Grandstream Networks UCM6200 Series SQLi (Phone Web UI)

2022-05-0500:00:00

www.tenable.com

A SQL injection vulnerability exists in Grandstream UCM6200 Series devices. An unauthenticated, remote attacker can exploit this to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(160530);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  script_cve_id("CVE-2020-5722");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/07/28");

  script_name(english:"Grandstream Networks UCM6200 Series SQLi (Phone Web UI)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is vulnerable and can be compromised");
  script_set_attribute(attribute:"description", value:
"A SQL injection vulnerability exists in Grandstream UCM6200 Series devices. An unauthenticated, remote attacker can
exploit this to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails
in versions before 1.0.20.17. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2020-15");
  script_set_attribute(attribute:"solution", value:
"Update to the fixed version as per the advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5722");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Grandstream UCM62xx IP PBX sendPasswordEmail RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/05/05");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("grandstream_www_detect.nbin");
  script_require_keys("installed_sw/Grandstream Phone");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var port = get_http_port(default:80, embedded:TRUE);
var app_info = vcf::get_app_info(app:'Grandstream Phone', port:port, webapp:TRUE);

# UCM6200 Series Models only. Empty model and paranoid still runs
if (empty_or_null(app_info.model))
{
  if (report_paranoia < 2)
    audit(AUDIT_POTENTIAL_VULN, 'Grandstream device', app_info.version);
  else
    app_info.model = UNKNOWN_VER;
}
else if (app_info.model !~ "UCM62[0-9]{2}($|[^0-9])")
  audit(AUDIT_HOST_NOT, 'an affected Grandstream device');

var constraints = [
  { 'fixed_version' : '1.0.20.17' }
];

vcf::grandstream::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{'sqli':TRUE});