Issabel PBX 4.0.0 allows a logged-in user to use the asterisk_cli console to create files with the `xmldoc` and `dump` commands.
This allows remote command execution based on the names of the uploaded files by abusing the `restore.php` file.
This PoC script is based on this PoC video.

```
$ python3 Issabel_PBX_Authenticated_RCE.py -u <user> -p <password> -t <ip-address> -c <UNIX command>
```

For example:

```
$ python3 Issabel_PBX_Authenticated_RCE.py -u 'johncena' -p 'ucantseem3' -t 'https://10.10.10.10' -c 'id'
```
- This will create a file located at `/var/www/backup` called `x|<command>`. It is suggested to remove all those files after testing.
- Commands that are too long might not be executed.
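A defender-side check, added here and not part of the PoC script or of Issabel itself: it lists backup file names that fail a strict character allowlist, which is how the `x|<command>` leftovers described above (or a real attempt) show up in `/var/www/backup`. The allowlist character set is an assumption about what legitimate archive names look like.

```python
import os
import re
from typing import Iterable, List, Tuple

# Allowlist (assumption): a legitimate backup archive name consists only of
# letters, digits, dots, underscores and hyphens. Anything else is suspicious.
ALLOWED = re.compile(r"^[A-Za-z0-9._-]+$")

# Characters that double as shell command separators; reported for context.
SEPARATORS = {"|": "pipe", ";": "semicolon", "&": "ampersand",
              "`": "backtick", "$": "dollar"}


def suspicious_backup_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every file name that fails the allowlist."""
    findings = []
    for name in names:
        if ALLOWED.match(name):
            continue
        hits = [label for ch, label in SEPARATORS.items() if ch in name]
        reason = "shell separator: " + ", ".join(hits) if hits else "disallowed character"
        findings.append((name, reason))
    return findings


def scan_backup_dir(path: str = "/var/www/backup") -> List[Tuple[str, str]]:
    """Scan a directory on disk; an absent directory yields no findings."""
    try:
        return suspicious_backup_names(os.listdir(path))
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    # Constructed sample listing: two ordinary files and two PoC leftovers.
    sample = ["issabelbackup-20240101.tar", "notes.txt", "x|id", "x|whoami"]
    for name, reason in suspicious_backup_names(sample):
        print(f"SUSPICIOUS {name!r}: {reason}")
```

Run it on the real directory with `scan_backup_dir()` after testing to confirm nothing was left behind.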
This script was tested on Issabel PBX 4.0.0.
More CVE-2024-0986 info:
- https://nvd.nist.gov/vuln/detail/CVE-2024-0986
- https://github.com/advisories/GHSA-v9pc-9fc9-4ff8
- https://www.opencve.io/cve/CVE-2024-0986
The owner of this repository is not responsible for the usage of this software. It was made for educational purposes only.
- MIT