The Sangoma Inquisition - A Summary.
The "Sangoma Inquisition" was a project where I audited a few products from the company "Sangoma", who among other things provide telecoms/VoIP products to telecoms providers. In this post, I'll clear up a few things and try to enumerate all the issues found.
Doing vulnerability research on provider level stuff seemed like a logical follow-on to previous work I did targeting ATA devices and VoIP "desk phones" and such.
I had also heard an unverified rumour of a "Netborder 0day" being sold by a threat actor who was also offering "SS7 access" on some forum, so that gave me an idea as to where to begin looking in terms of products/vendors. There also have been persistent rumours about threat actors exploiting SS7 accesses, even CISA have issued advisories about this.
I presented the results of this work at BSides Basingstoke on July 19th 2024. BSides Basingstoke was the 1000th BSides event, and it was fucking awesome.
At that time, and at the time of writing this entry, I have not bothered contacting the vendor, or gotten around to working out how to request CVEs for the discovered vulnerabilities.
There are a couple of reasons why I elected to go the route of full disclosure.
The first was, when I originally went looking for a "security contact" at Sangoma, the information I found was concerning - a random Gmail account on one of their product wikis and a mention of a "bug bounty". They have since migrated the wiki to some knowledge base.
The second was the experiences of other researchers. A talk at Defcon in 2023 specifically called out Sangoma's security disclosure process as being absolutely dogshit - with the vendor offering bounties, never paying, silently fixing bugs, and being completely uncommunicative.
Coordinated vulnerability disclosure is a courtesy, not a given. If a vendor has a history of not playing ball, I see no need to bother jumping through their hoops. They can cope with the full disclosure, and hopefully see it as a learning experience and improve their processes in future.
Anyway. With that out of the way.
The products assessed were the following:
- Sangoma NSC - Sangoma Netborder Session Controller.
- Sangoma NSG - Sangoma Netborder SS7 to VoIP Gateway.
- Sangoma NTG - Sangoma NetBorder Transcoding Gateway.
- Sangoma VideoMCU - Sangoma Video Multipoint Control Unit.
Vulnerabilities discovered included broken authentication, use of vulnerable components, XXE (XML external entity injection), XSS (cross site scripting), argument injection, shell command injection, vulnerable sudoers configurations leading to local privilege escalation, session hijacking through directory listing, file download, and arbitrary file write bugs. It is also worth noting that the kernel and software versions on these things are absolutely ancient.
Below I will try to list all the vulnerabilities disclosed, the products affected, and link to the relevant blog post from this series.
- "TabbyPass" - an argument injection issue leading to authentication bypass. Affects NSC and NSG products.
- "SAFeShell" - post-authentication shell command injection issue leading to unprivileged command execution. Affects NSC products.
- "FilterShell" - post-authentication shell command injection issue leading to unprivileged command execution. Affects NSG products.
- sudo access to nohup - local privilege escalation to root. Affects NSC and NSG products.
- sudo access to yum - local privilege escalation to root. Affects NSC, NSG, NTG and VideoMCU products.
- sudo access to tar - local privilege escalation to root. Affects NSC, NSG, NTG and VideoMCU products.
- sudo access to PHP - local privilege escalation to root. Affects NSC products.
- sudo access to OpenSSL - local privilege escalation to root. Affects NSC and VideoMCU products.
- sudo access to service - local privilege escalation to root. Affects NSC, NSG, NTG and VideoMCU products.
- sudo access to tcpdump - local privilege escalation to root. Affects NSC and NSG products. Unexploitable (for now...) on VideoMCU.
- sudo access to Python - local privilege escalation to root. Affects VideoMCU products.
- sudo access to zip - local privilege escalation to root. Affects NSC products.
- sudo access to chmod/chown - local privilege escalation to root by many vectors. Affects NSC, NSG, NTG and VideoMCU products.
- sudo access to find - local privilege escalation to root. Affects NSC, NSG, NTG and VideoMCU products.
- NTG Post-Auth RCE - post-authentication shell command injection leading to unprivileged command execution. Affects NTG products.
- VideoMCU Post-Auth RCE - post-authentication shell command injection leading to unprivileged command execution. Affects VideoMCU products.
- FusionDoors - broken access controls leading to multiple issues including remote root shell command execution, remote root PHP code execution, remote file reading as root through multiple endpoints, and remote file writing as root through multiple endpoints, along with a (limited) shell command execution issue. Does this only count as one, or as 5 issues? Or as 10 issues? Are we counting endpoints affected? I'll count it as one for now. Affects NSG products.
- MagicGate - use of a vulnerable version of the GateOne web SSH terminal leads to remote command execution with root privileges from an unauthenticated, remote user. Affects NSC products.
- Cross-Site Scripting in NSG - trivial unauthenticated reflected XSS. Affects NSG products.
- XXE in SOAP interface - unauthenticated XXE in the SOAP interface. May be used to perform SSRF or potentially exfiltrate files. Affects NTG and VideoMCU products.
- Information Disclosure (PHPSysInfo) - an unprotected PHPSysInfo page leaks potentially useful information. Affects NSG, NTG and VideoMCU products.
- Directory listing leading to session hijacking - by listing the contents of controlled directories from an unauthenticated endpoint, it is possible to hijack valid sessions and gain administrative access to the web interface. Affects NTG and VideoMCU products.
In total, I think that is 22 unique issues, being conservative with my counting and counting "dupes across products" as only one issue.
That is a lot of problems for an idiot with grep and Burp to find in your stuff in their free time.
These issues can all be combined in various ways to gain full remote, unauthenticated root shells on all of the devices tested. Happy days. For example, "TabbyPass" can be chained with "SAFeShell" (on NSC) or "FilterShell" (on NSG) to get unauthenticated code execution, followed by any of the local privilege escalations.
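Twelve of the issues above are the same root cause: a sudoers rule handing the web user a binary that can be turned into a root shell. As an added example (not code from the original posts or from Sangoma), here is a small sudoers audit that flags exactly those binaries; the sudoers content below is constructed, and the script does not expand aliases, `#include` directives or backslash continuations.

```python
"""Flag sudoers rules that grant the binaries listed in the findings above.

Added example, not part of the original post. RISKY is the set of binaries
the findings show lead to root via sudo; SAMPLE_SUDOERS is constructed.
"""
import re

# Binaries this project found granted via sudo, each of which leads to root.
RISKY = {"nohup", "yum", "tar", "php", "openssl", "service", "tcpdump",
         "python", "zip", "chmod", "chown", "find"}

# Constructed sample sudoers content (not taken from any real appliance).
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL)       ALL
# web interface helper commands
apache  ALL=(root) NOPASSWD: /usr/bin/yum, /bin/tar, /usr/sbin/tcpdump
apache  ALL=(root) NOPASSWD: /usr/bin/python2.6 /opt/app/bin/check.py
asterisk ALL=(ALL) NOPASSWD: /sbin/service, /bin/chmod, /bin/chown
%wheel  ALL=(ALL)       ALL
backup  ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
"""

# user  host=(runas) [TAG:]... command[, command]...
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
                  r"(\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def _basename(path):
    """Map /usr/bin/python2.6 or /usr/bin/php72 to the bare tool name."""
    name = path.rsplit("/", 1)[-1]
    return re.sub(r"[\d.]+$", "", name)


def audit_sudoers(text):
    """Return (user, binary, command) for every non-root rule granting a RISKY binary."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m or m.group("user") == "root":
            continue
        # Drop tags such as NOPASSWD: / SETENV: before splitting the command list.
        cmds = re.sub(r"^(?:[A-Z]+:\s*)+", "", m.group("cmds"))
        for cmd in (c.strip() for c in cmds.split(",")):
            if cmd == "ALL":          # blanket grants are out of scope here
                continue
            binary = _basename(cmd.split()[0])
            if binary in RISKY:
                findings.append((m.group("user"), binary, cmd))
    return findings


if __name__ == "__main__":
    for user, binary, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: sudo {binary} via '{cmd}' - known root escalation path")
```

On a real box, feed it `/etc/sudoers` plus every file under `/etc/sudoers.d/`; a fixed script argument (as in the python rule above) narrows the grant but still deserves manual review.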
Now, someone did ask why I decided to publish each thing as its own post - that is because I have the attention span of a drunk gnat most of the time, and each bug is unique and special enough to warrant its own entry.
Anyway, that just about wraps up this project for now. It has been a lot of fun. I hope others pick up where I left off - I probably left some bugs behind that I just didn't have the time to fully explore, there are at least a few other ways to do fun things post-authentication, and that XXE looks promising.