FYI Private LAN App Hacks

womble1

Guru
Joined
Oct 19, 2008
Messages
632
Reaction score
6
Is this a hack?

# Title: Incredible PBX remote command execution exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 1 September 2014
# Coded: 21 October 2014
# Published: 21 October 2014
# MorXploit Research
# http://www.MorXploit.com
 

tycho

Guru (not...)
Joined
Aug 9, 2011
Messages
652
Reaction score
272
Is that a link one can click without peril?
 

rentpbx

Guru
Joined
Nov 2, 2010
Messages
109
Reaction score
16
There are a couple of notes on the link.

* reminders/index.php which ships with Incredible PBX suffers from a command execution vulnerability, allowing an authenticated user to

* Access to reminders/index.php requires 'maint' password, in the exploit code we have used the default installation password which is XXXXXXXX


If you do not share your maint password, the vulnerability cannot be exploited. You can change PIAF password by typing passwd-master in your ssh console. Let me know if our reading on the hack is wrong.

Please be safe and install TravelinMan3 anyway.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Telephone Reminders patch has been pushed out to all Incredible PBX servers. All you'll have to do is log out and log back in as root, and the patch will be applied.

As for the vulnerability itself, the notes to the post make clear: "Access to reminders/index.php requires 'maint' password." That is exactly right. Your maint password validated with Apache security has ALWAYS been required to access the web interface to Telephone Reminders with Incredible PBX running under PBX in a Flash. Most Incredible PBX implementations randomize the maint password. Older versions with default password are no longer available from trusted sources. The web interface to Telephone Reminders was never designed for exposure to the Internet!

Suffice it to say, if your maint password has been compromised on any PBX in a Flash server, you've basically sold the farm. It's the functional equivalent of handing out the root password for the FreePBX GUI to the world. Reminders would be the least of your problems! It would provide the ability to compromise your Asterisk setup, your FreePBX configuration, and numerous MySQL databases. In short, your entire server could and probably would be hosed!

For this year's releases of Incredible PBX that do not run under PBX in a Flash and rely instead upon FreePBX security, the IPtables WhiteList firewall configuration of Incredible PBX protects your server from all users except those on your trusted private LAN and those you specifically authorized to access your server. If you have to worry about those users, you need to find a new job or some new friends.

Finally, this exploit assumes you have no hardware or software firewall in place, a circumstance which should NEVER occur! Only in such cases would this exploit give an attacker asterisk user privileges to your server, the same privileges already enjoyed by anyone having access to the FreePBX GUI including the FreePBX Dev Team.

Code:
cd /var/www/html/reminders
# keep a copy of the unpatched script outside the web root
cp index.php /root/index-oldreminders.php
# fetch and unpack the patch over the existing files, then remove the archive
wget http://incrediblepbx.com/reminder-patch.tar.gz
tar zxvf reminder-patch.tar.gz
rm -f reminder-patch.tar.gz

See also this post on the FreePBX Forum.
 
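The thread's point is that reminders/index.php is only reachable through Apache's maint-password check, so the thing worth verifying on your own box is that the `<Directory>` stanza for the reminders web root still carries its auth directives. The following is an added example, not code from the thread or from Incredible PBX: it parses an Apache-style config string and reports which of `AuthType`, `AuthUserFile` and `Require` are missing for a given path. The two config samples are constructed, and the exact stanza PBX in a Flash ships is an assumption.

```python
import re

# Constructed sample: a <Directory> stanza that protects the Telephone
# Reminders web root with HTTP Basic auth (the real PIAF stanza is assumed
# to look roughly like this; file paths here are illustrative).
PROTECTED_CONF = """
<Directory "/var/www/html/reminders">
    AuthType Basic
    AuthName "Incredible PBX"
    AuthUserFile /usr/local/apache/passwd/wwwpasswd
    Require valid-user
</Directory>
"""

# Constructed sample: the same stanza with its auth lines stripped out,
# i.e. the directory is served to anyone who can reach port 80.
EXPOSED_CONF = """
<Directory "/var/www/html/reminders">
    Options -Indexes
    AllowOverride None
</Directory>
"""

# Match each <Directory "path"> ... </Directory> block (quotes optional).
DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)

# Directives that together make the directory require a login.
REQUIRED = {
    "AuthType": re.compile(r"^\s*AuthType\s+\S+", re.M | re.I),
    "AuthUserFile": re.compile(r"^\s*AuthUserFile\s+\S+", re.M | re.I),
    "Require": re.compile(r"^\s*Require\s+(valid-user|user\s+\S+)", re.M | re.I),
}


def directory_blocks(conf):
    """Yield (path, body) for every <Directory> stanza in an Apache config string."""
    for m in DIR_RE.finditer(conf):
        yield m.group(1), m.group(2)


def auth_findings(conf, path):
    """Return the auth directives missing from the stanza covering `path`.

    An empty list means the directory is password-protected; a missing
    stanza is reported as a finding in its own right.
    """
    for dir_path, body in directory_blocks(conf):
        if dir_path.rstrip("/") == path.rstrip("/"):
            return [name for name, rx in REQUIRED.items() if not rx.search(body)]
    return ["no <Directory> stanza for " + path]


def is_protected(conf, path="/var/www/html/reminders"):
    """True when every required auth directive is present for `path`."""
    return auth_findings(conf, path) == []


if __name__ == "__main__":
    for label, conf in (("protected", PROTECTED_CONF), ("exposed", EXPOSED_CONF)):
        print(label, "->", auth_findings(conf, "/var/www/html/reminders") or "ok")
```

On a live server you would read the config with something like `open("/etc/httpd/conf/httpd.conf").read()` (path assumed) and run the check for both the reminders and asteridex4 directories; a non-empty finding list means the maint-password gate the thread relies on is not in place for that directory.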

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Out of an abundance of caution, we are upgrading the AsteriDex application as well. To reiterate, Telephone Reminders and AsteriDex were designed as PRIVATE LAN APPLICATIONS for use behind a secure firewall. In addition, Telephone Reminders required the maint password for access while AsteriDex required a private LAN IP address. Neither was ever written for or designed for use/access from the Internet! Think of your favorite DOS application, and use these with the same care!
Code:
cd /var/www/html
# back up the whole AsteriDex directory outside the web root before patching
cp -r asteridex4 /root/.
cd asteridex4
# fetch and unpack the patch over the existing files, then remove the archive
wget http://incrediblepbx.com/asteridex-patch.tar.gz
tar zxvf asteridex-patch.tar.gz
rm -f asteridex-patch.tar.gz
 
