Re: VICIDIAL 2.7 - SQL Injection, Command Injection

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/23/2013 12:52 AM, Adam Caudill wrote:
> Requestor: Adam Caudill, adam () adamcaudill com
> <mailto:adam () adamcaudill com> Software: VICIDIAL
> (http://www.vicidial.org/vicidial.php) Vendor: The Vicidial Group
> (http://www.vicidial.com/) Vulnerability Type: Authenticated SQL
> Injection, Authenticated Command Injection
>
> Source Code:
> http://sourceforge.net/projects/astguiclient/files/astguiclient_2.7rc1.zip/download
Flaws exist in /www/agc/manager_send.php
> SQL Injection: Line 285 Command Injection: Line 429
>
> Affected Versions: 2.7RC1, 2.7, 2.8-403a (others likely)
>
> Current released version is vulnerable; vendor confirmed issue on
> 6/3, set timeline for mid-July release, has delayed continually.
> Vendor has deployed fixes to users of their hosted service, still
> no updates or advisory for OSS users.
>
> Affected lines of code:
>
> manager_send.php:285 $stmt="SELECT count(*) from
> web_client_sessions where session_name='$session_name' and
> server_ip='$server_ip';";

Please use CVE-2013-4467 for the SQL injection

> manager_send.php:429 passthru("/usr/local/bin/sipsak -M -O desktop
> -B \"$SIPSAK_prefix$campaign\" -r 5060 -s sip:$extension@$phone_ip
> > /dev/null");


Please use CVE-2013-4468 for the command injection

> In both of these cases, parameters are passed through without
> validation or escaping.
>
> During setup, two accounts with hard-coded passwords are created
> (VDAD, VDCL), these can be used to bypass the authentication check,
> allowing access to where the SQL Injection vulnerability is, which
> can be used to bypass an additional check, thus giving access to
> the Command Injection vulnerability. The output from shell commands
> are returned in the server response.
>
> There are MANY other issues of various types in this software, but
> I am not documenting them.

Security vulns rarely come alone or just in pairs, usually they travel
in packs :P.

> -- Adam Caudill adam () adamcaudill com <mailto:adam () adamcaudill com> 
> http://adamcaudill.com/


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSabrmAAoJEBYNRVNeJnmToo8P/286FkhTdcRYLv7rBd35v/Kr
dyH8/BCWDB2OIBdT1wHyuKk7aB15HuxYLb2rPfuqe2c1PlX2o6ebIDu0CsuukBEl
E4G8kUU7eXlsBeF+HHQGyExiz76GtlNn8SRedSQ72Z9D9tnMfqXFDIgM8oZaJvks
mmfy0ldqsvRirT8C0IqjPXuMU8AFOrA2dYTU2A7eUclHmIT+DqJWPgbsA1lorUha
jXKP35IsHN5NjGpJToKOHxxn1aAWTZj5XOIcRuF8yni8EMxxV0ytmubmNAlxmHKz
Ek+PpFejWGrpFGn4yaurcq0MDip3RYdzYKRzr1/N7i1agM33y17UpedSq7WhpEm0
GkCWCectaHCBCAJEkidu144ZSm9t3OEzvTsLoY76RNFepN+8UoZMMpiLcEm3UX2w
nCwiVpamoCMn5ou5KuEhwGrFk7XXfn4b5GPbMXPSbh0B8ZC3v8eDlWiinj3Cv6F3
kbF9l4NT9W0dz3h7Kkd3iqKPrv+pDJ58l/5QaFIgOPmGIKR6qENiRtp0kKSf25L6
lgYp+R1L3lRvDzjZFLOIOX5TrHJi+8UMIaYwwMqyVpA/fddzSnbVaVhleNC0TpeB
jqTGY881xQ7CdLpKXB6MEYPJ6nPRMJoulvmRtR8wWRTQQ44Z1ar1NfuFQcAE7+J0
dnEfFt009+5pk4InyM+6
=BxGQ
-----END PGP SIGNATURE-----