exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FreePBX 2.8.0 Code Execution

FreePBX 2.8.0 Code Execution
Posted Sep 24, 2010
Authored by Trustwave | Site trustwave.com

FreePBX versions 2.8.0 and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2010-3490
SHA-256 | d839195f9db7fa9e1b80afddfe9fb68b622f5255ab3e52b81e30ba662b8c23e6

FreePBX 2.8.0 Code Execution

Change Mirror Download
Trustwave's SpiderLabs Security Advisory TWSL2010-005:
FreePBX recordings interface allows remote code execution


Published: 2010-09-23
Version: 1.0

Vendor: FreePBX (http://www.freepbx.org/)
Product: FreePBX and VOIP solutions (AsteriskNOW, TrixBox, etc) using it
Version(s) affected: 2.8.0 and below

Product Description:
FreePBX is an easy to use GUI (graphical user interface) that controls and
manages Asterisk, the world's most popular open source telephony engine
software. FreePBX has been developed and hardened by thousands of
volunteers,has been downloaded over 5,000,000 times, and is utilized in an
estimated 500,000 active phone systems.

Source: http://www.freepbx.org
Credit: Wendel G. Henrique of Trustwave's SpiderLabs

CVE: CVE-2010-3490

The configuration interface for FreePBX is prone to a remote arbitrary code
execution on the system recordings menu. FreePBX doesn't handle file uploads
in a secure manner, allowing an attacker to manipulate the file extension
and the beginning of the uploaded file name.

The piece of code below, found in page.recordings.php, illustrates part of
the recordings upload feature.

/* Code removed to fit better on advisory */

if (isset($_FILES['ivrfile']['tmp_name']) &&
is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
if (empty($usersnum)) {
$dest = "unnumbered-";
} else {
$dest = "{$usersnum}-";
$suffix = substr(strrchr($_FILES['ivrfile']['name'], "."), 1);
$destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
echo "<h6>"._("Successfully uploaded")."
$rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
} ?>

/* Code removed to fit better on advisory */

When a file is uploaded, a copy is saved temporarily under the /tmp/
directory, where the name of the file is composed of
user-controlled-staticname.extension, where:

"user-controlled" is $usersnum variable.
"staticname" value is -ivrrecording.
"extension" is controlled by the user.

If $usersnum variable is not defined, then a static string (unnumbered)
is used.

Finally, when the user clicks on the save button on the System Recordings
interface, the file is saved with the original file name provided by the
user under the /var/lib/asterisk/sounds/custom/ directory.

When uploading a file, an attacker can manipulate the $usersnum variable to
perform a path traversal attack and save it anyplace that the web server
user has access, for example the Apache's DocumentRoot. This allows an
attacker to upload malicious code to the web server and execute it under the
webserver's access permissions.

The HTTP request below illustrates the upload of a phpshell.

POST /admin/config.php HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
en-US; rv: Gecko/20101221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: ARI=cookieValue; PHPSESSID=cookieValue
Authorization: Basic base64auth
Content-Type: multipart/form-data;
Content-Length: 116089

Content-Disposition: form-data; name="display"

Content-Disposition: form-data; name="action"

Content-Disposition: form-data; name="usersnum"

Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
Content-Type: application/octet-stream

/* WebShell code goes here */


To access the webshell in this example, an attacker would use
the following path:

Maintainer Response:
The maintainer has released a patch to address this issue for all versions
of the software 2.3 and newer.

Details of the patch can be found here:

Remediation Steps:
Install the maintainer-provided patch.

Vendor Communication Timeline:
08/13/10 - Initial contact
08/18/10 - Vulnerability disclosed
09/16/10 - Initial fix proposed by maintainer
09/22/10 - Fix reviewed, improved, and released by maintainer
09/23/10 - Advisory public release

Revision History:
1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave responsible for
incident response and forensics, ethical hacking and application security
tests for Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking exercises and
tested the security of hundreds of business applications for Fortune 500
organizations. For more information visit

The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not

Login or Register to add favorites

File Archive:

December 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By