Command Injection vulnerabilities in FreePBX Framework

FreePBX is an open-source, web-based administration tool used to control and manage Asterisk, an implementation of a telephone Private Branch eXchange (PBX). It supports various IP telephony protocols to connect telephone services together, including the public switched telephone network.

Due to improper handling of user-uploaded file names, a command injection vulnerability exists in the Recording module of FreePBX. After a file is received from the user, the convert() function of class Media\Media is called, which in turn calls the convert() function of class Media\Driver\Drivers\SoxShell to convert the file. The SoxShell class uses the Process component from a third-party vendor, Symfony, to execute the sox command in a sub-process. Because the user-supplied file name is not validated beforehand, a malformed file name containing injected commands could get executed in the new sub-process. A remote attacker can exploit this vulnerability by injecting commands into the file name. Successful exploitation would lead to arbitrary command execution under the security context of the unprivileged user asterisk.
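The file-name handling described above, as an added example in plain PHP 7.4+ (not FreePBX or Symfony code): the shell-string pattern next to a hardened form that validates the name and passes sox an argument vector. The function names, the extension allowlist and the /tmp/rec directory are assumptions made for illustration.

```php
<?php
// Added illustration, not FreePBX or Symfony code. Names are hypothetical.
const ALLOWED_EXT = ['wav', 'mp3', 'ogg', 'gsm'];   // assumed allowlist

// Pattern the advisory describes: the client-supplied name becomes part of
// a command string, so a shell interprets any metacharacters it contains.
function sox_command_unsafe(string $uploadName, string $dir): string
{
    return "sox $dir/$uploadName $dir/converted.wav";
}

// Hardened: allowlist the name and type, store the file under a name the
// server generates, and build an argument vector instead of a string.
function sox_argv_safe(string $uploadName, string $dir): array
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/', $uploadName)) {
        throw new InvalidArgumentException('file name rejected');
    }
    $ext = strtolower(pathinfo($uploadName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('file type rejected');
    }
    $id = bin2hex(random_bytes(16));   // the client's name never reaches sox
    return ['sox', "$dir/$id.$ext", "$dir/$id.converted.wav"];
}

// PHP 7.4+ runs an array command directly, with no /bin/sh in between.
function run_argv(array $argv): int
{
    $null = ['file', '/dev/null', 'w'];
    $proc = proc_open($argv, [1 => $null, 2 => $null], $pipes);
    if ($proc === false) {
        throw new RuntimeException('could not start process');
    }
    return proc_close($proc);
}

// Constructed sample names: one ordinary, one carrying shell metacharacters.
foreach (['hold-music.wav', 'hold.wav;echo marker'] as $name) {
    echo 'shell string: ', sox_command_unsafe($name, '/tmp/rec'), PHP_EOL;
    try {
        // In real use: move the upload to $argv[1], then call run_argv($argv).
        $argv = sox_argv_safe($name, '/tmp/rec');
        echo 'argv: ', json_encode($argv, JSON_UNESCAPED_SLASHES), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'refused: ', $e->getMessage(), PHP_EOL;
    }
}
```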

A SQL injection vulnerability also exists in FreePBX due to improper sanitization of the display HTTP parameter passed to config.php. After a request for /admin/config.php is received, modulefunctions.class.php is called to construct a SQL query using the value of the display HTTP parameter. The query is later executed by “DB.class.php”. Because the display HTTP parameter is not verified, an attacker can construct a malicious HTTP request containing SQL commands to alter the FreePBX database, asterisk. Successful exploitation can lead to execution of maliciously injected SQL statements on the server, which can result in alteration of the back-end database data and eventually lead to arbitrary code execution with the privileges of the mysql user.

Dell SonicWALL has researched these vulnerabilities. The following signatures have been created to protect our customers:

  • IPS: 11848 FreePBX Framework Remote Command Execution
  • IPS: 11843 FreePBX Framework SQL Injection