor and not post anything unless you're actually going to contribute something helpful. Simply calling people out and saying "you should have done this or that" doesn't do anything for us now.

considering I know almost nothing when it comes to linux...I'll at least learn yum...to a degree. But I digress...

We have a simple fix that should solve the problem, but its not fully tested. I am going to paste it below, and if people can verify that it fixes the issue, we will get it out as an update ASAP. Its a simple fix, to just filter that variable.

Diff follows:


Index: branches/2.6.1/tbm-GUIcore/tbm-GUIcore/maint/index.php
===================================================================
--- branches/2.6.1/tbm-GUIcore/tbm-GUIcore/maint/index.php (revision 927)
+++ branches/2.6.1/tbm-GUIcore/tbm-GUIcore/maint/index.php (revision 928)
@@ -14,7 +14,7 @@
apache_setenv('QUERY_STRING',$_SERVER["QUERY_STRING"] = addslashes(strip_tags(urldecode($_SERVER["QUERY_STRING"]))));
apache_setenv('REQUEST_URI',$_SERVER["REQUEST_URI"] = addslashes(strip_tags(urldecode($_SERVER["REQUEST_URI"]))));

-$_POST['langChoice'] = str_replace(array('/', '\\','.'),'',$_POST['langChoice']);
+if (isset($_POST['langChoice'])) $_POST['langChoice'] = str_replace(array('/', '\\','.'),'',$_POST['langChoice']);

ini_set("error_reporting","E_ALL & ~E_NOTICE");
//echo phpinfo();
Index: branches/2.6.1/tbm-GUIcore/tbm-GUIcore/user/index.php
===================================================================
--- branches/2.6.1/tbm-GUIcore/tbm-GUIcore/user/index.php (revision 927)
+++ branches/2.6.1/tbm-GUIcore/tbm-GUIcore/user/index.php (revision 928)
@@ -13,7 +13,7 @@
apache_setenv('QUERY_STRING',$_SERVER["QUERY_STRING"] = addslashes(strip_tags(urldecode($_SERVER["QUERY_STRING"]))));
apache_setenv('REQUEST_URI',$_SERVER["REQUEST_URI"] = addslashes(strip_tags(urldecode($_SERVER["REQUEST_URI"]))));

-$_POST['langChoice'] = str_replace(array('/', '\\','.'),'',$_POST['langChoice']);
+if (isset($_POST['langChoice'])) $_POST['langChoice'] = str_replace(array('/', '\\','.'),'',$_POST['langChoice']);

ini_set("error_reporting","E_ALL & ~E_NOTICE");
session_start();

Greywire - Repost with the code tags.

That's unreadable.

Scott

I edited the comment with the code tags.

You should be able to cut and paste it intact.

that second method doesn't work for me either. 2.2 setup...and I tried editing the index.php page and the functions one.

IE tries to open it up but fails, displays a quick shot of java errors, and then I get a page can't be displayed error.

wow I havent had enough caffeine this morning. try this:

(now using the pre tag, because code tag sucks)

$langArray = array('english','estonian','french','portuguese','spanish','swedish','turkish');
if (isset($_POST['langChoice'])) {
  $_POST['langChoice'] = (in_array($_POST['langChoice'],$langArray)) ? $_POST['langChoice']:"english";
}

yeah...what he said. :P

i've tried all the above and I still can't get it to work. v2.2.3

I matched exactly what arianduke posted too...strange.

It's like it tries to work, flashes the code and then I get IE can't display webpage error.

ooooooo...wait a min...grey just made a change...

By default do you not have a passworded .htaccess on your /maint/ part of the trixbox site?

I agree with greywire, there is no reason why it shouldnt work with either change. If it does get set to no language it does cause a problem until you clear its cache.

can you show us exactly what you have changed please. Hard to diagnose from here with out something to look at. Cheers

Just a small kudo to this thread. this is how community development is suppose to work.

are the sessionfile.txt files supposed to come back at some point?

timmeh4371:

They get generated by the php backend so deleteing them essentialy makes the system think you havent been on it before and sets things to default (in terms of the web content) for you. Like language selection is saved in the sessions text files just for ease of use so you dont have to keep changing the language every new page load.

Yes I can attest to the numerous issues in the code!
A rewrite would be nice to clean up the notice and info errors as well as all the other coding.

Thanks for the good work and chiming in and getting it working.

Paris

PS Why were the registered users not sent an email about this needed update / change? The blog is great if you come regularly. I can't too many other things to do. An email would have helped, I just happened to catch on to this looking for another issue I'm trying to solve.

Thanks

We are trying to get out a patch that is foolproof (IE a simple script).

What we just found right now, is that you need to not only delete those two sessionText.txt files in both maint and user /cache, and the cookie, but you also need to clear the sess* files in /tmp. The exploit will put its crap in all those places.

With the code fix in place in both maint/index.php and user/index.php you cant get anything funky into those sessions or cookies. But you have to get rid of them all first. A lot of the code goes all wobbly if something strange is in that langChoice variable.

I am guessing this is all due to the code first implementing its own session management, then at some point started using php4's built in sessions but still using the old code too. And at no point was any input filtering implemented.

Yes, there's lots of cruft in the code. Errors and warnings from just plain lazy coding. Overly complex spaghetti code. Etc etc etc.

will that fix work on 2.2?