FreePBX Recordings Interface Code Execution Vulnerability

Summary

The configuration interface for FreePBX is prone to remote arbitrary code execution through the System Recordings menu.

Credit:

The information has been provided by Wendel G. Henrique.
The original article can be found at: http://seclists.org/fulldisclosure/2010/Sep/378


Details

Vulnerable Systems:
 * FreePBX version 2.8.0 and below

FreePBX does not handle file uploads in a secure manner, allowing an attacker to control both the file extension and the beginning of the uploaded file name.
The piece of code below, found in page.recordings.php, illustrates part of the recordings upload feature.

/* Code removed to fit better on advisory */

<?php
 if (isset($_FILES['ivrfile']['tmp_name']) &&
 is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
   if (empty($usersnum)) {
     $dest = 'unnumbered-';
   } else {
     // double quotes so $usersnum is interpolated; its value is never validated
     $dest = "{$usersnum}-";
   }
   // the extension is taken verbatim from the client-supplied file name
   $suffix = substr(strrchr($_FILES['ivrfile']['name'], '.'), 1);
   $destfilename = $recordings_save_path.$dest.'ivrrecording.'.$suffix;
   move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
   echo '<h6>'._('Successfully uploaded').' '.$_FILES['ivrfile']['name'].'</h6>';
   $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
 } ?>

/* Code removed to fit better on advisory */

When a file is uploaded, a copy is saved temporarily under the /tmp/ directory with a name of the form user-controlled-staticname.extension, where:

 * 'user-controlled' is the $usersnum variable.
 * 'staticname' is the fixed string -ivrrecording.
 * 'extension' is taken from the uploaded file's name and is therefore also controlled by the user.

If the $usersnum variable is not defined, the static string unnumbered is used instead. Finally, when the user clicks the Save button on the System Recordings interface, the file is saved under the /var/lib/asterisk/sounds/custom/ directory with the original file name provided by the user. When uploading a file, an attacker can manipulate the $usersnum variable to perform a path traversal and save the file anywhere the web server user can write, for example Apache's DocumentRoot. This allows an attacker to upload malicious code to the web server and execute it with the web server's access permissions.
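For comparison, a hardened version of the same filename construction, written here as an added example rather than the maintainer's actual patch; the function name, the extension allow-list and the use of sys_get_temp_dir() as a stand-in for $recordings_save_path are assumptions of this example:

```php
<?php
// Added example (not FreePBX's own code): build the destination path the way the
// vulnerable snippet does, but reject the two user-controlled parts first.
//   - $usersnum must be a plain decimal number (or empty), so "../" cannot enter the name
//   - the extension comes from an allow-list, never verbatim from the upload name
//   - the final path is confirmed to sit directly under $save_path after normalisation
function safe_recording_destination(string $save_path, string $usersnum, string $upload_name): string
{
    $allowed = ['wav', 'gsm', 'ulaw', 'alaw', 'sln']; // assumed allow-list for this example

    if ($usersnum !== '' && !ctype_digit($usersnum)) {
        throw new InvalidArgumentException('usersnum must be numeric');
    }
    $dest = ($usersnum === '') ? 'unnumbered-' : $usersnum . '-';

    $suffix = strtolower(pathinfo($upload_name, PATHINFO_EXTENSION));
    if (!in_array($suffix, $allowed, true)) {
        throw new InvalidArgumentException('extension not allowed: ' . $suffix);
    }

    $base = realpath($save_path);
    if ($base === false) {
        throw new RuntimeException('save path does not exist');
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $dest . 'ivrrecording.' . $suffix;

    // Defence in depth: even with validated parts, confirm nothing escaped $base.
    if (dirname($candidate) !== $base) {
        throw new RuntimeException('destination escaped save path');
    }
    return $candidate;
}

// Constructed inputs for the demonstration: one legitimate upload, one traversal
// attempt in $usersnum, one attempt to smuggle a non-audio extension.
$save = sys_get_temp_dir();
echo safe_recording_destination($save, '42', 'greeting.wav'), "\n";
foreach ([['../../var/www/html/x', 'a.wav'], ['7', 'script.php']] as [$num, $name]) {
    try {
        safe_recording_destination($save, $num, $name);
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The second stage described above, where the file is renamed to the original client-supplied name on Save, needs the same treatment: derive the final name from validated components rather than from $_FILES['ivrfile']['name'].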

Patch Availability:
The maintainer has released a patch to address this issue for all versions of the software 2.3 and newer. Details of the patch can be found here:
http://www.freepbx.org/trac/ticket/4553

CVE Information:
CVE-2010-3490

Disclosure Timeline:
08/13/10 – Initial contact
08/18/10 – Vulnerability disclosed
09/23/10 – Advisory public release
