Cisco UCM Authenticated Informix SQL Injection
CVE-2019-15972
Description
A SQL Injection vulnerability was discovered in the Cisco Unified Call Manager (UCM) administrator portal. An authenticated user can utilize this vulnerability to enumerate the entire database that is used by Cisco UCM. This includes any secrets, such as password hashes.
Technical Details
The SQL Injection issue was found in several areas of the application. Below is a URL that was used to discover the first injection point. The GET parameter "whereClause" contained the SQL Injection payload:
https://<cucm_admin_portal>/ccmadmin/userGroupFindList.do?searchLimVal3=&searchLimVal4=&whereClause=1=1 AND (select ascii(substring(tabname from 1 for 1)) FROM systables where tabid = 1) > 64&searchLimVal1=&searchLimVal2=&searchLimVal7=&searchLimVal8=&searchLimVal5=&searchLimVal6=&rowsPerPageControl=/ccmadmin/userGroupFindList.do?lookup=true&colCnt=4&searchLimVal0=&lookup=true&rowsPerPage=50&searchLimVal9=&pageNumber=1&recCnt=37&multiple=true
The above SQL statement can be broken down into the following:
- "1=1 AND" - establishes a true condition and forces the underlying SQL query to evaluate the SQL statement that follows it.
- "select ascii(substring(tabname from 1 for 1)) FROM systables where tabid = 1" - In Informix SQL, all table names ("tabname") are kept in a system table called "systables", where each table is assigned a unique ID value ("tabid"). This portion of the statement selects the first table name, takes the first letter of that name and converts it to its ASCII code.
- "> 64" - evaluates whether the ASCII code produced by the preceding SQL statement is greater than 64.
This SQL Injection was classified as a Blind Boolean injection: the size of the server's response depends on whether the injected SQL statement evaluates to true or false. By testing each character position in turn, it is possible to enumerate the underlying tables, columns and entries.
Multiple Injection Points
The above SQL Injection point was discovered and verified with the tool SQLMap, and the backend database was confirmed to be Informix. After the initial discovery, several other injection points, undetectable by SQLMap, were manually discovered.
After the initial disclosure to Cisco, their internal team also verified additional SQL Injection points throughout the application.
Custom Tool Exploitation
As stated, SQLMap could be used to discover and verify the above Informix SQL Injection point. However, SQLMap could not be used to do the following:
- Extract contents of the underlying database
- Discover or confirm any other SQL Injection point within the application
F-Secure created some scripts that can be used to fully exploit this issue. They rely on the above SQL Injection point, but can be modified to work with any other SQL Injection point.
- The scripts are available here: https://github.com/FSecureLABS/Cisco-UCM-SQLi-Scripts
- A description on how F-Secure fully exploited this issue is available here: https://labs.f-secure.com/blog/uncommon-sql-database-alert-informix-sql-injection
Remediation and Mitigation
At the time of this advisory's posting, Cisco is working on releasing the following patches to the UCM application that will resolve this issue:
- UCM version 11.5.2SU7
- UCM version 12.5.1SU2
If upgrading UCM to the above versions is not possible, the following mitigations are recommended:
- Use UCM's LDAP login feature to manage who can log in to UCM
- Audit the current list of users who can log in to UCM
- Monitor network traffic to/from the UCM application to see if this vulnerability is being exploited
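The last mitigation above recommends monitoring traffic to the UCM application. The following Python script is an added example and is not part of this advisory, of Cisco's software, or of the F-Secure scripts linked above. It shows one way to do that monitoring from web-server access logs: it URL-decodes every query parameter of each request, flags values that carry the indicators visible in the payload described in the Technical Details section (an embedded SELECT ... FROM, "ascii(substring(" character extraction, and the Informix "systables"/"syscolumns" catalogue tables), and then looks for the signature of a boolean-blind extraction run: one client sending many flagged requests to one endpoint with different parameter values while the server answers with exactly two distinct response sizes. The combined-format log layout, the client addresses, timestamps and response sizes are all constructed for this example; adapt the regular expression to the log source actually in use.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, urlencode

# Apache/NGINX "combined"-style access-log line (assumed layout; adjust to
# the format of the web server in front of the UCM admin portal).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators taken from the shape of the payload shown in the advisory.
# Each one is matched, case-insensitively, against the URL-decoded value of
# every query parameter (not only whereClause, since the advisory notes
# several other injection points in the application).
SQL_INDICATORS = {
    "embedded SELECT ... FROM": re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S),
    "ascii(substring(...)) char extraction": re.compile(r"\bascii\s*\(\s*substring\s*\(", re.I),
    "Informix system catalogue table": re.compile(r"\bsys(tables|columns)\b", re.I),
}


def parse_log_line(line):
    """Parse one access-log line; return a dict or None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "client": m.group("client"),
        "path": parts.path,
        # parse_qsl decodes %xx escapes and '+', so indicators are checked on plain text
        "params": parse_qsl(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
        "size": int(m.group("size")) if m.group("size") != "-" else 0,
    }


def sql_indicators(params):
    """Return [(param_name, indicator_label), ...] for every parameter value that matches."""
    hits = []
    for name, value in params:
        for label, rx in SQL_INDICATORS.items():
            if rx.search(value):
                hits.append((name, label))
    return hits


def detect(lines, enumeration_threshold=20):
    """Run both checks over an iterable of log lines.

    Returns (per_request_alerts, enumeration_alerts):
      per_request_alerts - (client, path, hits) for each request carrying SQL indicators
      enumeration_alerts - (client, path, param) where one client sent at least
                           `enumeration_threshold` flagged requests with distinct
                           values of the same parameter and the server replied with
                           exactly two distinct response sizes, i.e. the true/false
                           size difference a boolean-blind extraction relies on.
    """
    per_request = []
    runs = defaultdict(lambda: {"values": set(), "sizes": set()})
    for line in lines:
        req = parse_log_line(line)
        if req is None:
            continue
        hits = sql_indicators(req["params"])
        if not hits:
            continue
        per_request.append((req["client"], req["path"], hits))
        values = dict(req["params"])
        for name, _label in hits:
            key = (req["client"], req["path"], name)
            runs[key]["values"].add(values[name])
            runs[key]["sizes"].add(req["size"])
    enumeration = [
        key for key, r in runs.items()
        if len(r["values"]) >= enumeration_threshold and len(r["sizes"]) == 2
    ]
    return per_request, enumeration


def sample_lines():
    """Constructed log lines: one benign request, a run of 24 probes modelled on the
    advisory's payload (only the comparison value changes), and one unparseable line."""
    base = "/ccmadmin/userGroupFindList.do"
    lines = ['10.0.0.9 - - [01/Oct/2019:10:14:01 +0000] "GET %s?%s HTTP/1.1" 200 4821'
             % (base, urlencode({"whereClause": "", "rowsPerPage": "50"}))]
    for i in range(24):
        probe = ("1=1 AND (select ascii(substring(tabname from 1 for 1)) "
                 "FROM systables where tabid = 1) > %d" % (64 + i))
        query = urlencode({"whereClause": probe, "rowsPerPage": "50"})
        size = 4821 if i % 2 else 3102   # two response sizes: true vs false branch
        lines.append('10.0.0.5 - admin [01/Oct/2019:10:15:%02d +0000] "GET %s?%s HTTP/1.1" 200 %d'
                     % (i, base, query, size))
    lines.append("not an access-log entry")
    return lines


if __name__ == "__main__":
    requests, runs = detect(sample_lines())
    print("%d requests with SQL indicators" % len(requests))
    for client, path, param in runs:
        print("possible boolean-blind enumeration: %s -> %s (%s)" % (client, path, param))
```

Feed the script the access log of the web server fronting the administrator portal (for example by piping lines into `detect`); the per-request alerts are worth reviewing individually, while an enumeration alert for an authenticated account is a strong signal that the account should be audited, in line with the first two mitigations.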