
FreePBX Credential Disclosure

Posted Feb 15, 2012
Authored by Doug W

FreePBX suffers from a remote credential disclosure vulnerability via the web interface.

tags | exploit, remote, web, info disclosure
MD5 | efdc1ed016f2470c90103ddca9c5b00d

Have FreePBX running on a public IP, and don't have the latest version? It may be vulnerable.

If you have an Asterisk phone server running on a public IP, using the FreePBX web GUI, and don't have one of the latest releases, it may be vulnerable.

It's very common to have FreePBX on an Internet-routed IP, especially if you have multiple locations using the same FreePBX server.

And the scary part is that little documentation exists about this vulnerability, and as of right now it's not listed on CVE Details:

http://www.cvedetails.com/vendor/6470/Freepbx.html

To test, go to the following URL in your browser:

http://yourip/admin/modules/framework/bin/gen_amp_conf.php

Replace yourip with your actual IP, and admin with your admin directory if different.

If you get a 404, you should be protected. If you get a blank page, view the source, or download a copy of that page with wget or curl, to confirm that it really is blank.

If you see a bunch of code or configuration entries, you have a vulnerable version. Look for ARI_ADMIN_USERNAME and ARI_ADMIN_PASSWORD; they should match the initial login you had for the admin interface.
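The check above, turned into a small script you can run against your own server, as an added example that is not part of the advisory. It classifies the response the way the text does (404 means protected, an empty body is fine, the ARI_ADMIN_* keys mean the generated config is exposed) and reports only the verdict, never the leaked values. The base URL and admin directory are arguments; curl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify the response of the
# gen_amp_conf.php check. Assumes curl; host and admin directory are
# supplied by the caller.

# classify_response STATUS BODYFILE
# Prints one of: protected, blank, exposed, unknown
classify_response() {
    status="$1"
    bodyfile="$2"
    case "$status" in
        # 404: file not served (advisory's "protected" case).
        # 403: the web server denied the request, e.g. an httpd.conf allow list.
        404|403) echo protected; return 0 ;;
    esac
    if [ "$status" = "200" ]; then
        # A vulnerable build dumps the generated amportal config, which
        # contains the ARI_ADMIN_* keys the advisory says to look for.
        if grep -q -e 'ARI_ADMIN_USERNAME' -e 'ARI_ADMIN_PASSWORD' "$bodyfile"; then
            echo exposed; return 0
        fi
        # Strip whitespace: a truly blank page means the script ran but printed nothing.
        if [ -z "$(tr -d '[:space:]' < "$bodyfile")" ]; then
            echo blank; return 0
        fi
    fi
    # Anything else (e.g. a login page, a redirect, or curl's 000 on
    # connection failure) needs a human look.
    echo unknown
}

# check_host BASEURL [ADMINDIR]   e.g.  check_host http://192.0.2.10 admin
check_host() {
    base="$1"
    admindir="${2:-admin}"
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' \
        "$base/$admindir/modules/framework/bin/gen_amp_conf.php")
    classify_response "$status" "$tmp"
    rm -f "$tmp"
}
```

A result of "exposed" means the fix steps below apply immediately; "unknown" most often means a redirect to a login page or a connection failure, so look at the saved body before drawing a conclusion.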

This will allow anyone to log in, look at your SIP extensions, view their passwords in plain text, and then connect to your phone server and run up your phone bill.

Typically a hacker will enable international calling and/or 900/976 numbers, even if you had them blocked in your outbound routes, possibly making you responsible for thousands of dollars in phone calls.

Now let's get into how to block this.

#1 Upgrade to the latest version of FreePBX. The easiest way to do that is by following the instructions here:

http://www.freepbx.org/forum/freepbx-distro/distro-discussion-help/release-versions

Whether you upgrade or not, you should harden your server.

So #2: restrict access to your phone server to only the IPs that absolutely need to access it. If you have phones on dynamic IPs, such as typical DHCP from an ISP cable or DSL modem, this may not be practical, and you may want to allow a block of IPs, or limit access by country.

Most hackers are not from your country, so this will keep a lot of them from finding your server in the first place. It is possible for them to use a proxy, but a lot of the time they won't take that extra step.

IPs can be easily restricted using iptables, or a firewall manager such as the APF firewall available here:

http://www.rfxn.com/projects/advanced-policy-firewall/

#3 Assuming the hacker is using a proxy and you have phones on dynamic IPs, you can still restrict access to the web interface to a single IP or a few IPs by editing httpd.conf.

The section of configuration you're looking for is below; add an allow line for each IP you want to access the web interface from:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    #
    # Controls who can get stuff from this server.
    #
    Order deny,allow
    allow from 12.34.56.78
    deny from all
</Directory>

#4 Turn the web server off. You don't need the web interface up to make or receive phone calls, so you can leave it off and only turn it on when you need to work in it:

service httpd stop

and start it again with service httpd start when you need the interface.

#5 Change the httpd port. A hacker can easily find the new port with a port scanner, but this makes them go through yet one more step. You would do that with this line in httpd.conf:

Listen 801

Then restart apache.

#6 Test everything to verify that you can access the server/web interface and other IPs can't.

#7 Monitor your system continuously. Look at the Asterisk log to see which extensions, and which IPs, are registering:

grep Reg /var/log/asterisk/full

Look at your call logs and make sure there isn't an unusually high number of calls, and if you have international or 900/976 numbers enabled by your provider, look at the logs extra carefully for those.

As you can see, a hacker can easily get access to an out-of-date FreePBX system. However, there are enough tips here to find out whether you're vulnerable, upgrade your system, block this type of attack, and help block similar exploits in the future.
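Step #7 as a repeatable check rather than a one-off grep, added here as an example that is not part of the advisory. It summarises successful and failed SIP registrations per extension and source IP, then flags any source IP outside an allow list of address prefixes (plain string prefixes, not CIDR, to keep it dependency-free). The log lines are constructed samples in the chan_sip format of Asterisk 1.8; if your version logs registrations differently, adjust the two patterns.

```shell
#!/bin/sh
# Added example (not from the advisory): summarise SIP registrations in
# /var/log/asterisk/full and flag source IPs outside an allow list.

# Constructed sample log (not real traffic); on a live box feed the real
# file instead: summarize_registrations < /var/log/asterisk/full
sample_log() {
    cat <<'EOF'
[Feb 15 10:01:02] VERBOSE[2201] chan_sip.c:     -- Registered SIP '101' at 192.0.2.20:5060
[Feb 15 10:01:09] VERBOSE[2201] chan_sip.c:     -- Registered SIP '102' at 192.0.2.21:5060
[Feb 15 10:05:44] NOTICE[2201] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.77:5060' - Wrong password
[Feb 15 10:05:45] NOTICE[2201] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.77:5060' - Wrong password
[Feb 15 10:06:10] VERBOSE[2201] chan_sip.c:     -- Registered SIP '101' at 198.51.100.77:5060
[Feb 15 10:06:11] VERBOSE[2201] chan_sip.c:   == Using SIP RTP CoS mark 5
EOF
}

# summarize_registrations < logfile
# Output lines: "<count> <extension> <source-ip> <ok|failed>"
summarize_registrations() {
    awk -v q="'" '
        # Successful registration:  -- Registered SIP '"'"'101'"'"' at 192.0.2.20:5060
        /Registered SIP/ {
            s = $0
            sub(".*Registered SIP " q, "", s); ext = s; sub(q ".*", "", ext)
            ip = s; sub(".* at ", "", ip); sub(":.*", "", ip)
            n[ext " " ip " ok"]++
        }
        # Failed attempt: Registration from '"'"'"101" <sip:101@...>'"'"' failed for '"'"'IP:port'"'"' - reason
        /Registration from/ && /failed for/ {
            s = $0
            if (sub(".*Registration from " q "\"", "", s)) {
                ext = s; sub("\".*", "", ext)          # display-name form "101"
            } else {
                ext = s; sub(".*<sip:", "", ext); sub("@.*", "", ext)   # no display name
            }
            ip = $0; sub(".*failed for " q, "", ip); sub(":.*", "", ip)
            n[ext " " ip " failed"]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k2
}

# flag_unexpected "PREFIX PREFIX ..." < summary
# Prints summary lines whose source IP does not start with any allowed prefix.
flag_unexpected() {
    awk -v allowed="$1" '
        BEGIN { na = split(allowed, a, " ") }
        {
            ok = 0
            for (i = 1; i <= na; i++) if (index($3, a[i]) == 1) ok = 1
            if (!ok) print
        }'
}

# Demo on the constructed sample: only 192.0.2.x phones are expected.
sample_log | summarize_registrations | flag_unexpected "192.0.2."
```

On the sample, the flagged output shows two failed attempts for extension 101 from 198.51.100.77 followed by a successful registration from the same address, which is exactly the pattern (a guessed password, then a rogue phone registered) that precedes a run-up phone bill. Run it from cron with the real log and mail yourself the flagged lines.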
