Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Oastium VoIP PBX SQL Injection Authentication Bypass Leading to Remote Code Execution Vulnerability
Vulnerability
A vulnerability in Oastium VoIP PBX versions through 2.1 build 25399 allows authentication bypass via SQL injection in the logon.php script. Exploiting it gives an attacker administrative access, which in turn allows uploading arbitrary PHP code through the importcompany field in import.php. The injected payload is executed with root privileges when the application configuration is reloaded, resulting in full system compromise.
Impact
Exploitation of this vulnerability leads to remote code execution with root privileges, allowing for complete control over the affected system.
Reproduction
The vulnerability can be reproduced by exploiting the SQL injection in the logon.php script to bypass authentication. Once admin access is obtained, a PHP payload can be uploaded through the importcompany field in import.php. The uploaded payload is injected into the config.php file and runs with root privileges when the application configuration is reloaded.
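A log-hunting heuristic for the sequence described above, as an added example that is not part of the original advisory: it flags any client whose POST to logon.php is followed within five minutes by a POST to import.php. The log lines, the directory prefix and the five-minute window are constructed assumptions; only the two script names come from the advisory.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not from a real system).
# The directory prefix is a placeholder; only the script names come from the advisory.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:03:14:07 +0000] "POST /placeholder/logon.php HTTP/1.1" 302 - "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:03:14:09 +0000] "POST /placeholder/import.php HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.10 - - [12/Mar/2024:09:00:00 +0000] "POST /placeholder/logon.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:09:45:00 +0000] "GET /placeholder/import.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:00:00 +0000] "POST /placeholder/import.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def script_name(path):
    """Return the final path component, lower-cased, without the query string."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1].lower()

def find_logon_then_import(log_text, window=timedelta(minutes=5)):
    """Return (ip, logon_time, import_time) for each POST to import.php that
    follows a POST to logon.php from the same client within `window`."""
    last_logon = {}  # client IP -> time of its most recent POST to logon.php
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or a plain page view
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        name = script_name(m["path"])
        if name == "logon.php":
            last_logon[m["ip"]] = ts
        elif name == "import.php":
            logon_ts = last_logon.get(m["ip"])
            if logon_ts is not None and timedelta(0) <= ts - logon_ts <= window:
                hits.append((m["ip"], logon_ts, ts))
    return hits

if __name__ == "__main__":
    for ip, logon_ts, import_ts in find_logon_then_import(SAMPLE_LOG):
        print(f"{ip}: logon.php POST at {logon_ts}, import.php POST at {import_ts}")
```

Access logs in this format do not record POST bodies, so a hit is a lead for review rather than proof; a legitimate administrator importing data produces the same sequence.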
