Security Disclosure of Vulnerability: CVE-2023-43336

Janirudransh
Sep 28, 2023


Disclosure Summary

FreePBX version 16.0.26 is vulnerable to privilege escalation. An authenticated least-privilege user is able to view the details of other users, which may include call recordings and other data.

Description

Privilege escalation vulnerabilities allow attackers to impersonate other users, or gain permissions they should not have. These vulnerabilities occur when code makes access decisions on the back of untrusted inputs.

Many websites hold sensitive data on behalf of their users. If an attacker can exploit horizontal escalation vulnerabilities to gain access to another user’s data, you are betraying your users’ trust, which can have reputational, legal, and financial implications.

If an attacker can exploit vertical escalation vulnerabilities to gain administrative access, they can interrupt critical functions and possibly compromise your application.

Version We Tested On: 16.0.26

Proof Of Concept:

Step 1: Log in to https://example.com/ucp with a non-admin user who has access to the “Call History” module. Add the “Call History” widget to the dashboard.

Step 2: Upon adding the widget, several requests are triggered. One of them fetches the call history data; the request URLs are listed under Instances below.

Step 3: Observe that we are able to access the module.

Step 4: Now log in as the admin user, navigate to “User Management” and disable the user's access to the “Call History” module.

Step 5: Log in to https://example.com/ucp again as the non-admin user and observe that the user no longer has access to the “Call History” module.

Step 6: Using the previously captured “Call History” request with the current (non-admin) session, send the request to the server and observe that we are still able to access the “Call History” data.

Here we were able to access a module that is no longer assigned to the user: the permission check is only applied when rendering the dashboard, not when serving the data request, which is an access-control bypass.

Step 7: Using the previously captured “Call History” request, change the value of the parameter “extension” from “self” to “101” or any other existing extension number. Send the modified request and observe that we are able to fetch the call history of other extensions to which we do not have access.
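The two failures in the steps above are (a) a data endpoint that never re-checks the user's module permission itself, and (b) an endpoint that takes the target extension from the request rather than from the session. The following is an added illustration written for this post, not FreePBX code: a toy handler that models the described behaviour of ajax.php beside a hardened version that performs both checks server-side. The Session class, the CALL_RECORDS store, the paging helper and all extension numbers and usernames are constructed assumptions; the query-string layout is taken from the Instances listed below.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample call-history store keyed by extension (not real FreePBX data).
CALL_RECORDS = {
    "100": [{"src": "100", "dst": "101", "timestamp": 1681287400, "recording": "rec-100-a.wav"}],
    "101": [{"src": "101", "dst": "200", "timestamp": 1681287450, "recording": "rec-101-a.wav"},
            {"src": "300", "dst": "101", "timestamp": 1681287480, "recording": "rec-101-b.wav"}],
}


@dataclass(frozen=True)
class Session:
    """Hypothetical authenticated UCP session. 'modules' is what the admin enabled
    for this user under User Management; 'extensions' are the user's own extensions."""
    username: str
    extensions: frozenset
    modules: frozenset


def parse_request(url):
    """Flatten the ajax.php query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def page(rows, params):
    """Apply the grid's sort/order/offset/limit parameters (assumed paging logic)."""
    key = params.get("sort", "timestamp")
    rows = sorted(rows, key=lambda r: r[key], reverse=params.get("order", "desc") == "desc")
    offset, limit = int(params.get("offset", 0)), int(params.get("limit", 10))
    return rows[offset:offset + limit]


def vulnerable_grid(session, url):
    """Models the behaviour seen in steps 6 and 7: any valid session is served, and the
    'extension' parameter is trusted, so 'self' can be replaced by another extension."""
    p = parse_request(url)
    requested = p.get("extension", "self")
    exts = sorted(session.extensions) if requested == "self" else [requested]
    rows = [r for e in exts for r in CALL_RECORDS.get(e, [])]
    return {"status": 200, "rows": page(rows, p)}


def hardened_grid(session, url):
    """Re-evaluates module permission and extension ownership on every data request."""
    p = parse_request(url)
    module = p.get("module")
    if module not in ("cdr", "cel"):
        return {"status": 404, "rows": []}
    # Check 1: the data endpoint enforces the module permission itself, not only the
    # dashboard that decides whether to show the widget. A replayed request after the
    # admin disabled the module is refused here.
    if module not in session.modules:
        return {"status": 403, "rows": []}
    # Check 2: the extension is validated against the session, never taken on trust
    # from the request. 'self' resolves to the user's own extensions; anything else
    # must be one of them.
    requested = p.get("extension", "self")
    allowed = session.extensions if requested == "self" else {requested} & session.extensions
    if not allowed:
        return {"status": 403, "rows": []}
    rows = [r for e in sorted(allowed) for r in CALL_RECORDS.get(e, [])]
    return {"status": 200, "rows": page(rows, p)}


if __name__ == "__main__":
    url = ("https://example.com/ucp/ajax.php?module=cdr&command=grid&extension=self"
           "&sort=timestamp&order=desc&offset=0&limit=10&_=1681287486402")
    alice = Session("alice", frozenset({"100"}), frozenset({"cdr", "cel"}))
    alice_disabled = Session("alice", frozenset({"100"}), frozenset())
    print("replay after disable, vulnerable:", vulnerable_grid(alice_disabled, url)["status"])
    print("replay after disable, hardened:  ", hardened_grid(alice_disabled, url)["status"])
    print("tampered extension, hardened:    ",
          hardened_grid(alice, url.replace("extension=self", "extension=101"))["status"])
```

The hardened handler makes the session, not the request, the source of truth for both decisions; the only reason the request still carries an extension value is so that a user with several assigned extensions can narrow the grid to one of their own.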

Instances

1) https://example.com/ucp/ajax.php?module=cdr&command=grid&extension=self&sort=timestamp&order=desc&offset=0&limit=10&_=1681287486402

2) https://example.com/ucp/ajax.php?module=cel&command=grid&extension=self&sort=timestamp&order=desc&offset=0&limit=10&_=1681287486402

Fixed Versions

  1. Module cdr: 15.0.18, 16.0.40
  2. Module cel: 15.0.16, 16.0.17

Fixed versions have been available via the FreePBX and PBXact mirror servers since August 24, 2023.

References

1) https://portswigger.net/web-security/access-control
2) https://www.cynet.com/network-attacks/privilege-escalation/
3) https://www.hacksplaining.com/prevention/privilege
