CVE-2014-7235
published 2014-10-07


Priority: P1 (80)
CVSS 2.0: 10.0 critical, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 42.99% (98.6th percentile)
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.

Affected

22 ranges

Vendor    Product   Version range                                   Fixed in
freepbx   freepbx   (16 ranges; version bounds not listed)
sangoma   freepbx   <= 2.9.0.8
sangoma   freepbx   (5 further ranges; version bounds not listed)

Per the description, the vulnerable versions are FreePBX before 2.9.0.9, all of 2.10.x, and 2.11 before 2.11.1.5.

Detection & IOCs (extracted from sources)

cookie:   ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}}
path:     htdocs_ari/includes/login.php
path:     /recordings/index.php
path:     /recordings/misc/audio.php
filename: misc/audio.php
cookie:   ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "");'
  • Detect PHP unserialize exploitation via the `ari_auth` cookie: look for HTTP requests to /recordings/index.php whose `ari_auth` cookie value begins with a PHP serialized-object header (`O:<len>:"<class>"`, e.g. `O:8:"DB_mysql"`).
  • Detect a Shellshock-style payload chained with CVE-2014-7235: look for `ari_lang` cookie values containing the Bash function syntax `() { :;};` followed by a command (in the observed payload, `php -r` dropping a file).
  • Monitor for creation or access of the web shell drop path /recordings/misc/audio.php on FreePBX/Asterisk servers; this is the attacker-written backdoor file.
  • Alert on deletion of page.framework.php on FreePBX systems; the exploit payload explicitly unlinks this file as part of the attack chain.
  • The PoC's serialized DSN targets localhost (127.0.0.1); in real-world exploitation the host will differ, so detection rules should not be scoped to loopback addresses only.
  • CVE-2014-7235 affects FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5; these detections are only relevant against those unpatched version ranges.
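The rules above, applied to log lines by a small Python detector. This is an added example and not code from the page or from the FreePBX project; the tab-separated log format (client IP, method, path, Cookie header) and every sample line are constructed for the example. It checks the three request-side signals (a PHP serialized-object header in `ari_auth`, the `() { :;};` function definition in `ari_lang`, and any hit on the web shell drop path) and deliberately does not filter on client or target address. One edge case matters: the Shellshock payload contains `;`, so a per-cookie split on `;` truncates it; the rule is therefore matched against the raw Cookie header instead of the parsed value.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not from the page): "<client_ip>\t<method>\t<path>\t<Cookie header>".
# In practice these would come from an access log that records %{Cookie}i, or from a proxy/WAF.
SAMPLE_LOG = "\n".join([
    # 1: benign ARI login, ordinary cookie values -> no alert
    "198.51.100.4\tGET\t/recordings/index.php\tari_auth=abc123; ari_lang=en_US",
    # 2: ari_auth carries a PHP serialized object (URL-encoded, as a client would send it)
    "203.0.113.7\tGET\t/recordings/index.php\tari_auth=O%3A8%3A%22DB_mysql%22%3A6%3A%7Bs%3A19%3A%22_default_error_mode%22%3Bi%3A16%3B%7D",
    # 3: ari_lang carries a Shellshock-style function definition followed by a command
    "203.0.113.7\tGET\t/recordings/index.php\tari_lang=() { :;};php -r 'unlink(\"page.framework.php\");'",
    # 4: first request to the web shell drop path
    "203.0.113.7\tPOST\t/recordings/misc/audio.php\t",
    # 5: raw (unencoded) serialized object with another class name; the rule is not tied to DB_mysql
    "192.0.2.9\tGET\t/recordings/index.php\tari_auth=O:4:\"Evil\":1:{s:1:\"a\";i:1;}",
])

# PHP serialized-object header: O:<name length>:"<class name>"
PHP_OBJECT_RE = re.compile(r'^O:(\d+):"([^"]*)"')
# Bash function definition as used by Shellshock, scoped to the ari_lang cookie; matched on the
# raw header because the ';' inside the payload breaks per-cookie splitting.
SHELLSHOCK_RE = re.compile(r'ari_lang=\s*\(\)\s*\{\s*:;\s*\};')
WEBSHELL_PATH = "/recordings/misc/audio.php"


def parse_cookies(header):
    """Split a Cookie header into name -> URL-decoded value.

    A raw serialized payload is cut at its first ';' here, but its leading
    O:<len>:"<class>" header survives, which is all the object rule needs."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name.strip()] = unquote(value)
    return cookies


def serialized_class(value):
    """Return the class name if value starts with a PHP serialized-object header
    whose declared length matches the name, else None."""
    m = PHP_OBJECT_RE.match(value)
    if m and int(m.group(1)) == len(m.group(2)):
        return m.group(2)
    return None


def inspect_request(path, cookie_header):
    """Return the names of the detections that fire for one request."""
    alerts = []
    cookies = parse_cookies(cookie_header)
    cls = serialized_class(cookies.get("ari_auth", ""))
    if cls is not None:
        alerts.append("ari_auth_php_object:" + cls)
    if SHELLSHOCK_RE.search(unquote(cookie_header)):
        alerts.append("ari_lang_shellshock")
    if path == WEBSHELL_PATH:
        alerts.append("webshell_path_access")
    return alerts


def scan(log_text):
    """Run the detections over tab-separated log lines; return
    (client_ip, path, alerts) for every line that raised at least one alert."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, path, cookie_header = line.split("\t", 3)
        alerts = inspect_request(path, cookie_header)
        if alerts:
            hits.append((ip, path, alerts))
    return hits


if __name__ == "__main__":
    for ip, path, alerts in scan(SAMPLE_LOG):
        print(ip, path, ", ".join(alerts))
```

The fourth bullet (deletion of page.framework.php) and file creation under misc/ are host-side events and are outside what a request log can show; they need a file-integrity or audit sensor on the PBX itself.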

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck             10.0    CRITICAL