Hello 0x00sec,
here I’d like to add a exploit that I happened to discover during my exploration of telco networks.
There is a known exploit for “Sangoma SBC”, that allows you to login into the web config with an universal username of
ha|echo
And any password (it’s irrelevant).
You can read about it here:
https://blog.appsecco.com/sangoma-sbc-remote-command-execution-cve-2017-17430-8c8ad744150c
You then have root access to the configuration and could change or crash the whole system.
What wasn’t mentioned in any of the articles I found, is the following:
If you go to to “Configuration” --> "Command execution"
You will be seeing this screen. If you click on the “Show Shell/NSG Commands” it lists some four or five commands. Normally you’d assume these are the commands you’re able/allowed to use.
However, when you type in and execute
whoami
then the output (it gives the results in html) is
root
And voila, you just have a root shell (although it’s a bit difficult to handle with the indirect html-output).
But you can send all commands and even access the juicy files and contents or set up a reverse shell.
Although I doubt that will be of use for anyone here, I thought I’d just let you know.
Just in case 