CVE-2024-29185
📋 TL;DR
FreeScout versions before 1.8.128 contain an OS command injection vulnerability in the tools.php file that allows authenticated attackers with the App_Key to execute arbitrary commands on the server. This can lead to complete server compromise, including data theft and system takeover. All FreeScout deployments using vulnerable versions are affected.
💻 Affected Systems
- FreeScout
📦 What is this software?
Freescout by Freescout
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attacker to execute arbitrary commands, steal sensitive data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Server compromise leading to data exfiltration (database, files, credentials) and potential ransomware deployment.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place, though server integrity would still be compromised.
🎯 Exploit Status
Exploitation requires knowledge of the App_Key, which raises the barrier but doesn't prevent determined attackers. The advisory includes demonstration of successful exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.128
Vendor Advisory: https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-7p9x-ch4c-vqj9
Restart Required: Yes
Instructions:
1. Backup your FreeScout installation and database.
2. Update to version 1.8.128 via the built-in updater or manual installation.
3. Restart the web server (Apache/Nginx) and PHP-FPM if applicable.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict access to tools.php
Block access to the vulnerable endpoint using web server configuration or WAF rules.
# Apache: RewriteRule ^/public/tools\.php$ - [F]
# Nginx: location ~ /public/tools\.php$ { deny all; }
Rotate App_Key
Generate a new App_Key to invalidate any potentially compromised keys.
php artisan key:generate
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FreeScout servers from critical infrastructure
- Deploy a web application firewall (WAF) with command injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check if /public/tools.php exists and if the version is below 1.8.128. Review logs for suspicious access to tools.php.
Check Version:
grep -r "APP_VERSION" /path/to/freescout/config/app.php
Verify Fix Applied:
Verify version is 1.8.128 or higher and test that command injection attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /public/tools.php
- Commands like 'cat /etc/passwd', 'whoami', or 'id' in URL parameters
- Multiple failed authentication attempts followed by tools.php access
Network Indicators:
- Unusual outbound connections from FreeScout server
- Traffic patterns suggesting data exfiltration
SIEM Query:
source="web_access.log" AND (url="/public/tools.php" OR url LIKE "%/public/tools.php%") AND (param="php_path" OR param LIKE "%php_path%")
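The log indicators and SIEM query above can be turned into a small offline triage script. The following is an added example, not code from the FreeScout project or the advisory; it assumes Apache/Nginx combined log format and uses constructed sample lines that mirror the indicators listed in this section.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators taken from the advisory's detection section
TOOLS_PATH = "/public/tools.php"
SUSPICIOUS_COMMANDS = ("cat /etc/passwd", "whoami", "id")

# Combined log format (assumed layout for the constructed samples below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return the indicator names that apply to one access-log line ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(TOOLS_PATH):
        return []
    hits = ["tools.php access"]
    if m.group("method") == "POST":
        hits.append("POST to tools.php")
    if "php_path" in parse_qs(parts.query, keep_blank_values=True):
        hits.append("php_path parameter")
    decoded = unquote(parts.query).lower()
    for cmd in SUSPICIOUS_COMMANDS:
        # word-boundary match so a short token like "id" does not hit "invalid"
        if re.search(r"(?<![a-z0-9_])" + re.escape(cmd) + r"(?![a-z0-9_])", decoded):
            hits.append("command string: " + cmd)
    return hits

def scan(log_text):
    """Map 1-based line numbers to indicators for every line touching tools.php."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if hits:
            findings[n] = hits
    return findings

# Constructed sample log: benign request, a flagged POST, and a request blocked (403) by the workaround
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /public/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /public/tools.php?php_path=%2Fusr%2Fbin%2Fphp%3Bwhoami HTTP/1.1" 200 312
198.51.100.4 - - [10/Mar/2024:12:01:10 +0000] "GET /public/tools.php HTTP/1.1" 403 199
"""

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```

Feed a real access log through scan() and review every flagged line; a hit on tools.php with a 403 status confirms the blocking rule is working, while a 200 with php_path or a command string deserves incident handling.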