CVE-2020-37104
📋 TL;DR
CVE-2020-37104 allows unauthenticated attackers to download database backup files from ASTPP VoIP billing software by brute-forcing predictable 6-digit PIN filenames. This exposes sensitive database information including credentials, call records, and billing data. All ASTPP 4.0.1 installations with default configurations are affected.
💻 Affected Systems
- ASTPP (Open Source VoIP Billing Solution)
📦 What is this software?
ASTPP by iNextrix
⚠️ Risk & Real-World Impact
Worst Case
Complete database exfiltration including administrator credentials, customer data, call records, financial information, and system configuration leading to full system compromise and data breach.
Likely Case
Attackers download database backups containing sensitive information, potentially leading to credential theft, data exposure, and further system compromise.
If Mitigated
Limited exposure with only partial backup files accessible or no successful downloads due to access controls.
🎯 Exploit Status
Exploit code available on Exploit-DB (47900). Attack involves simple HTTP requests to guess 6-digit PIN backup filenames.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ASTPP 4.0.2 and later
Vendor Advisory: https://github.com/iNextrix/ASTPP
Restart Required: No
Instructions:
1. Upgrade to ASTPP 4.0.2 or later.
2. Download the latest version from the official repository.
3. Follow the upgrade instructions in the documentation.
4. Verify that backup directory access controls are properly implemented.
🔧 Temporary Workarounds
Restrict access to backup directory
Block unauthenticated access to the /database_backup/ directory using the web server configuration:
# For Apache 2.4: add to the virtual host config (a <Location> block is not valid in .htaccess;
# in an .htaccess file placed inside database_backup/ use the bare line "Require all denied")
<Location /database_backup/>
Require all denied
</Location>
# For Nginx: add to the server block
location /database_backup/ {
deny all;
}
Remove or secure backup files
Delete existing backup files or move them outside the web root:
# Move backup files to secure location
mv /var/www/html/database_backup/* /secure/backup/location/
# Delete backup files
rm -rf /var/www/html/database_backup/*
🧯 If You Can't Patch
- Implement strict network access controls to limit access to ASTPP web interface
- Deploy web application firewall (WAF) rules to block requests to /database_backup/ patterns
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[astpp-server]/database_backup/backup_000000.sql and other 6-digit PIN filenames without logging in. If any backup file downloads without authentication, the system is vulnerable.
Check Version:
Check the ASTPP version in the web interface admin panel, or examine the ASTPP source files for version information.
Verify Fix Applied:
Verify the upgrade to ASTPP 4.0.2 or later, and test that the /database_backup/ directory returns 403 Forbidden or redirects to the login page for unauthenticated requests.
📡 Detection & Monitoring
Log Indicators:
- Multiple 403/404 requests to /database_backup/ patterns
- Successful downloads of .sql files from backup directory
- Unusual traffic patterns with sequential 6-digit numbers in URLs
Network Indicators:
- HTTP GET requests matching /database_backup/backup_[0-9]{6}\.sql
- Large outbound transfers of .sql files from web server
SIEM Query:
source="web_logs" AND (url="/database_backup/*" OR url LIKE "/database_backup/backup_%") AND (response_code=200 OR bytes_out>1000000)
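The log indicators above can be turned into a small offline check. The following is an added example, not code from the advisory or the ASTPP project: it parses combined-format web access logs, groups requests for /database_backup/backup_NNNNNN.sql by client, and flags clients that enumerated several distinct PINs (sequential ones especially) or received a 200 response, which is the sign of a successful download. The log lines are constructed sample data.

```python
"""Flag CVE-2020-37104 backup-PIN enumeration in web access logs (added example)."""
import re
from collections import defaultdict

# Combined/common log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# The vulnerable download path: a 6-digit PIN in the backup filename
BACKUP_RE = re.compile(r'^/database_backup/backup_(?P<pin>\d{6})\.sql$')

# Constructed sample log: one client walking PINs sequentially and succeeding,
# one client making a single unrelated probe.
SAMPLE_LOGS = """\
203.0.113.7 - - [10/Jan/2020:12:00:01 +0000] "GET /database_backup/backup_000000.sql HTTP/1.1" 404 169
203.0.113.7 - - [10/Jan/2020:12:00:01 +0000] "GET /database_backup/backup_000001.sql HTTP/1.1" 404 169
203.0.113.7 - - [10/Jan/2020:12:00:02 +0000] "GET /database_backup/backup_000002.sql HTTP/1.1" 404 169
203.0.113.7 - - [10/Jan/2020:12:00:02 +0000] "GET /database_backup/backup_000003.sql HTTP/1.1" 200 5242880
198.51.100.4 - - [10/Jan/2020:12:01:00 +0000] "GET /index.php/login HTTP/1.1" 200 2311
198.51.100.4 - - [10/Jan/2020:12:01:05 +0000] "GET /database_backup/backup_481516.sql HTTP/1.1" 404 169
"""


def analyze(log_text, probe_threshold=3):
    """Return {ip: {"probes", "sequential", "downloads"}} for flagged clients.

    A client is flagged when it requested at least probe_threshold distinct PINs
    (enumeration) or received any 200 for a backup file (successful download).
    """
    stats = defaultdict(lambda: {"pins": set(), "downloads": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        b = BACKUP_RE.match(m["path"]) if m else None
        if not b:
            continue  # unparsable line or not a backup-file request
        entry = stats[m["ip"]]
        entry["pins"].add(b["pin"])
        if m["status"] == "200":
            size = int(m["bytes"]) if m["bytes"] != "-" else 0
            entry["downloads"].append((b["pin"], size))
    findings = {}
    for ip, e in stats.items():
        pins = sorted(e["pins"])
        # Consecutive PIN values are the signature of a brute-force walk
        sequential = len(pins) > 1 and all(
            int(pins[i + 1]) - int(pins[i]) == 1 for i in range(len(pins) - 1))
        if len(pins) >= probe_threshold or e["downloads"]:
            findings[ip] = {"probes": len(pins), "sequential": sequential,
                            "downloads": e["downloads"]}
    return findings
```

Any entry with a non-empty "downloads" list should be treated as a confirmed exfiltration of that backup file, not just a probe.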