AudioCodes Fax Server and Auto-Attendant IVR Insecure Service Control Scripts Local Privilege Escalation Vulnerability

Vulnerability

A local privilege escalation vulnerability has been identified in AudioCodes Fax Server and Auto-Attendant IVR appliances, all versions prior to and including 2.6.23. The issue arises from a web administration component that manages back-end Windows services via helper batch scripts. These scripts, located in the 'C:\F2MAdmin\F2E\AudioCodes_files\utils\Services' directory, are writable by any authenticated local user due to overly permissive access control lists. When certain service actions are requested through 'ajaxPost.php', the modified scripts are executed by PHP using the 'system()' function, under the NT AUTHORITY\SYSTEM account. This allows users to replace the script contents with arbitrary commands, which are then executed as SYSTEM during the next service start or stop operation, enabling elevation of local privileges.

Impact

Exploitation of this vulnerability allows authenticated local users to gain elevated privileges, executing commands with SYSTEM rights.
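As an added example (not part of this advisory or of the AudioCodes software), the following PowerShell script audits the service-script directory named above for ACEs that grant write access to principals other than SYSTEM and Administrators, and with -Fix re-applies a restrictive ACL; the BUILTIN\Users read/execute grant is an assumption about what the web component needs.

```powershell
# Added audit/hardening script; not part of the advisory or of the AudioCodes product.
# Lists ACEs letting non-SYSTEM/Administrator principals modify the scripts; -Fix hardens. Run elevated.
param(
    [string]$Path = 'C:\F2MAdmin\F2E\AudioCodes_files\utils\Services',
    [switch]$Fix
)
$fsr = [System.Security.AccessControl.FileSystemRights]
# Bits that let a user alter a script's contents or its protection; the two raw values
# are GENERIC_ALL and GENERIC_WRITE, which some ACEs carry unresolved.
$writeMask = [int]$fsr::Write -bor [int]$fsr::Delete -bor [int]$fsr::ChangePermissions -bor
             [int]$fsr::TakeOwnership -bor 0x10000000 -bor 0x40000000
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0) -and
            ($trusted -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{ Path = $item.FullName; Principal = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}
if (-not $findings) { Write-Host "No untrusted write access found under $Path"; exit 0 }
$findings | Format-Table -AutoSize
if (-not $Fix) { exit 1 }
# Directory: stop inheriting, drop every explicit ACE, then grant SYSTEM and Administrators
# full control and BUILTIN\Users read/execute only (assumed sufficient for the SYSTEM web component).
$inh  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none = [System.Security.AccessControl.PropagationFlags]::None
$acl  = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
foreach ($pair in @(@('NT AUTHORITY\SYSTEM', $fsr::FullControl),
                    @('BUILTIN\Administrators', $fsr::FullControl),
                    @('BUILTIN\Users', $fsr::ReadAndExecute))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $pair[0], $pair[1], $inh, $none, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl
# Children: remove their explicit ACEs and let them inherit the directory ACL.
foreach ($child in Get-ChildItem -LiteralPath $Path -Recurse -Force) {
    $cacl = Get-Acl -LiteralPath $child.FullName
    $cacl.SetAccessRuleProtection($false, $false)
    foreach ($r in @($cacl.Access | Where-Object { -not $_.IsInherited })) { [void]$cacl.RemoveAccessRule($r) }
    Set-Acl -LiteralPath $child.FullName -AclObject $cacl
}
```

Re-run without -Fix afterwards: an empty finding list confirms no remaining ACE lets an ordinary local user rewrite the scripts that the service actions execute as SYSTEM.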

Added: Nov 19, 2025, 5:25 PM
Updated: Nov 19, 2025, 7:39 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 3.3
remediation: 0.0
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.