FreePBX callmenum Remote Code Execution

Added: 05/02/2012
BID: 52630
OSVDB: 80544

Background

FreePBX is an open source telephony front-end with an easy-to-use graphical user interface that controls and manages Asterisk.

Problem

FreePBX fails to properly sanitize user-supplied input passed to the 'callmenum' parameter of recordings/misc/callme_page.php when the 'action' parameter is set to 'c'. This can be exploited to execute arbitrary code.
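As an added defender-side example (not part of this advisory or of the FreePBX project), the following Python scans constructed Apache access-log lines and flags requests to the affected script where 'action' is 'c' and 'callmenum' is not a plain numeric extension. The "digits only, 2 to 10 characters" rule for a legitimate extension is an assumption.

```python
"""Access-log detection helper for the FreePBX callme_page.php issue.

Added example; it is not the advisory's or the project's own code.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic): one legitimate call,
# one request with a non-numeric callmenum, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2012:10:01:02 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=2001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Mar/2012:10:02:15 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=2001%0Afoo HTTP/1.1" 200 600 "-" "curl/7.19"
10.0.0.7 - - [20/Mar/2012:10:03:40 +0000] "GET /admin/config.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)
# Assumed shape of a valid extension number.
EXTENSION_RE = re.compile(r'^\d{2,10}$')
TARGET_SCRIPT = '/recordings/misc/callme_page.php'


def parse_line(line):
    """Return a dict with ip, script path and decoded query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry['path'])
    entry['script'] = parts.path
    # keep_blank_values so an empty callmenum is still inspected.
    entry['query'] = {k: v[0] for k, v in
                      parse_qs(parts.query, keep_blank_values=True).items()}
    return entry


def is_suspicious(entry):
    """True when action=c hits the target script with a non-numeric callmenum."""
    if entry is None or not entry['script'].endswith(TARGET_SCRIPT):
        return False
    query = entry['query']
    if query.get('action') != 'c':
        return False
    return not EXTENSION_RE.match(query.get('callmenum', ''))


def scan(log_text):
    """Return (client_ip, callmenum) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append((entry['ip'], entry['query'].get('callmenum', '')))
    return hits
```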

Resolution

Apply the patch from the FreePBX SVN repository, or from the support ticket.

References

http://www.freepbx.org/trac/ticket/5711
http://seclists.org/fulldisclosure/2012/Mar/234

Limitations

This exploit has been tested against FreePBX 2.9.0.7 on CentOS 5.7 Linux. The exploit will brute-force extension numbers if one is not provided, but the call must be answered for the attack to succeed.

Platforms

Linux
