SAFeShell - Sangoma NSC Post-Authentication Remote Code Execution.

This is part of a series of posts on the Sangoma exploits I released at BSides Basingstoke 2024.

This vulnerability affects the Sangoma Netborder Session Controller (NSC). These are telecoms/VoIP products for SS7 and VoIP networks, which purport to provide security features.

"SAFeShell" is a trivially exploitable shell command injection vulnerability in the administrative interface of the Sangoma NSC appliance that grants code execution under the "webconfig" user account.
It can be chained with the "TabbyPass" issue to gain unauthenticated remote code execution.

This writeup is stupidly simple. In the NSC's web user interface, there is an endpoint named /SAFe/Sng_capture, which enables running tcpdump for diagnostic reasons.

Before tcpdump is ran, some checks are performed by calling ifconfig to determine if an interface exists and such. Which leads to this absolute gem of a piece of code...

Here we have a textbook example of shell command injection. We just need to build the appropriate request to reach this endpoint, which is rather simple - the below snippet of Python code shows exactly how to accomplish this to gain code execution.

So, given a valid session on the device (accomplished using "TabbyPass"), we can now spawn a (unprivileged) shell.

These issues have not been disclosed to Sangoma yet, due to their past performance when it comes to handling vulnerability disclosures - I don't have time to waste fighting uncooperative vendors.

In the next post, I'll publish a similar issue in the NSG appliance which can also be chained with TabbyPass to gain code execution as an unauthenticated user.