Assura Announces Discovery of Two Vulnerabilities in Quicklert for Digium Switchvox

TL;DR

Today Assura is announcing the discovery of two new vulnerabilities in Quicklert for Digium Switchvox. Late in 2021, Assura’s Offensive Security Operations team conducted a penetration test that uncovered two critical severity vulnerabilities in Quicklert for Digium Switchvox Version 10 Build 1043 resulting in two new CVEs, discussed in detail below.

The first vulnerability (CVE-2021-43969) is a blind SQL injection (SQLi) vulnerability that reveals the entirety of the Quicklert database, providing an attacker access to the rest of the web application, irrespective of the fact that portions are gated behind user authentication.

Using the blind SQLi attack specified above to bypass authentication to the web application, we then discovered an Arbitrary File Upload vulnerability (CVE-2021-43970) that resulted in remote code execution (RCE) and ultimately complete takeover of the server. 

Assura conducted responsible disclosure to Quicklert and the vulnerabilities have since been patched in Quicklert for Digium Switchvox Version 10 Build 1051.

Assura urges all Quicklert for Digium Switchvox customers to update to Version 10 Build 1051 or higher.

CVE-2021-43969 

Summary 

NameQuicklert for Digium Switchvox Version 10 Build 1043 – Blind SQL Injection with Out-of-Band Interaction (DNS)
ProductQuicklert for Digium Switchvox
Affected VersionsVersion 10 Build <1051
State Public
Release Date2022-03-01

Vulnerability

TypeSQL Injection
RuleCWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) https://cwe.mitre.org/data/definitions/89.html
RemoteYes
Authentication RequiredNo
CVSSv3 VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H
CVSSv3 Base Score10 (Critical Severity)
Exploit Available No, but manually exploitable
CVE ID(s)CVE-2021-43969 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43969

Description

The ‘uname’ parameter of the login.jsp page for “Quicklert for Digium Switchvox Version 10 Build 1043” is affected by both a blind SQL injection with out-of-band interaction and a time-based SQL injection. The exploitation of this vulnerability requires no prior authentication and results in the complete compromise of confidentiality, integrity, and availability of the underlying SQL database.

Proof-of-Concept

  1. We first escaped the value entered in the ‘uname’ parameter on the login.jsp page to inject code which called back to a DNS server under our control (Burp Collaborator in this case) utilizing the MSSQL function “master.xp_dirtree”, which lists directory contents by default. The DNS server will not be found in a local directory and will result in the server making a request to our DNS server in an attempt to find that address for the master.xp_dirtree function. Note: If you attempt to recreate this exploit, you will need to URL encode the SQL statements as seen in the screenshots below.





    Figure 1: Generic Out of Band SQL Injection with DNS Interaction to Burp Collaborator

  2. After validating that we were receiving DNS requests from the vulnerable server, it was possible to continue using the “master.xp_dirtree” function to exfiltrate data from the server including the database name, admin username, etc., by altering the above command slightly. See the example below where we retrieved the DB_NAME value by adding that additional argument:





    Figure 2: Obtain DB_NAME value via Out of Band SQL Injection with DNS Interaction to Burp CollaboratorWe can see that the DB_NAME value for Quicklert (‘NIPA’ by default) is prepended to the DNS query that we received in the Burp Collaborator tool:

    Figure 3: DB_NAME value “NIPA” Prepended to DNS Request in Burp Collaborator 

  3. We could have continued this process of retrieving data piece by piece from the database through Burp Suite but there is a limitation to the string size which can be retrieved through these types of DNS queries. This led us to utilize time-based SQL injections which use a SLEEP statement to determine when a value does or does not exist based on how long the server takes to respond to a query. This is easily automated using SQLmap.py by saving the Burp Suite request to a file and then using the following command:

    Sqlmap.py -r yourSQLirequesthere.txt -p uname –risk 3 –level 3

    Variations on that command to “dump” database table contents provided us with the usernames and passcodes of every user in the database resulting in access to the web application as a valid user.

Exploit

There is no pre-packaged exploit for this vulnerability at this time although it can be easily exploited manually as shown in the Proof-of-Concept section above.

Mitigation

Quicklert corrected the sanitization issue in the ‘uname’ parameter in Quicklert Version 10 Build 1051.

Credits

This vulnerability was discovered by Nick Berrie (https://www.linkedin.com/in/nick-berrie/), Technical Director of Assura’s Offensive Security Operations department at Assura, Inc.

References

Vendor Pagehttps://quicklert.com/
CVE Descriptionhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43969

Timeline

  • 2021-11-12: Vulnerability discovered 
  • 2021-11-12: Vendor contacted
  • 2021-11-17: CVE #s issued by MITRE
  • 2022-02-22: Vendor confirmed patch
  • 2022-03-07: Public disclosure

CVE-2021-43970 

Summary 

NameQuicklert for Digium Switchvox Version 10 Build 1043 – Arbitrary File Upload Results in Remote Code Execution
ProductQuicklert for Digium Switchvox
Affected VersionsVersion 10 Build <1051
State Public
Release Date2022-03-01

Vulnerability

TypeArbitrary File Upload
RuleCWE-434: Unrestricted Upload of File with Dangerous Type https://cwe.mitre.org/data/definitions/434.html
RemoteYes
Authentication RequiredYes
CVSSv3 VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:L/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H
CVSSv3 Base Score9.9 (Critical Severity)
Exploit Available No, but manually exploitable
CVE ID(s)CVE-2021-43970 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43970

Description

The ‘audioFile’ parameter of the /quicklert/albumimages.jsp web form in Quicklert for Digium Switchvox Version 10 Build 1043 is vulnerable to arbitrary file upload. This vulnerability allows authenticated (low privilege) attackers to upload malicious files to the server which are then executed when called by the media viewer within the web application. The exploitation of this vulnerability resulted in a complete compromise to the confidentiality, integrity, and availability of the server and served as a jump point into the victim’s DMZ. 

Proof-of-Concept

  1. After being authenticated, we first navigated to the /quicklert/album.jsp page, which allowed us to add a new media album to our test account. After creating the new album, we were then able to upload new media files via the /quicklert/albumimages.jsp web form.


    Figure 4: Quicklert Album “Test” Created


    Figure 5: Quicklert Album File Upload
  2. We then created a Java reverse shell utilizing msfvenom. This payload was saved as “reverse.mp3”
  3. We then uploaded the reverse.mp3 file via /quicklert/albumimages.jps while the interceptor functionality of Burp Suite proxy was running. This allowed us to capture the POST request and make the following modifications:
    1. We renamed the filename from “reverse.mp3” to “reverse.mp3;.jsp”. This ensures that the server recognizes the Java reverse shell as a valid JSP file while bypassing any file extension validations the web application had in place.
    2. Additionally, we added a small piece of the byte-stream from a valid mp3 file by “catting” the file and then pasting the results above the current payload in Burp Suite.

After making these modifications, we released the intercepted request to allow it to POST the payload to the server.

All of this is illustrated below.

Captured POST request before modifications:

Figure 6: File Upload POST Request Captured in Burp Suite Before Modifications

Captured request after modifications:

Figure 7: File Upload POST Request Captured in Burp Suite After Modifications

  1. After the file was posted on the server, we started a Meterpreter listener and then accessed the “reverse.mp3;.jsp” payload on the server. The server interpreted the Java file correctly and created a reverse connection back to us, ultimately resulting in a complete takeover of the server within the victim’s DMZ. 

Figure 8: “Test” album after “reverse.mp3;.jsp” is uploaded.

Figure 9: Resulting web page after clicking “reverse.mp3;.jsp” and the server attempts to open the Java Payload as an mp3 file.

Figure 10: Meterpreter reverse shell opened in Metasploit resulting in system takeover after clicking “reverse.mp3;.jsp”

Exploit

There is no pre-packaged exploit for this vulnerability at this time although it can be easily exploited manually as shown in the Proof-of-Concept section above.

Mitigation

Quicklert added file-type validation to the i.Album feature within the application to prevent uploading of potentially malicious file types.

Credits

This vulnerability was discovered by Nick Berrie (https://www.linkedin.com/in/nick-berrie/), Technical Director of Assura’s Offensive Security Operations department at Assura, Inc.

References

Vendor Pagehttps://quicklert.com/
CVE Descriptionhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43970

Timeline

  • 2021-11-12: Vulnerability discovered 
  • 2021-11-12: Vendor contacted
  • 2021-11-17: CVE #s issued by MITRE
  • 2022-02-22: Vendor confirmed patch
  • 2022-03-07: Public disclosure

Assura Recommendations

If you are a Quicklert for Digium Switchvox user, Assura recommends that your organization upgrade to the latest version as soon as possible to avoid potential exploitation. Builds prior to Version 10 Build 1051 should be considered vulnerable based on Assura’s conversations with the vendor. 

If this vulnerability disclosure, has you questioning if Assura can find similar “0-day” vulnerabilities in your environment, we’d love to talk. Feel free to drop us a line at https://assurainc.com/contact/.