Critical FreePBX RCE Vulnerability (ALL Versions) CVE-2014-7235

I’'ve followed the steps in the post. When I run /fpbxseccheck.phar --clean --redownload - results
-bash: /fpbxseccheck.phar: No such file or directory.

Here is my output:
[root@localhost ~]# wget --no-check-certificate https://github.com/Schmoozecom/fpbxcheck/raw/master/fpbxseccheck.phar
–2014-10-13 17:48:39-- https://github.com/Schmoozecom/fpbxcheck/raw/master/fpbxseccheck.phar
Resolving github.com… 192.30.252.130
Connecting to github.com|192.30.252.130|:443… connected.
HTTP request sent, awaiting response… 302 Found
Location: https://raw.githubusercontent.com/Schmoozecom/fpbxcheck/master/fpbxseccheck.phar [following]
–2014-10-13 17:48:39-- https://raw.githubusercontent.com/Schmoozecom/fpbxcheck/master/fpbxseccheck.phar
Resolving raw.githubusercontent.com… 23.235.46.133
Connecting to raw.githubusercontent.com|23.235.46.133|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 42683 (42K) [application/octet-stream]
Saving to: âfpbxseccheck.phar.1â

100%[========================================================>] 42,683 --.-K/s in 0.07s

2014-10-13 17:48:39 (620 KB/s) - âfpbxseccheck.phar.1â

Further Output.

[root@localhost ~]# ./fpbxseccheck.phar
Starting integrity check…
Attempting to upgrade Framework
–2014-10-13 17:50:33-- http://mirror1.freepbx.org/modules/packages/framework/framework-2.11.0.38.tgz?installid=b2d24f8672660174e834df6fdcb2e969
Resolving mirror1.freepbx.org… 162.253.134.144
Connecting to mirror1.freepbx.org|162.253.134.144|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 3419372 (3.3M) [application/octet-stream]
Saving to: â/var/www/html/admin/modules/_cache/framework-2.11.0.38.tgzâ

100%[========================================================>] 3,419,372 1.88M/s in 1.7s

2014-10-13 17:50:35 (1.88 MB/s) - â/var/www/html/admin/modules/_cache/framework-2.11.0.38.tgzâ

Downloading 3419372 of 3419372 (100%)

Untaring…Done
Module framework successfully downloaded
installing files to /var/www/html…done
installing files to /var/lib/asterisk/bin…done
installing files to /var/lib/asterisk/agi-bin…done
Checking for upgrades…No further upgrades necessary
framework file install done, removing packages from module
file/directory: /var/www/html/admin/modules/framework/amp_conf removed successfully
file/directory: /var/www/html/admin/modules/framework/upgrades removed successfully
file/directory: /var/www/html/admin/modules/framework/libfreepbx.install.php removed successfully
Module framework successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/isymphony
chattr: Operation not supported while reading flags on /var/www/html/provisioning
chattr: Operation not supported while reading flags on /var/www/html/wcb.php
Permissions OK
Now Checking Framework…
Cleaning up exploit 'mgknight’
Removing invalid bootstrap file
Deleting mgknight user
Moving potentially compromised file /etc/asterisk/manager_custom.conf to /tmp/freepbx_quarantine/manager_custom.conf
Moving potentially compromised file /etc/asterisk/sip_custom.conf to /tmp/freepbx_quarantine/sip_custom.conf
Moving potentially compromised file /etc/asterisk/extensions_custom.conf to /tmp/freepbx_quarantine/extensions_custom.conf
Cleaned potential exploit. Please check your system for any suspicious activity. This script might not have removed it all!
OK
FreePBX ARI Framework detected as installed, attempting to update
–2014-10-13 17:50:38-- http://mirror1.freepbx.org/modules/packages/fw_ari/fw_ari-2.11.1.5.tgz?installid=b2d24f8672660174e834df6fdcb2e969
Resolving mirror1.freepbx.org… 162.253.134.144
Connecting to mirror1.freepbx.org|162.253.134.144|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 249070 (243K) [application/octet-stream]
Saving to: â/var/www/html/admin/modules/_cache/fw_ari-2.11.1.5.tgzâ

100%[========================================================>] 249,070 480K/s in 0.5s

2014-10-13 17:50:39 (480 KB/s) - â/var/www/html/admin/modules/_cache/fw_ari-2.11.1.5.tgzâ

Downloading 249070 of 249070 (100%)

Untaring…Done
Module fw_ari successfully downloaded
installing files to /var/www/html/recordings…done
installing files to /var/www/html/recordings…done
fw_ari file install done, removing packages from module
files removed successfully
Module fw_ari successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/isymphony
chattr: Operation not supported while reading flags on /var/www/html/provisioning
chattr: Operation not supported while reading flags on /var/www/html/wcb.php
Permissions OK
UNSIGNED MODULE phpagiconf – attempting to redownload
–2014-10-13 17:50:42-- http://mirror1.freepbx.org/modules/packages/phpagiconf/phpagiconf-2.11.0.0.tgz?installid=b2d24f8672660174e834df6fdcb2e969
Resolving mirror1.freepbx.org… 162.253.134.144
Connecting to mirror1.freepbx.org|162.253.134.144|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 13668 (13K) [application/octet-stream]
Saving to: â/var/www/html/admin/modules/_cache/phpagiconf-2.11.0.0.tgzâ

100%[========================================================>] 13,668 --.-K/s in 0.007s

2014-10-13 17:50:42 (1.95 MB/s) - â/var/www/html/admin/modules/_cache/phpagiconf-2.11.0.0.tgzâ

Downloading 13668 of 13668 (100%)

Untaring…Done
Module phpagiconf successfully downloaded
Module phpagiconf successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/isymphony
chattr: Operation not supported while reading flags on /var/www/html/provisioning
chattr: Operation not supported while reading flags on /var/www/html/wcb.php
Permissions OK
UNSIGNED MODULE fw_langpacks – attempting to redownload
The following error(s) occured:

100%[========================================================>] 6,283 --.-K/s in 0.003s

2014-10-13 17:50:45 (1.94 MB/s) - â/var/www/html/admin/modules/_cache/extensionsettings-2.11.0.2.tgzâ

Downloading 6283 of 6283 (100%)

Untaring…Done
Module extensionsettings successfully downloaded
Module extensionsettings successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/isymphony
chattr: Operation not supported while reading flags on /var/www/html/provisioning
chattr: Operation not supported while reading flags on /var/www/html/wcb.php
Permissions OK
UNSIGNED MODULE isymphony – attempting to redownload
The following error(s) occured:

100%[========================================================>] 14,478 --.-K/s in 0.1s

2014-10-13 17:50:48 (142 KB/s) - â/var/www/html/admin/modules/_cache/customcontexts-2.11.0.1.tgzâ

Downloading 14478 of 14478 (100%)

Untaring…Done
Module customcontexts successfully downloaded
Module customcontexts successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/isymphony
chattr: Operation not supported while reading flags on /var/www/html/provisioning
chattr: Operation not supported while reading flags on /var/www/html/wcb.php
Permissions OK
Complete. Summary:
Good modules: 74
Bad modules: 0
Signature Missing: 2
**** SYSTEM WAS EXPLOITED ****
Re-run this script with any module name for further information

Excellent! Glad to see it’s working properly.

1 Like

Thanks - can you describe how to run the commands for this output?
UNSIGNED MODULE fw_fop – attempting to redownload
The following error(s) occured:

  • Module not found in repository
    UNSIGNED MODULE fw_fop: This module isn’t signed. It may be altered, and should be re-downloaded immediately.
    You may add the paramater --redownload to automatically download all unsigned modules
    UNSIGNED MODULE fw_langpacks – attempting to redownload
    The following error(s) occured:
  • Module not found in repository
    UNSIGNED MODULE fw_langpacks: This module isn’t signed. It may be altered, and should be re-downloaded immediately.
    You may add the paramater --redownload to automatically download all unsigned modules
    UNSIGNED MODULE isymphony – attempting to redownload
    The following error(s) occured:
  • Module not found in repository
    UNSIGNED MODULE isymphony: This module isn’t signed. It may be altered, and should be re-downloaded immediately.
    You may add the paramater --redownload to automatically download all unsigned modules
    WARNING: Module webrtc has issues. Run script again with that module name as the param

Just ran the --cleanall and --redownload

Only one coming up as unsigned

UNSIGNED MODULE extensionroutes: This module isn’t signed. It may be altered, and should be re-downloaded immediately.
You may add the paramater --redownload to automatically download all unsigned modules.

Also FYI if you use Vitelity and they blacklist your IP they require you to wipe your machine, passwords etc…

Was this MGKnight hack due to the RCE or Bash?

That is not a command, nor did we list or say anything about “cleanall” anywhere

RCE

Fixing that now. It should come up as signed when you redownload it again. These things are cached also so it may take some time.

oops --clean

its been a long day…

My question - I built 2 new clean virgin system, updated before going live. How can the scan respond with **** SYSTEM WAS EXPLOITED **** I did preform a backup from 9/20 - 10 days before the announcement.

The original “script” we found was published before we announced it. The day we announced it was the day we discovered it and also the day we fixed it. That does not mean it was the day it was also released.

Also there have been various releases of the script. I would advise you make sure you have downloaded the latest one.

Hello,
When I use the .phar script I get the following error:

# ./fpbxseccheck.phar
Segmentation fault

What are you using it on? Versions?

Hi - I used this link - http://wiki.freepbx.org/display/L1/FreePBX+Security+Scan to download and scanned my system. Is there a new scanner?

All updates are mirrored to that git repo so that link is always up to date.

I moved 5 posts to a new topic: CDR Errors after compromise cleanup

I moved a post to an existing topic: CDR Errors after compromise cleanup

OK, firstly i know that the version of FreePBX I am running in this instance is OLD. I also know it is UNSUPPORTED. What i would like to know is, is there some way I can add the CentOS repo in so i can just yum update bash?
To uprade system would be very disruptive and is not required in any other way. Only access to system is via SSH & SIP and nothing really special is being done on the system so it works as it needs to without any further enhancements.
Version is 1.817.210.58-1.
When I try to update the below is what i get as i think it is missing current CentOS repo

[root@freepbx ~]# yum update bash
Loaded plugins: fastestmirror, kmod, security
Loading mirror speeds from cached hostfile
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update

Thanks in advance

I have also been hacked when i run the tool i get this output

[root@localhost ~]# ./fpbxseccheck.phar --clean --redownload
Starting integrity check...
Clean defined, Will attempt to clean anything thing bad up
Redownload defined, will attempt to redownload where needed
Checking Framework for a valid signature...
Framework appears to be good
Cleaning up exploit 'mgknight'
        Purging PHP Session storage
        Done
        Moving potentially compromised file /etc/asterisk/manager_custom.conf to /tmp/freepbx_quarantine/manager_custom.conf
        Moving potentially compromised file /etc/asterisk/sip_custom.conf to /tmp/freepbx_quarantine/sip_custom.conf
        Moving potentially compromised file /etc/asterisk/extensions_custom.conf to /tmp/freepbx_quarantine/extensions_custom.conf
Cleaned potential 'mgknight' exploit. Please check your system for any suspicious activity. This script might not have removed it all!
Checking FreePBX ARI Framework
        FreePBX ARI Framework detected as installed, attempting to update
Downloading 249070 of 249070 (100%)

Untaring..Done
Module fw_ari successfully downloaded
installing files to /var/www/html/recordings..done
installing files to /var/www/html/recordings..done
fw_ari file install done, removing packages from module
files removed successfully
Module fw_ari successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/isymphony
chattr: Operation not supported while reading flags on /var/www/html/wcb.php
Permissions OK
Finished with FreePBX ARI Framework
Now Verifying all FreePBX Framework Files
*** File (/usr/sbin/amportal) is missing! ****
/usr/sbin/amportal has been modified!
Framework file(s) have been modified, re-downloading
Downloading Framework
Downloading 3418502 of 3418502 (100%)

Untaring..Done
Module framework successfully downloaded
installing files to /var/www/html..done
installing files to /var/lib/asterisk/bin..done
installing files to /var/lib/asterisk/agi-bin..done
Checking for upgrades..No further upgrades necessary
framework file install done, removing packages from module
file/directory: /var/www/html/admin/modules/framework/amp_conf removed successfully
file/directory: /var/www/html/admin/modules/framework/upgrades removed successfully
file/directory: /var/www/html/admin/modules/framework/libfreepbx.install.php removed successfully
Module framework successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/isymphony
chattr: Operation not supported while reading flags on /var/www/html/wcb.php
Permissions OK
Download complete
Finished upgrading Framework! Please re-run the check.

Everything seem to be working but i can not log in to my Freepbx administration page its says my username and pass word is invalid i have check my amportal.conf and my User Portal Admin Username and password are the same

Any help would be greatly appreciated

You didn’t paste the full output of the program. At the end it tells you your new admin username and password.

http://wiki.freepbx.org/display/L1/amportal+commands#amportalcommands-Unlock

I ran the security patch as specified, but it appears that overnight the mcknight exploit came back. I also get output saying “*** File (/usr/sbin/amportal is missing! ****”

[root@localhost ~]# ./fpbxseccheck.phar --clean --redownload

Starting integrity check…
Clean defined, Will attempt to clean anything thing bad up
Redownload defined, will attempt to redownload where needed
Checking Framework for a valid signature…
Framework appears to be good
Cleaning up exploit ‘mgknight’
Purging PHP Session storage
Done
Moving potentially compromised file /etc/asterisk/manager_custom.conf to /tmp/freepbx_quarantine/manager_custom.conf
Moving potentially compromised file /etc/asterisk/sip_custom.conf to /tmp/freepbx_quarantine/sip_custom.conf
Moving potentially compromised file /etc/asterisk/extensions_custom.conf to /tmp/freepbx_quarantine/extensions_custom.conf
Cleaned potential ‘mgknight’ exploit. Please check your system for any suspicious activity. This script might not have removed it all!
Checking FreePBX ARI Framework
FreePBX ARI Framework is uninstalled but the folder exists, removing it
Finished with FreePBX ARI Framework
Now Verifying all FreePBX Framework Files
*** File (/usr/sbin/amportal) is missing! ****
/usr/sbin/amportal has been modified!
Framework file(s) have been modified, re-downloading
Downloading Framework
–2014-10-17 08:23:57-- “pbx mirror”
Resolving mirror1.freepbx.org… 162.253.134.144
Connecting to mirror1.freepbx.org|162.253.134.144|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 3418502 (3.3M) [application/octet-stream]
Saving to: “/var/www/html/admin/modules/_cache/framework-2.11.0.38.tgz”

100%[===================================================================================================================================================================================================>] 3,418,502 1.30M/s in 2.5s

2014-10-17 08:23:59 (1.30 MB/s) - “/var/www/html/admin/modules/_cache/framework-2.11.0.38.tgz” saved [3418502/3418502]

Downloading 3418502 of 3418502 (100%)

Untaring…Done
Module framework successfully downloaded
installing files to /var/www/html…done
installing files to /var/lib/asterisk/bin…done
installing files to /var/lib/asterisk/agi-bin…done
Checking for upgrades…No further upgrades necessary
framework file install done, removing packages from module
file/directory: /var/www/html/admin/modules/framework/amp_conf removed successfully
file/directory: /var/www/html/admin/modules/framework/upgrades removed successfully
file/directory: /var/www/html/admin/modules/framework/libfreepbx.install.php removed successfully
Module framework successfully installed

SETTING FILE PERMISSIONS
chown: cannot access /var/www/html/recordings': No such file or directory chmod: cannot access /var/www/html/recordings’: No such file or directory
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/isymphony
chattr: Operation not supported while reading flags on /var/www/html/wcb.php
Permissions OK
Download complete
Finished upgrading Framework! Please re-run the check.
[root@localhost ~]# amportal a ma upgradeall

Fetching FreePBX settings with gen_amp_conf.php…

no repos specified, using: [standard,extended,unsupported,commercial] from last GUI settings

Up to date.

SETTING FILE PERMISSIONS
chown: cannot access /var/www/html/recordings': No such file or directory chmod: cannot access /var/www/html/recordings’: No such file or directory
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/isymphony
chattr: Operation not supported while reading flags on /var/www/html/wcb.php
Permissions OK
[root@localhost ~]# asterisk -rx ‘dialplan reload’
Dialplan reloaded.
[root@localhost ~]# asterisk -rx ‘manager reload’
[root@localhost ~]# asterisk -rx ‘manager reload’^C
[root@localhost ~]#