SECURITY gen_amp_conf.php!

Hi all,

We experienced a very expensive attack.
The method is very simple :

A simple curl on http:///admin/modules/framework/bin/gen_amp_conf.php gives you all the configuration parameters including the admin password from the web interface. From there, the attackers just have to log on to the interface, get an existing SIP account and use it to make outbound calls. Even the SIP password is shown in plaintext in the extensions tab!! That shouldn’t be.

Why would you have the web interface connected to the Internet without any security?

Over and over we tell people it is not reasonable to expect the administrative interface of a phone system to be secure.

If you still insist on doing this why would you not at least do an htaccess on the web folders?

Don’t start blaming others and fear mongering in the forums because you did not take basic steps to secure your system.

Please ensure that you have upgraded your modules, as this issue was already resolved.

You are surely right, but as the site is protected with a password, I expected that it was secure. It is really not the case. This kind of security failure is really one.
Passwords should not be so easily accessible.

Not sure,

Could you please tell me in which release this issue has been resolved?

Thanks,

Fred

It was fixed in 2.9 over a month ago. Make sure you have the most updated core and framework modules.

Thanks for fixing this guys.

This is actually super lame. I am tired of listening to comments which say “you should not put this stuff on the internets”.
Where in the installation process is the eager beaver aka the VoIP expert warned about the dangers of doing so?

  1. Why does FPBX not, by default, restrict access to the GUI to only RFC1918 networks? People who want to enable access from the internets should accept a warning which says ‘this software can be exploited by a 5 year old’, do you still need to enable access???

  2. The release process should include testing unauthenticated access to all files containing sensitive info. If there was any testing of this kind this costly (for many) exploit would have been prevented.

If you restrict access to internal IPs only then how would people that only allow access through firewalls from trusted IPs get in? We state in the forums everywhere that the GUI should not be exposed to the whole world. When we find an exploit we fix it.

That file should never have been left there and it was a mistake in 2.9 for over a year before it was reported. One of the good things about being open source is it allows the community as a whole to also help review code and make sure we have not screwed up on something. All the code is there for everyone to see and review and make changes or recommendations.

Why don’t you put in a configurable ACL? By default it should only include RFC1918. People who want to open it more should be able to add extra IP ranges or open it up completely. All of this should be configurable via the GUI.

The truth is most “VoIP experts” have no idea what security risks are involved with PBX deployment on the internet, and you are making it extremely easy for them to be left holding a bag with bills for unauthorized calls.
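The two mitigations raised in this thread, the “do an htaccess on the web folders” advice and the request for an ACL that defaults to RFC1918 with operator-added ranges, can be expressed together in the Apache configuration fronting the GUI. The block below is an added example and not FreePBX’s own configuration; it assumes the GUI is served from /var/www/html/admin, Apache 2.4 (mod_authz_core), a password file at /etc/httpd/freepbx.htpasswd, and uses 203.0.113.0/24 as a placeholder for a trusted public range.

```apache
# Added example (not FreePBX's shipped config): require BOTH a permitted
# source network AND HTTP Basic credentials before reaching the GUI.
# Paths, the htpasswd file and the 203.0.113.0/24 range are assumptions.
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "FreePBX administration"
    AuthUserFile /etc/httpd/freepbx.htpasswd

    <RequireAll>
        # Default allow-list: RFC 1918 private address space only.
        # Operators who manage the box from a fixed public address add
        # their own range here instead of opening the GUI to the world.
        <RequireAny>
            Require ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
            Require ip 203.0.113.0/24
        </RequireAny>
        # Second layer: the web-server password, independent of any
        # credential the application itself stores or discloses.
        Require valid-user
    </RequireAll>
</Directory>

# The file discussed in this thread lived under the framework module's
# bin directory; deny web access to that directory outright so a
# regression (or an old file left behind by an upgrade) is not reachable.
<Directory "/var/www/html/admin/modules/framework/bin">
    Require all denied
</Directory>

# Apache 2.2 equivalent of the first block (mod_authz_host + mod_auth):
#   Order deny,allow
#   Deny from all
#   Allow from 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 203.0.113.0/24
#   AuthType Basic / AuthName / AuthUserFile as above
#   Require valid-user
#   Satisfy All        # both the IP check and the login must pass
```

Create the password file with `htpasswd -c /etc/httpd/freepbx.htpasswd <user>` and reload Apache; a request from outside the allow-list then gets 403 before the login prompt, and a request from inside still has to authenticate.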

When we find an exploit we fix it.

Unfortunately in this case we have a year’s worth of deployments of vulnerable boxen. If this does not make you start taking security issues seriously, I do not know what will.

For your amusement please also read this issue: http://www.freepbx.org/trac/ticket/5116 opened 10 months ago, to see how quickly security issues are addressed by the FreePBX team.

For those too lazy to click on the trac ticket, it has nothing to do with the subject and was a change requested by the author of this post to change how the credentials are passed back to FreePBX from the login.

I guess the fact that FreePBX is a volunteer project from non-commercial entities is lost on him and his tone suggests negligence on behalf of the team by not responding to this request. For a bit of level setting the $75,000 Mitel IP PBX uses the same authentication method.

In fact if you really want to debate this please tell me one commercial IP PBX vendor that supports placing the call server on the Public Internet.

If you spend close to a million bones on a Metaswitch all you get is a SOAP/XML interface to build your own front end! Oh sorry, you also get TL1. Not only that, proprietary IP PBXs don’t even support NAT traversal. If you want to form SIP B2BUAs on a Cisco CUCM you have to buy a SIP gateway license for an IOS device.

Obelisk, your posts are mean spirited, devoid of gratitude and wholly nonconstructive. It’s too bad you choose to devote your energy in such a negative direction; clearly you’re a smart guy with a lot to offer.

skyking, could you explain what your relationship to the project is? I am not sure who you are speaking for.

btw: I just downloaded the latest distro - FreePBX-Distro-Net-32bit-1.88.210.57.iso - and using the process described in the other thread was able to retrieve the admin name and password using unauthenticated access.

I am going to give the FreePBX project a week before I post the details on 2/22/2012.

Well, I can promise you the latest Distro does not do this. I get this:
The requested URL /admin/modules/framework/bin/gen_amp_conf.php was not found on this server.

We remove the file on install.

Secondly there is no Admin GUI username or password in that file. There is the MySQL username, and if you allow the MySQL root user to log into the GUI then yes you could get in, but we do not allow the MySQL username to log into the Distro by default and you would have to go to advanced settings to enable it.

I just tested this on the 1.87.29.55 and 1.88.210.57 releases, which are the 2 releases in the last 6 months, and neither allows you to go to http://xxx/admin/modules/framework/bin/gen_amp_conf.php and get any info. So not sure why you are stating differently.

I said “using the process described in the other thread”, where I said what should be included in your release process, not this thread. The URL is obviously different this time. It really would be helpful if you could track these issues via CVE; this way people would not be confused.

EDIT: This actually deserves a separate thread:

http://www.freepbx.org/forum/freepbx/development/security-credentials-disclosure-via-withheld

What other thread are you talking about? This talking in disguise does no good. Nowhere in here do you refer to another thread. You put a link to a Digium forum post that is a year old with no real input from others. You also have a link to a feature request about not passing clear passwords but nothing else here. As we always state, your Web GUI of FreePBX should not be exposed to the whole world. This drama is driving me to drink and is getting old.

When I said the other thread, I was referring to this one:

http://www.freepbx.org/forum/freepbx/general-help/ive-been-hacked

The process is simple: generate the list of possible URLs by scanning the content of the file system and then hit each one of them looking for sensitive data. The entire process takes less than a minute and could prevent more snafus.
IOW, highly recommended :wink:

Ok, but we got rid of those files in 2.10 and back ported it to 2.9 already. If you want to send me exact details, as we keep asking for, you know how to reach me. This is getting out of hand and until you send me something with exact steps there is nothing more I can do.

My relationship to the project? I am not sure how to answer that, I have no intention of making public resources I donate. I never want to be accused of using the project to benefit my commercial interests.

I speak for myself. I have admin privs and help with SPAM cleanup and housekeeping.

As far as the threat, that’s exactly the behavior that irritates me. Why do you have to be threatening and confrontational?