Executive Summary

CVE-2020-37153 affects ASTPP version 4.0.1, an open-source VoIP billing platform. It contains multiple critical security flaws including cross-site scripting (XSS) and command injection vulnerabilities within the SIP device configuration and plugin management interfaces.

Attackers can exploit these vulnerabilities by injecting malicious HTML or JavaScript code into SIP device parameters, hijacking administrator sessions through stolen cookies, and then executing arbitrary system commands via the plugin installation interface.

The attack chain can escalate to executing code with root privileges by manipulating cron tasks due to misconfigured cron job settings, allowing full remote root access on affected Linux systems.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution with root privileges, complete system compromise, and data theft.

• Attackers can hijack administrator sessions, gaining full control over the ASTPP system.
• They can execute arbitrary commands on the server, potentially installing backdoors or malware.
• Root-level access allows attackers to manipulate system files, escalate privileges, and maintain persistent control.
• Sensitive configuration files containing database credentials and other critical information can be stolen, enabling further exploitation.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking for signs of command injection and cross-site scripting (XSS) in the SIP device configuration and plugin management interfaces of ASTPP 4.0.1.

One approach is to test the SIP device parameters by injecting HTML or JavaScript payloads into fields such as SIP Caller Number and Caller Name to see if input validation is bypassed.

Example commands to test command injection via the plugin installation interface include running system commands like `system date;id;whoami` through the web interface.

Additionally, monitoring for unusual cron jobs or scheduled tasks that could be running with root privileges may indicate exploitation, as attackers can manipulate cron tasks to execute arbitrary code.

Network detection can also include monitoring for reverse shell connections, such as Python-based reverse shells connecting back to attacker IPs on uncommon ports (e.g., port 4444).

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying patches or upgrading ASTPP to a version where these vulnerabilities are fixed.

If patching is not immediately possible, restrict access to the SIP device configuration and plugin management interfaces to trusted administrators only.

Disable or restrict the ability to install or manage plugins through the web interface to prevent command injection.

Review and secure cron jobs and scheduled tasks to prevent unauthorized modification or execution of commands with root privileges.

Monitor network traffic for suspicious connections, especially reverse shells or unexpected outbound connections from the ASTPP server.

Implement strong input validation and session management controls to prevent XSS and session hijacking.

Useful 0 Not Useful 0