Overlooked privesc on Sangoma Netborder device

Hello 0x00sec,

here I’d like to add a exploit that I happened to discover during my exploration of telco networks.

There is a known exploit for “Sangoma SBC”, that allows you to login into the web config with an universal username of

ha|echo

And any password (it’s irrelevant).



You can read about it here:

https://wiki.freepbx.org/display/SBC/SBC+Security+Advisory+SEC-20180126

You then have root access to the configuration and could change or crash the whole system.

What wasn’t mentioned in any of the articles I found, is the following:

If you go to to “Configuration” --> "Command execution"

You will be seeing this screen. If you click on the “Show Shell/NSG Commands” it lists some four or five commands. Normally you’d assume these are the commands you’re able/allowed to use.

However, when you type in and execute

whoami

then the output (it gives the results in html) is

root

And voila, you just have a root shell (although it’s a bit difficult to handle with the indirect html-output).

But you can send all commands and even access the juicy files and contents or set up a reverse shell.

Although I doubt that will be of use for anyone here, I thought I’d just let you know.

Just in case :slight_smile:

9 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.