CVE-2012-4869
Published: 2012-09-06
Priority: P1 · 81 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Status: exploited in the wild · public exploit · VulnCheck KEV · initial access
EPSS: 70.25% (99.3rd percentile)
The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sangoma | freepbx | <= 2.10 | — |
| sangoma | freepbx | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP GET requests to /recordings/misc/callme_page.php with 'action=c' and CRLF injection sequences (%0D%0A) in the callmenum parameter, particularly containing 'Application:%20system' and 'Data:' strings indicating Asterisk AMI command injection.
- The exploit injects CRLF sequences into the callmenum parameter to manipulate the Asterisk Manager Interface (AMI) Originate command, injecting 'Application: system' and 'Data: <cmd>' headers. Monitor for %0D%0A or literal CRLF in callmenum GET parameter values.
- The exploit payload uses a Perl reverse shell via 'perl -MIO -e' executed through the injected AMI system application. Monitor for a Perl reverse shell process spawned by the asterisk user (uid=100, gid=101).
- Post-exploitation privilege escalation on Elastix uses 'sudo nmap --interactive' followed by '!sh' to obtain root. Monitor for nmap spawning a shell (child process /bin/sh) from the asterisk user.
- The Metasploit module brute-forces extension numbers in a configurable range (default 0-100) via sequential GET requests. Detect rapid sequential requests to callme_page.php with incrementing numeric prefixes in the callmenum parameter.
- Exploitation requires the call to be answered or go to voicemail; a live or voicemail-enabled extension must exist on the target system for the injected AMI Originate command to execute.
- The vulnerability is pre-authenticated: no credentials are required to exploit it, as the callme_page.php endpoint does not enforce authentication before processing the callmenum parameter.
- The exploit was tested and confirmed on both Elastix and FreePBX ISO image installs, meaning detection rules should cover both deployment types.
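As an added example (not taken from any of the sources quoted on this page), the following Python script implements the detection logic the list above describes, run over a few constructed Apache combined-format access-log lines. It percent-decodes the callmenum parameter of c-action requests to callme_page.php, tags CRLF sequences and injected AMI-style Application:/Data: headers, and separately flags clients that walk numeric callmenum prefixes sequentially (the extension brute-force pattern). The log lines, IP addresses, the harmless 'id' payload and the run threshold are constructed for the example and are not values from the page.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access-log lines (not real traffic).
# The first three show one client walking extensions 1000-1002 with the
# CRLF / AMI-header pattern in callmenum; the last two are benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2012:10:15:01 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id%0D%0A%0D%0A HTTP/1.1" 200 512
203.0.113.7 - - [24/Mar/2012:10:15:02 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1001@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id%0D%0A%0D%0A HTTP/1.1" 200 512
203.0.113.7 - - [24/Mar/2012:10:15:03 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1002@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id%0D%0A%0D%0A HTTP/1.1" 200 512
198.51.100.9 - - [24/Mar/2012:10:16:10 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=2001 HTTP/1.1" 200 512
192.0.2.5 - - [24/Mar/2012:10:17:00 +0000] "GET /admin/config.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CALLME_PATH = "/recordings/misc/callme_page.php"
CRLF_RE = re.compile(r"[\r\n]")
# Header-style lines that only make sense inside an injected AMI Originate action
AMI_HEADER_RE = re.compile(r"^(Application|Data)\s*:", re.IGNORECASE | re.MULTILINE)
AMI_SYSTEM_RE = re.compile(r"^Application\s*:\s*system\b", re.IGNORECASE | re.MULTILINE)


def parse_line(line):
    """Parse one combined-format log line into ip, timestamp, path and decoded query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # parse_qs percent-decodes values, so %0D%0A becomes a real CR LF pair
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m["ip"], "ts": m["ts"], "path": parts.path, "query": query}


def is_callme_c_action(req):
    return req["path"].endswith(CALLME_PATH) and req["query"].get("action") == "c"


def classify(req):
    """Return finding tags for one request; an empty list means nothing suspicious."""
    findings = []
    if not is_callme_c_action(req):
        return findings
    callmenum = req["query"].get("callmenum", "")
    if CRLF_RE.search(callmenum):
        findings.append("crlf_in_callmenum")
        if AMI_HEADER_RE.search(callmenum):
            findings.append("ami_header_injection")
        if AMI_SYSTEM_RE.search(callmenum):
            findings.append("ami_system_application")
    return findings


def detect_enumeration(requests, min_run=3):
    """Map client IP -> longest run of consecutive numeric callmenum prefixes (>= min_run)."""
    by_ip = defaultdict(list)
    for req in requests:
        if is_callme_c_action(req):
            m = re.match(r"\d+", req["query"].get("callmenum", ""))
            if m:
                by_ip[req["ip"]].append(int(m.group()))
    flagged = {}
    for ip, nums in by_ip.items():
        run = best = 1
        for prev, cur in zip(nums, nums[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged


def analyze(log_text, min_run=3):
    """Run both detections over a block of log text."""
    requests = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    injections = [(r["ip"], r["ts"], classify(r)) for r in requests if classify(r)]
    return {"injections": injections, "enumeration": detect_enumeration(requests, min_run)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, ts, tags in result["injections"]:
        print(f"{ts} {ip} {', '.join(tags)}")
    print("sequential extension walking:", result["enumeration"])
```

The decode step matters: a rule that only greps the raw request line for `%0D%0A` misses mixed-case encodings such as `%0d%0a`, whereas matching on the decoded value catches both. The run threshold of 3 is deliberately low for the sample; on real traffic it would be tuned against the legitimate click-to-call usage of the page.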
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 7.5 | HIGH | — |
GHSA
GHSA-vmpf-f73j-fg6v: CVE-2012-4869 [HIGH], CWE-94
ghsa_unreviewed · 2022-05-13
Description identical to the NVD text above (callme_startcall in recordings/misc/callme_page.php, callmenum parameter in a c action).
VulnCheck
Sangoma FreePBX Improper Control of Generation of Code ('Code Injection')
vulncheck · 2012 · CVSS 7.5 · HIGH
Description identical to the NVD text above.
Affected: Sangoma FreePBX
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware; https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
Exploit PoC: https://vulncheck.com/xdb/64d68e7469bc
No detection rules found.
Exploit-DB
FreePBX 2.9.0/2.10.0 - 'callmenum' Remote Code Execution (Metasploit)
exploitdb · 2012-03-24 · CVE-2012-4869
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution',
'Description' => %q{
This module exploits FreePBX version 2.10.0,2.9.0 and possibly older.
Due to the way callme_page.php handles the 'callmenum' parameter, it
is possible to inject code to the '$channel' variable in function
callme_startcall in order to gain remote code execution.
Please note in order to use this module properly, you must know the
extension number, which can be enumerat
```
Exploit-DB
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution
exploitdb · 2012-03-23 · CVE-2012-4869
---
```python
#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
#####################################
```
Exploit-DB
FreePBX 2.9.0/2.10.0 - Multiple Vulnerabilities
exploitdb · 2012-03-22 · CVE-2012-4870
---
Product: FreePBX
Version: 2.10.0, 2.9.0 and perhaps earlier versions
Type: Remote Command Execution, XSS
Release Date: March 14, 2012
Vendor Notification Date: Jun 12, 2011
Author: Martin Tschirsich
Overview:
A remote command execution vulnerability and some XSS in current and earlier
FreePBX versions due to missing input sanitization.
FreePBX is a popular implementation (500,000 active phone systems) of
Asterisk (telephony software) based around a web-based configuration
interface and other tools. Some of these installations are on a public IP
address.
Proof of Concept:
RCE:
[HOST]/recordings/misc/callme_page.php?action=c&callmenum=[PHONENUMBER]@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20[CMD]%0D%0A%0D%0A
XSS (2.9
Metasploit
FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
metasploit
This module exploits FreePBX version 2.10.0, 2.9.0 and possibly older. Due to the way callme_page.php handles the 'callmenum' parameter, it is possible to inject code to the '$channel' variable in function callme_startcall in order to gain remote code execution. Please note in order to use this module properly, you must know the extension number, which can be enumerated or bruteforced, or you may try some of the default extensions such as 0 or 200. Also, the call has to be answered (or go to voice). Tested on both Elastix and FreePBX ISO image installs.
Unit42
Mirai Variant V3G4 Targets IoT Devices
blogs_unit42 · 2023-02-15 · CVSS 7.5 · HIGH
Authors: Chao Lei, Zhibin Zhang, Cecilia Hu, Aveek Das. Published: February 15, 2023. Tags: Threat Research, Vulnerabilities, Botnet, IoT Vulnerability, Mirai variant, V3G4.
## Content Warning
We are providing a content warning because the following contains usage of a racial slur by a threat actor, which is not condoned in any instance by Unit 42. Unit 42 has partially redacted the racial slur to provide researchers with the ability to identify it and check IoCs as needed.
## Executive Summary
From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. The vulnerabilities exploited include the following:
- CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- CVE-2017-5173: Geut
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42 · 2019-12-13
Author: Ruchna Nigam. Published: December 13, 2019. Tags: Malware, Threat Research, Vulnerabilities, Echobot, IoT, IoT Vulnerability, Mirai, Mirai variant.
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
References
- http://packetstormsecurity.org/files/111028/FreePBX-2.10.0-Remote-Command-Execution-XSS.html
- http://seclists.org/fulldisclosure/2012/Mar/234
- http://secunia.com/advisories/48463
- http://www.exploit-db.com/exploits/18649
- http://www.exploit-db.com/exploits/18659
- http://www.freepbx.org/trac/ticket/5711
- http://www.securityfocus.com/bid/52630
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74174