Oliveira Lima
Mar 2, 2018 · 2 min read

We regularly pick well-known apps to take a closer look at here in the lab. Besides the learning factor, we take joy in attacking and observing different platforms. 3CX was the target this time.

3CX is an open source, software-based IP PABX that offers complete unified communications out of the box. It provides easy, ‘plug and play’ PABX installation, management and upkeep, which has made it widely used by clients such as Pepsi, Schlumberger and American Express, amongst others. We used 3CX server version 15.5.6354.2 for Windows, and during the analysis a path traversal was identified.

Browsing through the application we found the ‘Recordings’ option:

In the ‘Downloads’ tab we have the option to download a recording; analysing the requests we can observe the following path: “/api/RecordingList/download?file=”. As a POC I was trying to access the file 3cxPhoneSystem.ini. I tried several different ways to exploit a path traversal, but without success.

Looking more closely at the application, in the ‘Location’ tab we have the path where the sound files are stored on the server:

So I thought: ‘Will the application accept it if I point this to the Windows root directory? Will I be able to see the files stored there?’

Well, the application accepted it. It did not list any files, but returning to the ‘Downloads’ tab (“/api/RecordingList/download?file=”): SUCCESS!! It was possible to access files from the server ;)
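Two controls were missing in the flow described above: the configurable recordings location was accepted without being confined to an approved root, and the ?file= parameter was then joined to it without checking the result. The following is an added, illustrative check written for this post, not 3CX code; the root directory and file names are constructed values.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed value: the only root under which an admin-configured
# recordings location is allowed to live.
RECORDINGS_ROOT = "/srv/pbx/recordings"

# A download request should name a bare file: no separators, no "." / "..",
# no drive letter.
_BAD_FILE_NAME = re.compile(r"[\\/]|^\.\.?$|^[A-Za-z]:")


def _inside(root: Path, candidate: Path) -> bool:
    """True if candidate equals root or is nested beneath it (both resolved)."""
    try:
        candidate.relative_to(root)
        return True
    except ValueError:
        return False


def storage_location_allowed(location: str, root: str = RECORDINGS_ROOT) -> bool:
    """The control the post shows missing: the 'Location' setting must stay
    under the approved root, so pointing it at a filesystem root is refused."""
    return _inside(Path(root).resolve(), Path(location).resolve())


def safe_recording_path(location: str, file_param: str,
                        root: str = RECORDINGS_ROOT) -> Optional[str]:
    """Resolve ?file= against the configured location, or return None
    when either the location or the file name must be rejected."""
    if not storage_location_allowed(location, root):
        return None
    if not file_param or _BAD_FILE_NAME.search(file_param):
        return None
    base = Path(location).resolve()
    target = (base / file_param).resolve()
    # Re-check after canonicalisation so symlinks cannot escape the base.
    if not _inside(base, target):
        return None
    return str(target)


if __name__ == "__main__":
    print(storage_location_allowed("C:\\"))                          # False
    print(safe_recording_path(RECORDINGS_ROOT, "call-001.wav"))      # accepted
    print(safe_recording_path(RECORDINGS_ROOT, "..\\3cxPhoneSystem.ini"))  # None
```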

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7654

stolabs

STO Labs

Oliveira Lima

Written by

Security researcher
