Timeline

Description

A SQL Injection vulnerability was discovered in the Cisco Unified Call Manager (UCM) administrator portal. An authenticated user can utilize this vulnerability to enumerate the entire database that is used by Cisco UCM. This includes any secrets, such as password hashes.

Technical Details

The SQL Injection issue was found in several areas of the application. Below is a URL that was used to discover the first injection point. The GET parameter “whereClause” contained the SQL Injection payload:

https://<cucm_admin_portal>/ccmadmin/userGroupFindList.do?searc hLimVal3=&searchLimVal4=&whereClause=1=1 AND (select ascii(subs tring(tabname from 1 for 1)) FROM systables where tabid = 1) > 64&searchLimVal1=&searchLimVal2=&searchLimVal7=&searchLimVal8=& searchLimVal5=&search LimVal6=&rowsPerPageControl=/ccmadmin/use rGroupFindList.do?lookup=true&colCnt=4&searchLimVal0=&lookup=tr ue&rowsPerPage=50&searchLimVal9=&pageNumber=1&recCnt=37&multipl e=true

The above SQL statement can be broken down into the following:

• “1=1 AND” - establishes a true statement and forces the underlying SQL query to include the proceeding SQL statement.
• “select asci(substring(tabname from 1 for 1)) FROM systables where tabid = 1” - In Informix SQL, all table names, called “tabname”, are kept in a table called “systables” and are assigned a unique ID value, “tabid”. This portion of the SQL statement looks for the first table name, looks at the first letter of the name and converts the value to the equivalent ASCII character value.
• ”> 64” - evaluates if the ASCII character value generated from the preceding SQL statement is greater than 64.

This SQL Injection was classified as a Blind Boolean injection, with server’s response size dependent on if the injected SQL statement returns a true or false response. By going through each letter, it is possible to enumerate the underlying tables, columns and entries.

Multiple Injection Points

The above SQL Injection point was discovered and verified with the tool SQLMap, and the backend database was confirmed to be Informix. After the initial discovery, several other injection points, undetectable by SQLMap, were manually discovered.

After the initial disclosure to Cisco, their internal team also verified additional SQL Injection points throughout the application.

Custom Tool Exploitation

As stated, SQLMap could be used to discover and verify the above Informix SQL Injection point. However, SQLMap could not be used to do the following:

• Extract contents of the underlying database
• Discover or confirm any other SQL Injection point within the application

F-Secure created some scripts that can be used to fully exploit this issue. It relies on the above SQL Injection point, but the scripts can be modified to work with any other SQL Injection point.

• The scripts are available here: https://github.com/FSecureLABS/Cisco-UCM-SQLi-Scripts
• A description on how F-Secure fully exploited this issue is available here: https://labs.f-secure.com/blog/uncommon-sql-database-alert-informix-sql-injection

Remediation and Mitigation

At the time of this advisory’s posting, Cisco is working on releasing the following patches to the UCM application that will resolve this issue:

• UCM version 11.5.2SU7
• UCM version 12.5.1SU2

If upgrading UCM to the above versions is not possible, the following mitigations are recommended:

• Use UCM’s LDAP login feature to manage who can login into UCM
• Audit the current list of users who can login into UCM
• Monitor network traffic to/from the UCM application to see if this vulnerability is being exploited