
Grandstream UCM62xx IP PBX Websocket Blind SQL Injection Credential Dump #16087

Merged
merged 12 commits into from
Feb 15, 2022

Conversation

@jbaines-r7 jbaines-r7 commented Jan 22, 2022

Description

This module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx IP PBX to dump the users table. As mentioned in my previous UCM62xx pull, there are a number of internet-facing PBXs still affected by this issue, and presumably internal-only systems are even less likely to be patched.

The injection occurs over a websocket at the websockify URI. This is sort of neat from a module-writing point of view since there are few (no?) examples of a stand-alone exploit/scanner using the websocket API (this statement could be wrong, but it looks right). That also increases the odds that I did it The Wrong Way™, but I'm sure y'all will put me on the right path if so. The injection can occur when the user requests a challenge (as part of a challenge-and-response authentication scheme). The injection is blind, but the server response contains a different status code if the query was successful. As such, the attack can guess the contents of the user database. Most helpfully, the passwords are stored in cleartext within the user table (CVE-2020-5723).

This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.

Final thought: I put this in auxiliary/scanner. I'm not sure that was correct. 🤷

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/http/grandstream_ucm62xx_sql_account_guess
  • set RHOST <ip>
  • run
  • Verify credentials are discovered

PCAP || GTFO

The default settings have the web interface on 8089 using SSL. However, for the attached pcap I disabled SSL and dropped down to port 8080.

ucm62xx_websocket_blind_users_dump.zip

Video || GTFO

https://www.youtube.com/watch?v=1_k36LMoUoU

@gwillcox-r7

Final thought: I put this in auxiliary/scanner. I'm not sure that was correct. <- Looks correct to me, as this isn't gaining a shell and is instead just gathering valid usernames and passwords. If it was using that to gain a shell then I'd consider placing that in the exploit module category.

@jmartin-tech

Given this is an SQLite database, consider using the library for injections; see: #13847

# do a version check so the attacker doesn't waste their time
if !check_version
  print_error('The reported version is not vulnerable')
  return
end

Suggested change
return


On second inspection, it looks like this should be returning using return; otherwise we will attempt to exploit a target that we know isn't vulnerable.

@jmartin-tech jmartin-tech Feb 14, 2022


After the refactor this is now called vulnerable_version?; should that be check and return CheckCode values? Then it might be possible to use AutoCheck.

jbaines-r7 (Contributor Author):

Scanners don't use check, right?


Sorry, I had missed the comment about whether scanner was the right place for this. I would suggest, based on the functionality, that this is more of an auxiliary/gather module, as it does not really scan for things.
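The version gate discussed in this review thread (and the 1.20.22 fix version stated in the description) as an added, stand-alone example; this is not the module's code. FIXED_VERSION, vulnerable_version?, check_code and the symbol verdicts are assumptions standing in for the module's own helper and for Msf::Exploit::CheckCode, and the comparison is numeric per component, which is the pitfall a plain string compare gets wrong.

```ruby
# Added example (not the Metasploit module's code): classify a reported
# Grandstream UCM62xx firmware version against the 1.20.22 fix for
# CVE-2020-5724 given in the PR description. Malformed input yields an
# "unknown" verdict instead of a guess, which is what a check method that
# feeds AutoCheck should do.

FIXED_VERSION = '1.20.22'.freeze  # fix version as stated on the page

# Parse "a.b.c" into integers; nil when the string is not dotted numerics.
def parse_version(str)
  return nil unless str.is_a?(String) && str.match?(/\A\d+(\.\d+)*\z/)
  str.split('.').map(&:to_i)
end

# Component-wise numeric compare, padding the shorter array with zeros,
# so "1.20.3" < "1.20.22" (a lexicographic string compare says otherwise).
def compare_versions(a, b)
  len = [a.length, b.length].max
  (a + [0] * (len - a.length)) <=> (b + [0] * (len - b.length))
end

# true  -> reported version predates the fix
# false -> reported version is the fix or later
# nil   -> version string could not be parsed
def vulnerable_version?(reported)
  parsed = parse_version(reported)
  return nil if parsed.nil?
  compare_versions(parsed, parse_version(FIXED_VERSION)) < 0
end

# Map the result to CheckCode-style verdicts (constructed symbols standing
# in for Msf::Exploit::CheckCode::Appears / Safe / Unknown).
def check_code(reported)
  case vulnerable_version?(reported)
  when true then :appears
  when false then :safe
  else :unknown
  end
end

if __FILE__ == $PROGRAM_NAME
  ['1.20.21', '1.20.22', '1.20.3', '1.20.22.1', 'n/a'].each do |v|
    puts "#{v.ljust(10)} -> #{check_code(v)}"
  end
end
```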

@jbaines-r7

Following @jmartin-r7's advice, I updated the module to use the sqli mixin, which reduced/simplified the code quite nicely. I've updated the documentation to show the new output.

@gwillcox-r7

@jbaines-r7 Sorry for the delay on this whilst I was working on research, will get this reviewed today!

@gwillcox-r7 gwillcox-r7 left a comment


Overall looks good, but I do have some minor edits and some concerns re: error handling around the WebSocket connections that should be addressed before we land this.

@gwillcox-r7

Going to go ahead and fix all the minor issues so long; will leave the WebSocket issue open though, as that's a deeper issue to address.

@jbaines-r7

As per requests I made the following changes:

  • Moved the module to gather
  • Implemented Autocheck
  • Surrounded websocket logic with a rescue that cleanly terminates the module upon websocket failure.
  • Generated a new pcap.

sqli_dump.zip

@gwillcox-r7

For any future travelers, to decode WebSocket traffic in Wireshark, use the Unmasked data tab at the bottom left of your screen after clicking on a particular packet (should look like WebSocket Text [FIN] [MASKED] in the Info pane) to see the plaintext.

Looking at the PCAP, I was able to see the initial check using TCP stream 0, and then packets 800 and 801 show the successful and unsuccessful SQL injection attempts, showing how it would be possible to blind SQLi and retrieve info.

LGTM, will land this now.

@gwillcox-r7 gwillcox-r7 merged commit e203548 into rapid7:master Feb 15, 2022
@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 15, 2022
@gwillcox-r7

Release Notes

A new module has been added which exploits CVE-2020-5724, a blind SQL injection in Grandstream UCM62xx IP PBX devices prior to firmware version 1.20.22, to dump usernames and passwords from the users table as an unauthenticated attacker. Successfully gathered credentials will be stored in Metasploit's credential database for use in further attacks.
