FreePBX callmenum Remote Code Execution

2012-05-02T00:00:00
ID SAINT:CA451A4DE14C70201895E4FCF5B35446
Type saint
Reporter SAINT Corporation
Modified 2012-05-02T00:00:00

Description

Added: 05/02/2012
BID: 52630
OSVDB: 80544

Background

FreePBX is an open source telephony front-end that provides an easy-to-use graphical user interface for controlling and managing Asterisk.

Problem

FreePBX fails to properly sanitize user-supplied input passed to the 'callmenum' parameter of recordings/misc/callme_page.php when the 'action' parameter is set to 'c'. This can be exploited to execute arbitrary code.

Resolution

Apply the patch from the FreePBX SVN repository, or from the support ticket.

References

<http://www.freepbx.org/trac/ticket/5711>
<http://seclists.org/fulldisclosure/2012/Mar/234>

Limitations

This exploit has been tested against FreePBX 2.9.0.7 on CentOS 5.7 Linux. The exploit will brute-force extension numbers if one is not provided, but the call must be answered for the attack to succeed.
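As an added example (not part of the SAINT advisory and not FreePBX code), the Python below scans web-server access logs for the two signals the Problem and Limitations sections describe: requests to the affected script with action=c whose callmenum is not a plain numeric extension, and a single source cycling through many extension values. The log lines are constructed samples, the path and parameter names come from the advisory, and the sweep threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Common Log Format, for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [02/May/2012:10:00:01 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1001 HTTP/1.1" 200 512
10.0.0.7 - - [02/May/2012:10:00:02 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1001%20extra HTTP/1.1" 200 512
10.0.0.9 - - [02/May/2012:10:00:03 +0000] "GET /admin/config.php HTTP/1.1" 200 2048
10.0.0.8 - - [02/May/2012:10:00:04 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=2001 HTTP/1.1" 200 512
10.0.0.8 - - [02/May/2012:10:00:05 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=2002 HTTP/1.1" 200 512
10.0.0.8 - - [02/May/2012:10:00:06 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=2003 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
VULN_PATH = "/recordings/misc/callme_page.php"   # path named in the advisory
EXTENSION_RE = re.compile(r"^\d+$")              # a legitimate extension is digits only

def parse_line(line):
    """Return (client_ip, method, path, query_dict), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, _status = m.groups()
    parts = urlsplit(target)
    return ip, method, parts.path, parse_qs(parts.query)

def flag_requests(log_text, sweep_threshold=3):
    """Flag action=c requests to callme_page.php with a non-numeric callmenum, and
    sources that try many distinct callmenum values (assumed threshold; tune per site)."""
    findings = []
    seen = defaultdict(set)          # client ip -> set of callmenum values tried
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, _method, path, query = parsed
        if path != VULN_PATH or query.get("action") != ["c"]:
            continue
        callmenum = query.get("callmenum", [""])[0]   # parse_qs drops empty values
        if not EXTENSION_RE.match(callmenum):
            findings.append((ip, callmenum, "non-numeric callmenum"))
        seen[ip].add(callmenum)
    for ip, nums in seen.items():
        if len(nums) >= sweep_threshold:
            findings.append((ip, None, f"{len(nums)} distinct callmenum values (possible sweep)"))
    return findings

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG):
        print(finding)
```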

Platforms

Linux