VICIDIAL Blind SQL Vulnerability

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

VICIDIAL Blind SQL Vulnerability

Postby mmixx » Tue Sep 24, 2013 4:21 pm

Today, at around 4am PH time. We at GOautodial had encountered an intrusion on our server. Someone was using blind SQL injection on our website. Good thing one of our NOC noticed that our Inbound Group and DID lists were empty and was replaced with SQL queries and ASP functions (attached are screenshots of our vicidial DID list page).

http://imageshack.us/photo/my-images/547/v44z.png/
http://imageshack.us/photo/my-images/833/dkog.png/

After we renamed the vicidial folder, the SQL injection attacks stopped.

Below are the links that we found when searching for clues.
http://cxsecurity.com/issue/WLB-2012090093
http://www.exploit-db.com/exploits/8755/
http://www.securityspace.com/smysecure/ ... 1.0.900916
-=( M m i x X )=-

GoAutoDial Inc.
Empowering the Next Generation Contact Centers
http://www.goautodial.com
mmixx
 
Posts: 33
Joined: Wed Jan 21, 2009 11:36 am
Location: Manila

Re: VICIDIAL Blind SQL Vulnerability

Postby mflorell » Wed Sep 25, 2013 5:16 am

Vicidial svn/trunk eliminated these issues a while ago. This is not a problem if you are using recent svn/trunk vicidial.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: VICIDIAL Blind SQL Vulnerability

Postby DomeDan » Wed Sep 25, 2013 5:45 am

unfortunately not

domedan@host:/usr/local/src/vicidial/trunk$ svn up
Är på revision 2022.
domedan@host:/usr/local/src/vicidial/trunk$ egrep -e '\$user|\$agent' www/vicidial/AST_agent_time_sheet.php #removed a few unnecessary lines
if (isset($_GET["agent"])) {$agent=$_GET["agent"];}
elseif (isset($_POST["agent"])) {$agent=$_POST["agent"];}
$user=$agent;
$stmt="INSERT INTO vicidial_report_log set event_date=NOW(), user='$PHP_AUTH_USER', ip_address='$LOGip', report_name='$report_name', browser='$LOGbrowser', referer='$LOGhttp_referer', notes='$LOGserver_name:$LOGserver_port $LOGscript_name |$user, $query_date, $end_date, $shift, $file_download, $report_display_type|', url='$LOGfull_url';";


I guess the other vulnerabilities is still in trunk too:
http://cxsecurity.com/issue/WLB-2012090093 wrote:site.com/AST_agent_time_sheet.php?agent=some-agent' and sleep(15)='&calls_summary=1&query_date=2012-09-07
site.com/AST_timeonVDADall.php?adastats=1&DB=0&groups[]=1345' and sleep(15)='&RR=4
site.com/vicidial_demo/user_stats.php?user=2000' and sleep(10)='

XSS :

site.com/admin_search_lead.php?alt_phone_search=&DB=1&first_name=lskkuuaj&last_name=lskkuuaj&lead
_id=1&list_id=1&log_lead_id=1&log_phone=555-666-0606&phone=555-666-0606&status=1&submit=SUBMIT&a
mp;user=[XSS]&vendor_id=1
site.com/user_stats.php?user=[XSS]
--------------
HTTP Prameter plution:

site.com/./user_stats.php?user=shtuasvb&begin_date=2012-09-07&end_date=2012-09-07{HTPP}
example : /user_stats.php?user=shtuasvb&begin_date=2012-09-07&end_date=2012-09-07&hadi685=sep148

site.com/admin.php?ADD=3&user=someuser{HTPP}
example : ./admin.php?ADD=3&user=hadi&sep18=tell15


The blind sql injection on DID is interesting, where do they execute them? is it sip invites on port 5060 or is it on the web-server?
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: VICIDIAL Blind SQL Vulnerability

Postby mflorell » Wed Sep 25, 2013 6:51 am

Just to note, none of those will work unless you have a valid administrative user through HTTP authentication. And for several months the code has been in svn/trunk that prohibits brute force auth attacks.

Of course, if you have a valid admin account, you can do a lot more damage than with an SQL attack.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: VICIDIAL Blind SQL Vulnerability

Postby DomeDan » Wed Sep 25, 2013 7:05 am

True, still serious if a manager goes berserk or if the input is bad, just a comma would create a error with the query.
Or a agent could play a little bobby tables:
Image
All input should be sanitized in my opinion.

But what about the DID blind sql injection?
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: VICIDIAL Blind SQL Vulnerability

Postby mflorell » Wed Sep 25, 2013 8:17 am

Sanitizing all input in every script would take a very long time to implement, but we have taken care of the most vulnerable ones.

If your Manager goes berserk, you will have much bigger problems, since they could effectively delete everything in your system anyway.

As for DID SQL injection attacks, haven't heard of that one yet, but it shouldn't be too hard to clean the extension of quotes, spaces and semi-colons, without which SQL injection attacks are not possible. Only a few AGI scripts need to be altered to do this. I'll see if I can add that this morning.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: VICIDIAL Blind SQL Vulnerability

Postby DomeDan » Wed Sep 25, 2013 8:37 am

mmixx: dude, post your apache access_log for this!
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: VICIDIAL Blind SQL Vulnerability

Postby mflorell » Wed Sep 25, 2013 8:42 pm

Just added fixes for those documented SQL injection attack issues(which you have to be a manager to execute)

I also added some new DID SQL injection attack filters as well, those were tricky to test, but they do work.

These are now committed in svn/trunk and are tested in production with live calls.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: VICIDIAL Blind SQL Vulnerability

Postby dspaan » Fri Nov 29, 2013 4:34 am

I just came across this blog post. http://adamcaudill.com/2013/10/23/vicid ... abilities/
Is it true that vicidial hosting clients are on a newer version then the latest SVN trunk?
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: VICIDIAL Blind SQL Vulnerability

Postby DomeDan » Fri Nov 29, 2013 5:07 am

Just looked at one of the issues that Adam Caudill posted "$server_ip in agc/manager_send.php"
this is from the svn trunk:
2013-06-15 16:08 mattf Added several security changes to the agent interface,
+$session_name = preg_replace("/\'|\"|\\\\|;/","",$session_name);
+$server_ip = preg_replace("/\'|\"|\\\\|;/","",$server_ip);

So it was fixed 2013-06-15
I guess that Adam looks at the sourceforge page for the latest code, because there the last release is astguiclient_2.7rc1.zip from 2013-05-09

the sourceforge page should probably be updated,
but Adam should be aware of the svn if he is "...a software developer, security researcher & pen-tester"
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: VICIDIAL Blind SQL Vulnerability

Postby mflorell » Fri Nov 29, 2013 10:10 am

Adam is aware, I have had several email conversations with him about this, and he was very helpful. He is aware of the svn/trunk codebase, but in the security world they are focused on releases, which is why the alert was posted in that way.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: VICIDIAL Blind SQL Vulnerability

Postby williamconley » Sat Nov 30, 2013 3:07 am

Also worthy of note is that if you use a whitelist IP system (pure lockdown or managed with something like our Dynamic Good Guys), the access to these vulnerabilities is limited to those IPs which you have approved to have access to your system.

So when these are repaired for everyone ... and a hacker finds another vulnerability ... be sure you're locked down so only your friends have access. Keeping hackers out of that friend group of authorized IPs is also good. 8-)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 89 guests