Command Injection vulnerabilities in FreePBX Framework

September 9, 2016

FreePBX is an open source web-based Administrative tool to control and manage Asterisk, an implementation of telephone Private Branch eXchange (PBX). It supports various IP telephony protocols to connect telephone services together including the public switched telephone network.

Due improper handling of user uploaded filenames, command injection vulnerability exists in Recording module of FreePBX. After receiving file from user, function convert() from class Media//Media is called. Which calls another convert function from class Media//Driver//Drivers//SoxShell to convert file. The SoxShell class uses Process component from a 3rd party vendor, Symfony to execute sox command in a sub-process. Due to lack of prior validation of file name from user, any malformed file name with injection code could get executed in new sub process. Remote attacker can exploit this vulnerability by injecting commands in file name. Successful exploitation would lead to arbitrary command execution under the security context of the unprivileged user asterisk.

Another SQL injection vulnerability exists in FreePBX due to improper sanitization of display HTTP parameter passed to config.php. After receiving request for /admin/config.php, modulefunctions.class.php is called to construct SQL query using value of display HTTP parameter. The query is later executed by "DB.class.php". Lack of verification of display HTTP parameter allows attacker to construct malicious HTTP request containing SQL commands to alter FreePBX database asterisk. Successful exploitation can lead to execution of maliciously injected SQL statement on the server, which can result in the back-end database data alteration and eventually lead to arbitrary code execution with the privileges of the mysql user.

Dell SonicWALL has researched these vulnerabilities. The following signatures has been created to protect our customers.

  • IPS: 11848 FreePBX Framework Remote Command Execution
  • IPS: 11843 FreePBX Framework SQL Injection