CVE-2019-11409
Published: 2019-06-17
Priority: P2 (75), high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 87.48% (99.7th percentile)
app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fusionpbx | fusionpbx | — | — |
Detection & IOCs (extracted from the sources listed below)
- Detect GET requests to /app/operator_panel/exec.php whose 'cmd' parameter begins with 'bg_system' or 'system'. These are the FreeSWITCH API commands, sent through the event socket, that the public exploits use to run a shell command on the host.
- Treat the string 'access denied' in an exec.php response as a negative indicator: the request was rejected. A 200 response to an exec.php request carrying a 'system' or 'bg_system' command without that string indicates the command was accepted and should be confirmed with host-side evidence (process execution, outbound connections).
- Detect XMLHttpRequest calls issued from the operator panel page to exec.php with a 'cmd' parameter. This is the XSS-to-RCE pivot: the injected script runs in the operator's browser and makes the request with that user's session.
- Flag a POST to /core/user_settings/user_dashboard.php followed shortly by a GET to /app/operator_panel/exec.php from the same session. This is the login-then-exploit sequence used by the Metasploit module.
- The exploit requires operator_panel_view or administrator permissions; audit FusionPBX user accounts that hold these roles as a hardening measure.
- Direct exploitation requires authentication with at least 'operator_panel_view' permissions. Without credentials, exploitation is only possible by chaining the XSS (CVE-2019-11408), which makes a logged-in operator's browser issue the exec.php request.
- The Metasploit module defaults to SSL on port 443; detections should cover both HTTP and HTTPS traffic to the target paths.
- The standalone PoC exploit (EDB-46985) chains CVE-2019-11408 (XSS) with CVE-2019-11409 (command injection) and requires no prior authentication: it injects the XSS payload through the caller ID of a SIP INVITE sent to the external SIP profile on port 5080, and the payload fires in the operator panel and calls exec.php.
- Bad characters for the Metasploit payload are the null byte, newline, carriage return, single quote and backslash; custom detections should account for the encoding attackers use to avoid them.
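The indicators above, turned into detection logic that runs over web-server access logs. This is an added example written for this page, not code from FusionPBX, Metasploit or the Exploit-DB PoC. It assumes a hypothetical access-log format that appends the session cookie value as a final quoted field, so that the login-then-exploit sequence can be correlated per session, and it treats a Referer of the operator panel page on an exec.php request as the log-side signature of the XSS pivot (a browser-issued XMLHttpRequest carries that Referer, a direct Metasploit request normally does not); that Referer heuristic is an assumption of this example, not something the sources state. The sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

EXEC_PATH = "/app/operator_panel/exec.php"
LOGIN_PATH = "/core/user_settings/user_dashboard.php"
OPERATOR_PANEL_DIR = "/app/operator_panel/"

# The first token of the cmd value is the FreeSWITCH API command; the public
# exploits use "system" or "bg_system" to run a shell command on the host.
SHELL_CMD_RE = re.compile(r"^\s*(bg_)?system\b", re.IGNORECASE)

# Hypothetical log format (assumption): combined log format with the session
# cookie value appended as a final quoted field:
#   ip - - [ts] "METHOD target HTTP/1.1" status bytes "referer" "agent" "session"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*" "(?P<session>[^"]*)"$'
)

# Constructed sample lines, not real traffic:
#   abc123: login POST followed two seconds later by an exec.php bg_system call
#   def456: a benign operator-panel command, must not alert
#   ghi789: exec.php "system" call whose Referer is the operator panel page,
#           the shape a CVE-2019-11408 XSS pivot leaves behind
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2019:10:00:01 +0000] "POST /core/user_settings/user_dashboard.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "abc123"
10.0.0.5 - - [20/Nov/2019:10:00:03 +0000] "GET /app/operator_panel/exec.php?cmd=bg_system+id HTTP/1.1" 200 17 "-" "Mozilla/5.0" "abc123"
10.0.0.7 - - [20/Nov/2019:10:05:00 +0000] "GET /app/operator_panel/exec.php?cmd=show+channels HTTP/1.1" 200 211 "https://pbx.example/app/operator_panel/index.php" "Mozilla/5.0" "def456"
10.0.0.9 - - [20/Nov/2019:10:06:00 +0000] "GET /app/operator_panel/exec.php?cmd=system%20whoami HTTP/1.1" 200 12 "https://pbx.example/app/operator_panel/index.php" "Mozilla/5.0" "ghi789"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def injected_command(target):
    """Return the decoded cmd value when the request targets exec.php with a
    system/bg_system command, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith(EXEC_PATH):
        return None
    for cmd in parse_qs(parts.query).get("cmd", []):
        if SHELL_CMD_RE.match(cmd):
            return cmd
    return None


def response_indicates_success(status, body):
    """'access denied' in the body means exec.php refused the command; a 200
    without it means the command reached the event socket. Needs the response
    body, so this belongs in a proxy or WAF hook rather than an access-log scan."""
    return status == 200 and "access denied" not in body.lower()


def detect(log_text, window=timedelta(seconds=60)):
    """Scan access-log text and return one alert dict per suspicious exec.php request."""
    alerts = []
    last_login = {}  # session -> timestamp of the most recent login POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and urlsplit(rec["target"]).path == LOGIN_PATH:
            last_login[rec["session"]] = rec["ts"]
            continue
        cmd = injected_command(rec["target"])
        if cmd is None:
            continue
        alert = {"session": rec["session"], "ip": rec["ip"], "cmd": cmd,
                 "status": rec["status"], "tags": ["exec_cmd_injection"]}
        login_ts = last_login.get(rec["session"])
        if login_ts is not None and timedelta(0) <= rec["ts"] - login_ts <= window:
            alert["tags"].append("login_then_exploit")
        referer = rec["referer"]
        if referer not in ("", "-") and OPERATOR_PANEL_DIR in urlsplit(referer).path:
            alert["tags"].append("xss_pivot_referer")
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The access-log scan cannot see response bodies, so the 'access denied' check is kept separate in response_indicates_success for use where the body is available. Run it against logs for both the HTTP and HTTPS virtual hosts, since the Metasploit module defaults to port 443.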
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
Exploit-DB
FusionPBX - Operator Panel exec.php Command Execution (Metasploit)
exploitdb · 2019-11-20 · CVE-2019-11409
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FusionPBX Operator Panel exec.php Command Execution',
      'Description'    => %q{
        This module exploits an authenticated command injection vulnerability
        in FusionPBX versions 4.4.3 and prior.

        The `exec.php` file within the Operator Panel permits users with
        `operator_panel_view` permissions, or administrator permissions,
        to execute arbitrary commands as the web server user by sending
        a `system` command to the FreeSWITCH event socket interface.

        This module has been tested successfully on FusionPBX version
        4.4.1 on Ubuntu 19.04 (x64).
      },
      'License'        => MSF_LICENSE,
      'Au
Exploit-DB
FusionPBX 4.4.3 - Remote Command Execution
exploitdb · 2019-06-12 · CVE-2019-11408 (MEDIUM, CVSS 6.1)
---
# Exploit Title: FusionPBX <= 4.4.3 Command Injection RCE via XSS
# Date: 06-11-2019
# Exploit Author: Dustin Cobb
# Vendor Homepage: https://www.fusionpbx.com
# Software Link: https://github.com/fusionpbx/fusionpbx
# Version: <= 4.4.3
# Tested on: Debian 8.11
# CVE : CVE-2019-11408 (XSS) AND CVE-2019-11409 (Command Injection RCE)

#!/usr/bin/python
import socket, sys
from random import randint
from hashlib import md5

# Exploitation steps:
#
# 1. First, encode an XSS payload that will be injected into the
#    "Caller ID Number" field, or "User" component of the SIP
#    "From" URI.
# 2. Connect to external SIP profile port and send a SIP INVITE
#    packet with XSS payload injected into the From Field.
# 3. XSS payload will fire operator pa
Metasploit
FusionPBX Operator Panel exec.php Command Execution
metasploit
This module exploits an authenticated command injection vulnerability in FusionPBX versions 4.4.3 and prior. The `exec.php` file within the Operator Panel permits users with `operator_panel_view` permissions, or administrator permissions, to execute arbitrary commands as the web server user by sending a `system` command to the FreeSWITCH event socket interface. This module has been tested successfully on FusionPBX version 4.4.1 on Ubuntu 19.04 (x64).
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/153256/FusionPBX-4.4.3-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/155344/FusionPBX-Operator-Panel-exec.php-Command-Execution.html
- https://blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html
- https://github.com/fusionpbx/fusionpbx/commit/e43ca27ba2d9c0109a6bf198fe2f8d79f63e0611