FreePBX Remote Code Execution Vulnerability in API Module

Vulnerability

A remote code execution vulnerability has been identified in FreePBX version 16, within the API module. This vulnerability allows authenticated attackers with valid session credentials to execute arbitrary commands. Exploitation involves sending crafted POST requests to the 'generatedocs' endpoint, injecting malicious bash commands that can be executed on the server, potentially leading to unauthorized remote shell access.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the server where FreePBX is installed.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the 'generatedocs' endpoint of the FreePBX API module. The request must include a payload that injects a bash command into the 'scopes' parameter. This can be done with a tool such as curl or with an intercepting proxy that allows HTTP requests to be modified. The injected command will be executed on the server and, if successful, will establish a reverse shell connection to the attacker's specified IP address and port.
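The two checks a defender would want for the behaviour described above, as an added example that is not part of this advisory or of FreePBX: an allowlist validator for the 'scopes' value (the mitigation side) and a detector that runs the same validator plus a shell-metacharacter scan over POSTs to a 'generatedocs' endpoint in audit-log records. The record layout, the sample request path and the scope-token syntax are assumptions; the sample records are constructed, not real traffic.

```python
import re

# Shell metacharacters that have no place in a list of API scope names.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")
# Allowlist for one scope token (assumed syntax; FreePBX's real scope
# format is not given in the advisory).
SCOPE_TOKEN = re.compile(r"^[A-Za-z0-9_.:-]+$")

def validate_scopes(value):
    """Mitigation-side check: accept only a comma-separated list of
    allowlisted tokens. Returns the token list, or None if any token fails.
    A server should reject the request on None rather than shell out."""
    tokens = [t.strip() for t in value.split(",")]
    if any(not SCOPE_TOKEN.match(t) for t in tokens):
        return None
    return tokens

def flag_generatedocs_injection(records):
    """Detection-side check over audit-log records (dicts with src, method,
    path, params). Flags POSTs to a generatedocs endpoint whose 'scopes'
    parameter contains shell metacharacters or fails the allowlist."""
    hits = []
    for r in records:
        if r.get("method") != "POST":
            continue
        if not r.get("path", "").rstrip("/").endswith("/generatedocs"):
            continue
        scopes = r.get("params", {}).get("scopes", "")
        if not scopes:
            continue  # absent parameter is not an injection attempt
        if SHELL_META.search(scopes) or validate_scopes(scopes) is None:
            hits.append((r.get("src", "?"), scopes))
    return hits

# Constructed sample records; the endpoint path is an assumed example.
SAMPLE = [
    {"src": "10.0.0.5", "method": "POST", "path": "/admin/api/generatedocs",
     "params": {"scopes": "read,write"}},
    {"src": "10.0.0.9", "method": "POST", "path": "/admin/api/generatedocs",
     "params": {"scopes": "read; echo injected"}},
    {"src": "10.0.0.7", "method": "GET", "path": "/admin/api/generatedocs",
     "params": {"scopes": "read; echo injected"}},
]

if __name__ == "__main__":
    for src, val in flag_generatedocs_injection(SAMPLE):
        print(f"suspicious generatedocs POST from {src}: scopes={val!r}")
```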

Added: Dec 11, 2025, 10:37 PM
Updated: Dec 11, 2025, 10:37 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          7.5
exploitability  6.2
remediation     0.0
relevance       1.4
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.