A newly discovered vulnerability (CVE-2024-53566) affects the action_listcategories() function in Sangoma Asterisk's PBX software, version 22 and its subsequent release candidates (22.., 22..-rc1, 22..-rc2, and 22..-pre1). Exploiting this vulnerability allows attackers to perform a path traversal attack on the target system. This post will discuss the details of this vulnerability and provide code snippets, links to original references, and exploit information.
Vulnerability Details
This vulnerability affects the action_listcategories() function in Sangoma Asterisk. The function is responsible for listing the categories for a particular configuration file. However, due to improper input validation, an attacker can manipulate the input to traverse the target system's directory structure, thus potentially leading to unauthorized access and data leakage.
The core issue is that the file path supplied in the request is not correctly validated, which allows path traversal attacks.
Here's a code snippet of the affected function:

    int action_listcategories(struct mansession *s, const struct message *m)
    {
        /* "FileName" is read directly from the headers of the AMI request */
        const char *filename = astman_get_header(m, "FileName");
        struct ast_config *cfg;
        struct ast_variable *v;
        struct ast_category *cat;
        struct ast_flags config_flags = { CONFIG_FLAG_NOCACHE };

        if (ast_strlen_zero(filename)) {
            astman_send_error(s, m, "FileName: No filename specified");
            return -1;
        }

        /* This substring test is the only check applied to the name
         * before it is passed to ast_config_load() */
        if (strstr(filename, "../")) {
            astman_send_error(s, m, "FileName: Invalid filename specified");
            return -1;
        }

        cfg = ast_config_load(filename, config_flags);
        ...
    }

The vulnerability can be exploited by sending a crafted FileName parameter in a command to the action_listcategories() function, allowing an attacker to break out of the intended directory and access sensitive information.
For example:

    command: action_listcategories
    filename: ../../../../../../etc/passwd

Exploit Information
This vulnerability allows an attacker to perform a path traversal attack and access system files outside the intended directory. To exploit this vulnerability, an attacker must have access to the Asterisk Manager Interface (AMI), used to manage and monitor the Asterisk PBX system remotely.
Once the attacker has access to the AMI, they can send a crafted command with the malicious FileName parameter, as shown above, to exploit the path traversal vulnerability.
Remediation
It is highly recommended to update the affected Sangoma Asterisk installation to the latest version, which contains a patch for this vulnerability. Additionally, the implementation of secure access controls for the Asterisk Manager Interface (AMI) can help protect against potential exploitation.
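For code that loads files by a caller-supplied name, the validation that was missing here amounts to a containment check on the canonical path. The following is an added example, not the Asterisk patch or code from the original post; path_is_within_dir(), run_demo() and the /tmp fixture are hypothetical names constructed for illustration.

```c
#define _XOPEN_SOURCE 700 /* realpath(), mkdtemp() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper: 1 if `name` resolves to an existing path inside `dir`, else 0. */
int path_is_within_dir(const char *dir, const char *name)
{
    char base[PATH_MAX], joined[2 * PATH_MAX], real[PATH_MAX];
    size_t n;

    if (!dir || !name || !*name || !realpath(dir, base))
        return 0;
    if (name[0] == '/') /* absolute names are taken as given */
        n = snprintf(joined, sizeof(joined), "%s", name);
    else                /* relative names are anchored at the directory */
        n = snprintf(joined, sizeof(joined), "%s/%s", base, name);
    if (n >= sizeof(joined) || !realpath(joined, real))
        return 0;       /* too long or nonexistent: fail closed */
    n = strlen(base);   /* the '/' test stops "asterisk-old" matching "asterisk" */
    return strncmp(real, base, n) == 0 && real[n] == '/';
}

/* Constructed fixture under /tmp; returns one bit per accepted name (expected: bit 0 only). */
int run_demo(void)
{
    char root[] = "/tmp/ami-demo-XXXXXX", conf[PATH_MAX], old[PATH_MAX], file[PATH_MAX];
    FILE *f;
    if (!mkdtemp(root))
        return -1;
    snprintf(conf, sizeof(conf), "%s/asterisk", root);
    snprintf(old, sizeof(old), "%s/asterisk-old", root);    /* sibling with a shared prefix */
    snprintf(file, sizeof(file), "%s/manager.conf", conf);
    mkdir(conf, 0700);
    mkdir(old, 0700);
    if ((f = fopen(file, "w")) != NULL)
        fclose(f);
    return path_is_within_dir(conf, "manager.conf")
         | path_is_within_dir(conf, "../asterisk-old") << 1 /* relative name leaving the directory */
         | path_is_within_dir(conf, old) << 2               /* absolute path outside the directory */
         | path_is_within_dir(conf, "missing.conf") << 3;   /* nonexistent file */
}

int main(void)
{
    return run_demo() == 1 ? 0 : 1; /* exit status 0 when only manager.conf is accepted */
}
```

Because the comparison is made on the output of realpath(), symbolic links and any mix of "." and ".." segments are resolved before the decision, which a substring test on the raw name cannot do.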
Original References
- NVD - CVE-2024-53566
- Sangoma - Asterisk Security Advisory AST-2024-012
Make sure to follow best practices by keeping your software up to date, implementing secure access controls, and monitoring your system for any signs of potential attacks. Always stay informed on the latest vulnerabilities and patches to protect your systems from potential threats.
Timeline
Published on: 12/02/2024 18:15:11 UTC
Last modified on: 02/06/2025 02:15:10 UTC