AudioCodes Fax Server and Auto-Attendant IVR Authenticated Command Injection Vulnerability
Vulnerability
A command injection vulnerability exists in AudioCodes Fax Server and Auto-Attendant IVR appliances up to and including version 2.6.23. The flaw is in the license activation flow implemented in 'ActivateLicense.php'. When a license file is uploaded, the application builds the stored filename by appending the extension of the uploaded file, which the uploader controls, to a server-generated base name. It then assembles a command line for 'fax_server_lic_cmdline.exe' that includes this path and runs it through PHP's 'exec()'. The extension is inserted into that command string without validation, escaping, or quoting. Because 'exec()' on Windows hands the string to cmd.exe, an authenticated user with access to the license upload feature can supply a filename whose extension contains shell metacharacters such as '&' or '|', causing additional commands to run with 'NT AUTHORITY\SYSTEM' privileges.
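The following PHP is an added illustration of the flaw class described above and of the corresponding fix. It is not the vendor's code: the function names, the license directory, the '/activate' switch and the set of accepted extensions are assumptions made to keep the example self-contained. It only builds the command strings and never calls 'exec()', so it can be run anywhere to compare the two results.

```php
<?php
// Added example, not AudioCodes code. Directory, switch and accepted
// extensions are assumptions; only the tool name comes from the advisory.

const LICENSE_DIR = 'C:\\FaxServer\\licenses';     // assumed location
const LIC_TOOL    = 'fax_server_lic_cmdline.exe';  // named in the advisory

// Vulnerable pattern: the user-supplied extension reaches the command line
// unvalidated and unquoted. On Windows, exec() runs the string via cmd.exe,
// so '&', '|', '^', '>' and '(' ')' inside $ext are interpreted by the shell.
function buildCommandVulnerable(string $uploadedName, string $baseName): string
{
    $ext  = pathinfo($uploadedName, PATHINFO_EXTENSION);
    $path = LICENSE_DIR . '\\' . $baseName . '.' . $ext;
    return LIC_TOOL . ' /activate ' . $path;
}

// Hardened pattern: allow-list the extension first, then quote the whole path.
function buildCommandHardened(string $uploadedName, string $baseName): string
{
    $ext = strtolower(pathinfo($uploadedName, PATHINFO_EXTENSION));

    // A license file has one of a few short, alphanumeric extensions. Anything
    // else (including anything containing metacharacters or spaces) is rejected.
    // The list itself is an assumption for this example.
    if (!in_array($ext, ['lic', 'xml', 'dat'], true)) {
        throw new InvalidArgumentException('unexpected license file extension');
    }

    // The base name is generated server-side, but checking it costs nothing
    // and protects against a later change that makes it user-influenced.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $baseName)) {
        throw new InvalidArgumentException('bad base name');
    }

    $path = LICENSE_DIR . '\\' . $baseName . '.' . $ext;

    // escapeshellarg() wraps the argument in double quotes on Windows, so
    // cmd.exe no longer treats characters inside it as operators. It is the
    // second line of defence; the allow-list above is the first.
    return LIC_TOOL . ' /activate ' . escapeshellarg($path);
}

// Constructed inputs for the demonstration.
$base    = bin2hex(random_bytes(4));        // stands in for the generated base name
$hostile = 'license.lic & echo injected';   // extension after the last dot carries '&'

// pathinfo() yields "lic & echo injected" here, so the vulnerable builder emits
// a second command after the '&'; the hardened builder rejects the upload.
echo buildCommandVulnerable($hostile, $base), PHP_EOL;
try {
    echo buildCommandHardened($hostile, $base), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// A legitimate upload still works and is quoted.
echo buildCommandHardened('license.lic', $base), PHP_EOL;
```

Two caveats worth noting. First, on Windows 'escapeshellarg()' also replaces '%', '!' and '"' with spaces, so relying on it alone can silently mangle an argument; validating the extension against a fixed set before quoting avoids that. Second, the cleanest fix is to avoid the shell entirely: from PHP 7.4 'proc_open()' accepts the command as an array of arguments, which is launched directly without cmd.exe, so no argument can be interpreted as an operator.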
Impact
Successful exploitation gives an authenticated attacker arbitrary command execution on the appliance as 'NT AUTHORITY\SYSTEM', which amounts to full compromise of the host.
