AudioCodes Fax Server and Auto-Attendant IVR Appliances Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in AudioCodes Fax Server and Auto-Attendant IVR appliances, affecting versions through 2.6.23. The issue arises in the fax test functionality, specifically within the TestFax.php file. When a fax 'send' test is initiated, the application constructs a command line for the fax sender using parameters supplied by the user. This command line is then passed to a function that executes batch files without adequate validation or sanitization of the shell arguments. The executed batch file is run by a backend service with SYSTEM privileges. An authenticated attacker can exploit this vulnerability to execute arbitrary commands with elevated rights. Additionally, local low-privilege users can manipulate pending batch files in the temporary run directory to achieve the same level of access.
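
To make the pattern concrete, the following is an added example (not AudioCodes code) that contrasts the concatenation pattern the advisory describes with a hardened version that validates each parameter and avoids the batch file entirely; the parameter, function and executable names (fax_number, test_file, faxsend.exe) are assumed.

```php
<?php
// Added illustration, not AudioCodes code. Function, parameter and executable names
// (fax_number, test_file, faxsend.exe) are assumed for the example.
// VULNERABLE pattern described in the advisory: request parameters are concatenated
// into a command line that is later written to a batch file and executed by a
// privileged service. Any cmd.exe metacharacter in a parameter changes what runs.
function buildFaxTestCommandUnsafe(array $request): string
{
    return 'faxsend.exe /number:' . $request['fax_number']
         . ' /file:' . $request['test_file'];
}

// HARDENED pattern: each parameter must match a strict allowlist, and the command is
// handed to the OS as an argument array so that no shell or batch file interprets it.
function buildFaxTestCommandSafe(array $request): ?array
{
    $number = (string) ($request['fax_number'] ?? '');
    $file   = (string) ($request['test_file'] ?? '');
    // A dialable number only: optional leading +, then 3 to 20 digits.
    if (!preg_match('/^\+?[0-9]{3,20}$/', $number)) {
        return null;
    }
    // A bare file name from the fixed test directory, no path separators.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.tif$/', $file)) {
        return null;
    }
    return ['faxsend.exe', '/number:' . $number, '/file:' . $file];
}

// Runs the validated command directly. The array form of proc_open (PHP 7.4+)
// bypasses cmd.exe, so there is no pending batch file in a temp directory that a
// local low-privilege user could edit before the service picks it up. The worker
// should also run under a dedicated low-privilege account rather than SYSTEM.
function runFaxTest(array $request): bool
{
    $argv = buildFaxTestCommandSafe($request);
    if ($argv === null) {
        error_log('fax test rejected: parameter failed validation');
        return false;
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;
}
```

Rejecting on validation failure (rather than attempting to escape) is the key point: batch-file quoting rules are unreliable, so only values that match a narrow allowlist should ever reach the fax sender.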

Impact

Exploitation of this vulnerability allows for authenticated command injection, with the executed commands running under the SYSTEM account, providing elevated privileges on the affected machine.

Added: Nov 19, 2025, 5:24 PM
Updated: Nov 19, 2025, 7:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.2
remediation: 0.0
relevance: 1.1
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.