CVE-2014-7235
Published 2014-10-07
Priority: P1 (80); CVSS 2.0 score 10.0, critical, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 42.99% (98.6th percentile)
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.
Affected
22 ranges listed; only one carries version data on this page, the rest show no range or fixed version.

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freepbx | freepbx | — | — |
| sangoma | freepbx | <= 2.9.0.8 | — |
Detection & IOCs (extracted from sources)

Cookie indicators:

- `ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}}`
- `ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "");'`

Detection rules:

- Detect PHP unserialize exploitation via the `ari_auth` cookie: look for HTTP requests to /recordings/index.php containing an `ari_auth` cookie value beginning with a PHP serialized object prefix (e.g., `O:8:"DB_mysql"`).
- Detect Shellshock-style payload chained with CVE-2014-7235: look for `ari_lang` cookie values containing the Bash function syntax `() { :;};` followed by PHP code execution.
- Monitor for creation or access of the web shell drop path /recordings/misc/audio.php on FreePBX/Asterisk servers, which is the attacker-written backdoor file.
- Alert on deletion of page.framework.php on FreePBX systems, as the exploit payload explicitly unlinks this file as part of the attack chain.

Notes:

- The PoC targets localhost (127.0.0.1); in real-world exploitation the target host will differ. Detection rules should not be scoped to loopback addresses only.
- CVE-2014-7235 affects FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5; detections are only relevant against these unpatched version ranges.
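As an added example (not code from the page, the vendor, or any listed source), the first two detection rules above implemented over constructed access-log lines; the log format, the `cookie_value` and `analyze` helpers and the sample lines are assumptions, and the serialized-object check generalizes past `DB_mysql` to any class name.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# ari_auth beginning with a PHP serialized-object marker O:<len>:"<class>":.
# The page's IoC names DB_mysql; this pattern accepts any class name.
SERIALIZED_OBJECT = re.compile(r'^O:\d+:"([A-Za-z0-9_\\]+)":')
# Bash function-definition prefix of the chained Shellshock-style ari_lang payload.
SHELLSHOCK_PREFIX = re.compile(r'\(\)\s*\{\s*:;\s*\};')
# Assumed (constructed) log format: <ip> "<METHOD> <path> <proto>" <status> cookie="<Cookie header>"
LOG_LINE = re.compile(r'(\S+) "(\w+) (\S+)[^"]*" (\d+) cookie="(.*)"$')


def cookie_value(header: str, name: str) -> Optional[str]:
    """URL-decoded text after 'name=' in a raw Cookie header.
    Serialized PHP payloads contain ';' and '"', so a strict cookie parser
    would truncate them; read up to the next '; <token>=' boundary instead."""
    m = re.search(r'(?:^|;\s*)' + re.escape(name)
                  + r'=(.*?)(?=;\s*[A-Za-z_][\w-]*=|$)', header)
    return unquote(m.group(1)) if m else None


def analyze(line: str) -> List[str]:
    """Alerts raised by one log line; empty when nothing matches.
    The source address is intentionally ignored: the PoC targets 127.0.0.1,
    but real attempts arrive from anywhere, so never scope to loopback."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    path, cookies = m.group(3), m.group(5)
    alerts = []
    auth = cookie_value(cookies, "ari_auth")
    obj = SERIALIZED_OBJECT.match(auth) if auth is not None else None
    if obj:
        alerts.append(f"ari_auth serialized object {obj.group(1)} on {path}")
    lang = cookie_value(cookies, "ari_lang")
    if lang is not None and SHELLSHOCK_PREFIX.search(lang):
        alerts.append(f"ari_lang shellshock-style prefix on {path}")
    return alerts


# Constructed samples: a chained attempt, a URL-encoded ari_auth, and a benign
# session whose ari_auth is a serialized array (a:), not an object (O:).
SAMPLE_LOG = [
    '198.51.100.4 "GET /recordings/index.php HTTP/1.1" 200 cookie="ari_auth=O:8:"DB_mysql":1:{s:3:"dsn";a:1:{s:8:"hostspec";s:9:"localhost";}}; ari_lang=() { :;};echo test"',
    '198.51.100.9 "GET /recordings/index.php HTTP/1.1" 200 cookie="ari_lang=en; ari_auth=O%3A8%3A%22DB_mysql%22%3A0%3A%7B%7D"',
    '192.0.2.25 "GET /recordings/index.php HTTP/1.1" 200 cookie="ari_auth=a:1:{s:4:"user";s:5:"admin";}; ari_lang=en"',
]
```

Running `analyze` over each entry of `SAMPLE_LOG` raises two alerts for the first line, one for the URL-encoded second line, and none for the benign third line.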
CVSS provenance

- NVD (CVSS 2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 10.0 CRITICAL
GHSA

GHSA-7pc8-wp58-mr3p (unreviewed, 2022-05-13): CVE-2014-7235, severity HIGH, CWE-94. Description identical to the CVE description above.
VulnCheck

freepbx FreePBX Improper Control of Generation of Code ('Code Injection'), 2014, CVSS 10.0 CRITICAL. Description identical to the CVE description above.
Affected: freepbx FreePBX
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2014-7235
- https://nvd.nist.gov/vuln/detail/CVE-2014-7235
- https://www.cve.org/CVERecord?id=CVE-2014-7235
No detection rules found.
References

- http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536
- http://packetstormsecurity.com/files/128516/FreePBX-Authentication-Bypass-Account-Creation.html
- http://secunia.com/advisories/61601
- http://www.securityfocus.com/bid/70188
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96790
- https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836
- https://www.exploit-db.com/exploits/41005/