During a routine scan of new vulnerability reports for the Exploit Database, we came across a single post on the Full Disclosure mailing list by Martin Tschirsich about a remote code execution vulnerability in FreePBX. The vulnerability sounded intriguing and, as usual, required verification before inclusion in the EDB. At first glance the vulnerability didn't jump out at us, especially as we are not familiar with the inner workings of Asterisk. After a couple of emails back and forth with Martin, the path to code execution became clearer:
The $to parameter in recordings/misc/callme_page.php is not sanitized. After passing through several functions, $to is written, still unsanitized, to the Asterisk Manager Interface (AMI) socket.
We quickly whipped up a Metasploit module for this, and gave it a shot.
The exploit worked out of the box against both the FreePBX and Elastix community distributions, given a known extension or username. The malicious URL actually triggers a phone call to the chosen extension, and when the call is answered (or goes to voicemail), our payload is executed on the VoIP server.
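To make the injection concrete, here is a small model of what happens when a caller-controlled value is interpolated into an AMI packet. This is an added example written for this post, not code from FreePBX or from Martin's report: the Originate header layout and the assumption that $to lands in the Channel header are illustrative, and the tolerant line parsing is an assumption rather than a reading of Asterisk's manager source. AMI is a line-based protocol (Key: value lines, blank line ends a packet), so an unstripped CR/LF pair lets the caller end the current header and append headers, or a blank line and a whole second packet.

```python
"""Modelling the CRLF injection into an Asterisk Manager Interface (AMI) action.

Added example, not code from FreePBX.  The Originate header layout and the
rule that the caller-supplied value lands in the Channel header are
assumptions made for illustration; they are not lifted from callme_page.php.
"""
import re

# Conservative allow-list for a dialable extension (an assumption for this
# example; FreePBX's own notion of a valid extension may be wider).
EXTENSION_RE = re.compile(r"[A-Za-z0-9*#_.\-]+")


def build_originate_vulnerable(to, context="from-internal", exten="s", caller_id="callme"):
    """Interpolates `to` verbatim, which is the bug class the post describes."""
    return (
        "Action: Originate\r\n"
        f"Channel: Local/{to}\r\n"
        f"Context: {context}\r\n"
        f"Exten: {exten}\r\n"
        "Priority: 1\r\n"
        f"CallerID: {caller_id}\r\n"
        "\r\n"
    )


def build_originate_hardened(to, context="from-internal", exten="s", caller_id="callme"):
    """Same packet, but `to` must be a plain extension before it goes near the socket."""
    if not EXTENSION_RE.fullmatch(to):
        raise ValueError(f"refusing to originate to {to!r}: not a plain extension")
    return build_originate_vulnerable(to, context, exten, caller_id)


def parse_ami_stream(raw):
    """Split a manager stream into packets as a line-based reader would.

    Lines are separated by LF with an optional preceding CR (tolerance assumed,
    not taken from Asterisk's source); an empty line ends a packet.  Returns a
    list of packets, each a list of (key, value) pairs.
    """
    packets, current = [], []
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            if current:
                packets.append(current)
                current = []
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.append((key.strip(), value.strip()))
    if current:
        packets.append(current)
    return packets


def injected_headers(to):
    """Headers the manager would see that the page never meant to send."""
    expected = {"Action", "Channel", "Context", "Exten", "Priority", "CallerID"}
    seen = [h for packet in parse_ami_stream(build_originate_vulnerable(to)) for h in packet]
    return [(k, v) for k, v in seen if k not in expected]


if __name__ == "__main__":
    benign = "1000"
    # Constructed attacker input: ends the Channel line and smuggles a header.
    # Any Originate key can be appended this way; a harmless one is shown.
    hostile = "1000\r\nApplication: Echo"
    print(injected_headers(benign))   # []
    print(injected_headers(hostile))  # [('Application', 'Echo')]
    try:
        build_originate_hardened(hostile)
    except ValueError as e:
        print("hardened builder:", e)
```

The fix is not to escape CR and LF but to refuse anything that is not an extension: an allow-list on the value that reaches the socket closes both the header-smuggling and the second-packet variants at once, which a per-character blacklist tends to miss.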
Interestingly enough, Elastix has the following in its /etc/sudoers file:
This reminded us of a paper we once read (http://www.exploit-db.com/papers/18168/) which discussed exactly this situation. Since nmap can be run through sudo, abusing the nmap --interactive command lets us easily escalate to root privileges:
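The check a defender would want here is an audit of sudoers for grants of binaries that can hand out a shell. The script below is an added example written for this post, not code from the paper or from Elastix; the sudoers text in SAMPLE_SUDOERS is constructed for the demonstration and is not Elastix's real file, and the list of shell-escape binaries is the editor's own, not a complete inventory.

```python
"""Audit sudoers for grants of binaries that can drop to a shell.

Added example, not code from the post or from Elastix.  SAMPLE_SUDOERS is a
constructed fragment, not Elastix's actual /etc/sudoers; the binary list is
the editor's and is not exhaustive.
"""
import re

# Programs whose interactive modes can run arbitrary commands.  Older nmap's
# --interactive prompt accepted "!<command>" shell escapes, which is the
# trick the referenced paper relies on.
SHELL_ESCAPE_BINARIES = {"nmap", "vim", "vi", "less", "more", "man", "find", "awk", "perl", "python"}

SAMPLE_SUDOERS = """\
# constructed sample for the audit below (not Elastix's real sudoers)
Defaults    requiretty
root        ALL=(ALL)       ALL
asterisk    ALL = NOPASSWD: /usr/bin/nmap, /sbin/service, \\
                            /bin/touch
www-data    ALL = (root) /usr/bin/vim
"""

# user  host = (runas) TAG: cmd, cmd   (Defaults and alias lines are skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def _logical_lines(text):
    """Join backslash-continued lines and drop comments, as sudo's parser does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_sudoers(text):
    rules = []
    for line in _logical_lines(text):
        if line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas") or "root",   # sudo's default target user
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def find_shell_escape_grants(text):
    """Return (user, runas, binary, nopasswd) for grants that reach a shell."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root":
            continue                          # already root, nothing to escalate
        for cmd in rule["cmds"]:
            binary = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
            if binary == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                findings.append((rule["user"], rule["runas"], binary, rule["nopasswd"]))
    return findings


if __name__ == "__main__":
    for user, runas, binary, nopasswd in find_shell_escape_grants(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if nopasswd else "password required"
        print(f"{user} -> {runas} via {binary} ({tag})")
```

On a PBX the NOPASSWD findings are the ones that matter: code running as the service account has no password to type, so a passwordless grant of a binary with a shell escape turns any command execution in the web front end straight into root.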
The Metasploit module should be released in the next few days. In the meantime, you can check our PoC in the Exploit Database: http://www.exploit-db.com/exploits/18650/
What we found most interesting was Martin’s disclaimer:
The vendor has been contacted and provided with a patch several times since Jun 12, 2011. Since no intention to address this issue was shown, I felt it was in the best interest to disclose the vulnerability.
Lastly, the nerd in us found it pretty awesome that an exploit calls you…If you’re using FreePBX systems…you might want to think twice before answering your phone….