FreePBX Credential Disclosure



Have FreePBX running on a public IP, and not on the latest version? It may be vulnerable.

If you have an Asterisk phone server running on a public IP, managed through the FreePBX web GUI, and it is not running one of the latest releases, it may be vulnerable.

It's very common to have FreePBX on an Internet-routed IP, especially if multiple locations use the same FreePBX server.

And the scary part is that little documentation exists about this vulnerability; as of right now it's not listed on CVE Details:

http://www.cvedetails.com/vendor/6470/Freepbx.html

To test, go to the following URL in your browser:

http://yourip/admin/modules/framework/bin/gen_amp_conf.php

Replace yourip with your server's actual IP or hostname, and admin with your admin directory if it differs.

If you get a 404, you should be protected. If you get a blank page, view the source, or download a copy of the page with wget or curl, to make sure it really is blank and not just rendered that way by the browser.

If you see a bunch of code or configuration entries, you have a vulnerable version. Look for ARI_ADMIN_USERNAME and ARI_ADMIN_PASSWORD; those should match the initial login you had for the admin interface.
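The check above as a script, added here as an example and not part of the original advisory: it classifies what the probe returns (404, a blank body, or a config dump) and pulls out the ARI admin lines when they are present. The helper names, the constructed sample bodies and the KEY=value line format (modelled on amportal.conf) are assumptions; compare them against what your own server actually returns.

```shell
#!/bin/sh
# Added example (not from the original advisory): classify what the
# gen_amp_conf.php probe returns and extract the leaked ARI admin login.
# Assumption: the dump uses KEY=value lines like amportal.conf.

# classify_response STATUS BODY -> prints protected | blank | vulnerable | other
classify_response() {
    status="$1"
    body="$2"
    case "$status" in
        404) echo protected ;;
        200)
            if [ -z "$(printf '%s' "$body" | tr -d '[:space:]')" ]; then
                # Nothing but whitespace came back: what the browser showed
                # as a blank page really is blank.
                echo blank
            elif printf '%s\n' "$body" | grep -qiE 'ARI_ADMIN_(USERNAME|PASSWORD)|AMPDB(USER|PASS)'; then
                # The generator ran and dumped configuration to an
                # unauthenticated client.
                echo vulnerable
            else
                echo other   # some content, but not the config dump we expect
            fi ;;
        *) echo other ;;
    esac
    return 0
}

# leaked_creds BODY -> prints only the ARI_ADMIN_* lines, one per line
leaked_creds() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*ARI_ADMIN_(USERNAME|PASSWORD)[[:space:]]*='
}

# probe_url BASE -> fetch the real page with curl and classify it.
# BASE is e.g. http://yourip/admin (the admin directory may differ).
probe_url() {
    tmp=$(mktemp) || return 1
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$1/modules/framework/bin/gen_amp_conf.php")
    body=$(cat "$tmp")
    rm -f "$tmp"
    classify_response "$status" "$body"
}

# Constructed sample bodies for a dry run (not output from any real server).
VULN_BODY='AMPDBHOST=localhost
AMPDBUSER=asteriskuser
AMPDBPASS=s3cret
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=changeme
AMPWEBADDRESS=10.0.0.5'

BLANK_BODY='

'

if [ "${1-}" = "--demo" ]; then
    classify_response 404 ""             # protected
    classify_response 200 "$BLANK_BODY"  # blank
    classify_response 200 "$VULN_BODY"   # vulnerable
    leaked_creds "$VULN_BODY"
elif [ -n "${1-}" ]; then
    probe_url "$1"                       # e.g. ./check.sh http://yourip/admin
fi
```

Run it with --demo to see the three outcomes on the built-in samples, or pass your admin URL to probe the real server. A "vulnerable" result means an anonymous client just read your admin credentials, so treat them as compromised and change them after patching, not only before.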

This lets anyone log in; they can then look at your SIP extensions, view the secrets in plain text, register to your phone server and run up your phone bill.

Typically an attacker will enable international calling and/or 900/976 numbers, even if you had them blocked in your outbound routes, potentially making you responsible for thousands of dollars in phone calls.

Now let's get into how to block this.

#1 Upgrade to the latest version of FreePBX. The easiest way to do that is to follow the instructions here:

http://www.freepbx.org/forum/freepbx-distro/distro-discussion-help/release-versions

Whether you upgrade or not, you should harden your server.

So #2: restrict access to your phone server to only the IPs that absolutely need it. If you have phones on dynamic IPs, such as typical DHCP addresses from an ISP cable or DSL modem, this may not be practical, and you may want to allow a block of IPs or limit access by country instead.

Most of the attackers probing for PBXs are not in your country, so country blocking keeps many of them from finding your server in the first place. It is possible for them to use a proxy, but a lot of the time they won't take that extra step.

IPs can be restricted easily with iptables, or with a firewall manager such as APF (Advanced Policy Firewall), available here:

http://www.rfxn.com/projects/advanced-policy-firewall/
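An iptables allow-list of the kind step #2 describes, added here as an example; it is not from the original advisory and not APF's own configuration. It prints the rules instead of applying them so they can be reviewed first and then piped to sh as root. The addresses are placeholders and the ports are the Asterisk defaults (SIP on 5060/udp, RTP on 10000-20000/udp); adjust both for your own setup. Phones on dynamic ISP addresses cannot be allow-listed this way, which is where the country blocks and the web-interface restriction in step #3 come in.

```shell
#!/bin/sh
# Added example (not from the original advisory): generate a default-drop
# iptables policy for a FreePBX/Asterisk box. Placeholder addresses below;
# review the output, then run:  sh thisfile.sh --print | sh   (as root)

ADMIN_IPS="203.0.113.10"                    # where you manage the GUI/SSH from
PHONE_NETS="198.51.100.0/24 192.0.2.0/24"   # office networks that register phones
SIP_PORT=5060                               # Asterisk default SIP port (udp)
RTP_RANGE="10000:20000"                     # Asterisk default RTP range (udp)
HTTP_PORT=80                                # change if you moved Apache (step #5)

# gen_rules -> prints the iptables commands implementing the policy above.
# Order matters: loopback and established traffic first, then the explicit
# allows, and everything else falls through to the DROP policy.
gen_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in $ADMIN_IPS; do
        echo "iptables -A INPUT -p tcp -s $ip --dport 22 -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $ip --dport $HTTP_PORT -j ACCEPT"
    done
    for net in $PHONE_NETS; do
        echo "iptables -A INPUT -p udp -s $net --dport $SIP_PORT -j ACCEPT"
        echo "iptables -A INPUT -p udp -s $net --dport $RTP_RANGE -j ACCEPT"
    done
    # SIP and HTTP from the rest of the Internet are dropped by the policy;
    # log a rate-limited sample so you can see who is scanning you.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"pbx-drop: \""
}

# rule_count -> number of ACCEPT rules generated (sanity check before applying)
rule_count() { gen_rules | grep -c -- '-j ACCEPT'; }

if [ "${1-}" = "--print" ]; then
    gen_rules
fi
```

Note that this is for SIP over UDP only; if you also carry SIP over TCP or use IAX2 (4569/udp), add matching rules, and make sure your own management address is in ADMIN_IPS before you apply it from a remote session.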

#3 Assuming the attacker uses a proxy and you have phones on dynamic IPs, you can still restrict access to the web interface to a single IP, or a few IPs, by editing httpd.conf.

The section you're looking for is below (Apache 2.2 syntax). Add an allow line for each IP you want to access the web interface from; with Order deny,allow the allow lines are evaluated after deny from all, so only the listed addresses get through. Apache 2.4 replaced Order/Allow/Deny with the Require directive, so on 2.4 the same allow-list is written with Require ip instead.

…

Options Indexes FollowSymLinks

…

AllowOverride None

#
# Controls who can get stuff from this server.
#
Order deny,allow
allow from 12.34.56.78
deny from all

#4 Turn the web server off. You don't need the web interface up to make or receive phone calls, so you can leave it stopped and start it only when you need to work in it (disable it at boot with chkconfig as well, or it will come back after a reboot):

service httpd stop

#5 Change the httpd port. An attacker can easily find the new port with a port scanner, so this is obscurity only, but it makes them go through one more step. Do that with this line in httpd.conf, and remember to open the new port in your firewall and use http://yourip:801/admin afterwards:

Listen 801

Then restart Apache.

#6 Test everything to verify that you can access the server and web interface and other IPs can't. Test from an address outside your allow-list (a mobile connection, for example), not only from one you allowed.

#7 Monitor your system continuously. Look at the Asterisk log to see which extensions are registering and from which IPs:

grep Reg /var/log/asterisk/full

Look at your call logs and make sure there isn't an unusually high number of calls. If international or 900/976 numbers are enabled by your provider, look at the logs extra carefully for those.
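A small log review of the kind step #7 describes, added here as an example and not part of the original advisory. It reads registration lines from /var/log/asterisk/full, counts failed attempts per source address and flags successful registrations from networks your phones should not be on. The log lines embedded in it are constructed in the Asterisk 1.8 chan_sip format, and the allowed network prefixes are placeholders for your own.

```shell
#!/bin/sh
# Added example (not from the original advisory): summarise SIP
# registrations in the Asterisk full log and flag unexpected sources.
# Usage: sh thisfile.sh --demo   (built-in sample)
#        sh thisfile.sh --live   (reads $LOG_FILE)

LOG_FILE=/var/log/asterisk/full
EXPECTED_PREFIXES="192.168. 198.51.100."   # networks your phones live on (placeholders)

# sample_log -> constructed log lines in chan_sip's 1.8 format (not from a real PBX)
sample_log() {
    cat <<'EOF'
[2013-02-01 08:00:01] VERBOSE[2211] chan_sip.c:   -- Registered SIP '101' at 192.168.1.21:5060
[2013-02-01 08:00:05] VERBOSE[2211] chan_sip.c:   -- Registered SIP '102' at 198.51.100.7:5060
[2013-02-01 08:01:44] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5:5062' - Wrong password
[2013-02-01 08:01:45] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5:5062' - Wrong password
[2013-02-01 08:02:10] VERBOSE[2211] chan_sip.c:   -- Registered SIP '101' at 203.0.113.5:5062
[2013-02-01 08:02:30] VERBOSE[2230] pbx.c:     -- Executing [0114412345678@from-internal:1] Dial("SIP/101-00000003", "SIP/trunk/0114412345678")
EOF
}

# registered_peers: log on stdin -> "EXT IP" per successful registration
registered_peers() {
    sed -n "s/.*Registered SIP '\([^']*\)' at \([0-9.]*\):[0-9]*.*/\1 \2/p"
}

# failed_by_source: log on stdin -> "COUNT IP", busiest source first
failed_by_source() {
    sed -n "s/.*Registration from .* failed for '\([0-9.]*\):[0-9]*'.*/\1/p" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# unexpected_registrations: log on stdin -> "EXT IP" for registrations whose
# source does not start with one of EXPECTED_PREFIXES. A known extension
# registering from an unknown network is the classic sign of a stolen secret.
unexpected_registrations() {
    registered_peers | while read -r ext ip; do
        ok=0
        for p in $EXPECTED_PREFIXES; do
            case "$ip" in "$p"*) ok=1 ;; esac
        done
        if [ "$ok" = 0 ]; then
            echo "$ext $ip"
        fi
    done
}

# report: log on stdin -> the three summaries above
report() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    echo "== Successful registrations (ext ip)";        registered_peers < "$tmp" | sort -u
    echo "== Failed registrations by source (count ip)"; failed_by_source < "$tmp"
    echo "== Registrations from unexpected networks";   unexpected_registrations < "$tmp"
    rm -f "$tmp"
}

case "${1-}" in
    --demo) sample_log | report ;;
    --live) report < "$LOG_FILE" ;;
esac
```

On the sample, extension 101 first registers from the office network and then from 203.0.113.5, the same address that was brute-forcing extension 100 a minute earlier; that second registration is what the unexpected-networks list surfaces. Compare the successful-registration list against the extensions you actually issued, and run the same review over the CDRs for calls placed outside business hours.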

As you can see, an attacker can easily get into an out-of-date FreePBX system. However, the tips here are enough to find out whether you're vulnerable, upgrade your system, block this type of attack and help block similar exploits in the future.

Disclaimer:

All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. The author is not responsible for any risks or occurrences caused by the application of this information.

Source:
http://packetstormsecurity.org
