Path traversal in 3cx.

We constantly choose some well known apps to take a closer look here in the lab. Besides the learning factor we take joy in attacking and observing different plataforms. 3CX was the target this time.

3CX is an open source PABX IP based on software that offers complete unified communication, out of the box. It grants you easy and ‘plug and play’ PABX installation, management and upkeep which in some sort of way made it a widely used by clients such as: Pepsi, Schlumberger, American Express amongst others. We utilized 3CX version 15.5.6354.2 server for windows and during analisys it was Identified a Path traversal.

Browsing through the aplication we found the option ‘Recordings’:

In the ‘Downloads’ we have the option to download, while analysing the requests we can observe the following path “/api/RecordingList/download?file=". As a POC I was trying to access the file 3cxPhoneSystem.ini. I tryed several different ways to explore a Path Traversal but without success.

Looking closer to the application in the tab ‘location’ we have the path where the sound files are stored in the server:

So I thought ‘will the application accept if I point it to windows root directory ? Will I be able to se the files stored there?’

Well, the application accepted it, did not show any files but returning to the tab ‘Downloads’ (“/api/RecordingList/download?file=”), and SUCCESS!! It was possible to acces files from the server ;)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7654