Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2013-10002

A vulnerability was found in Telecommunication Software SAMwin Contact Center Suite 5.1. It has been rated as critical. Affected by this issue is the function getCurrentDBVersion in the library SAMwinLIBVB.dll of the credential handler. Authentication is possible with hard-coded credentials. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.

CVE
#sql#vulnerability#git#hard_coded_credentials#auth

-----------------------------------------------------------------v1.1- modzero Security Advisory: SAMwin Contact Center Suite - Architectural issues lead to database compromise [MZ-13-06] --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Timeline --------------------------------------------------------------------- * 2014-03-13: Advisory will be published. * 2013-09-24: Vendor responded. * 2013-09-20: Vendor has been contacted. --------------------------------------------------------------------- 2. Summary --------------------------------------------------------------------- Vendor: Telecommunication Software GmbH Products known to be affected: SAMwin Contact Center Suite 5.1, the SAMwin Agent login mask shows version 5.01.19.06 Severity: High Remote exploitable: Yes The SAMwin Call Center Suite is a SIP-based call center solution, which assists users with various features like call forwarding, skill based routing, a realtime wallboard, reporting and supervisor monitoring. The environment consists of at least one SAMwin Contact Center Suite Server (SAMwin Server) component, a SQL database server and the SAMwin Contact Center Suite Agent (SAMwin Agent). The SAMwin Agent is installed on the call center employee’s desktop computer and provides a configured set of features, based on a role and permission concept configured by the supervisor or an administrator. The SAMwin Server’s core function is SIP-based call handling and routing. The database server acts as datastore and is directly accessed by the SAMwin Server and Agent. The architecture does not use any middleware, which could verify or sanitize communication between the SAMwin Agents and the database. The SAMwinAgent is designed to use hard coded database authentication credentials to connect to the SAMwin database server during startup, prior to any other user authentication. The password is defined and hard coded by the vendor. Therefore, all installations on any customer-site use the same database credentials. No input sanitizing is conducted and no prepared statements are used and, thus, arbitrary SQL command execution is possible via the username field of the login mask. However, an attacker might simply connect directly to the database using the credentials he extracted from the SAMwin binaries. As all the information regarding user-accounts, call routing and interconnection details of the infrastructure is stored in the database, an attacker can gain full control over the SAMwin software that handles calls. Depending on the database configuration hardening, an attacker might be able to gain access to the database server’s operating system as well, to read, write and execute arbitrary files on the filesystem. --------------------------------------------------------------------- 3. Details --------------------------------------------------------------------- The SAMwin Agent is designed to use hard coded database authentication credentials to connect to the SQL database server during startup, prior to any other authentication. To logon to the SAMwin Agent application, the user enters his access credentials into the corresponding fields in the login mask. When a user enters his SAMwin account information into the login screen, SQL queries are sent directly to the database server using hard coded credentials verifying the given username and password against credentials stored in the database. The database credentials can be extracted from the SAMwin Agent by analyzing the SAMwinLIBVB.dll shared library that is usually located under C:\Program Files\contact center suite 5.1\Bin\. The file is available to everyone with access to the SAMwin Agent software. The database connection is initiated a method called getCurrentDBVersion(), which calls generateTransactSql() to obtain the password for the database connection: new SqlConnection( "Data Source=%%SERVER%%; Initial\ Catalog=%%DATABASE%%; UId=%%USER%%; Pwd=%%PWD%%;Pooling=False"\ .Replace("%%USER%%", “SAMwin”).Replace("%%PWD%%",\ Database.generateTransactSql()).Replace("%%SERVER%%", host)\ .Replace("%%DATABASE%%", dbName) ); The function generateTransactSql() de-obfuscates the hard coded database password and returns its cleartext representation. The username SAMwin and the de-obfuscated 36 characters long password can be used by an attacker to connect to the SQL database with any SQL client to get access to its data. Due to the absence of any middleware sanitizing and verifying input data send by the SAMwin Agent, arbitrary SQL commands can be executed from the username field of the SAMwin Agent login mask. When a SAMwin Agent user logs in, the username and password will be compared against values that are stored in the database. By terminating the username with a single quote character, any person with access to the SAMwin Agent login form can execute malicious SQL statements. For example, the following string can be used as username to verify the SQL command execution on the SQL server. USERNAME’ AND 1=1; WAITFOR DELAY ‘0:0:3’-- The example above can be used for a blind SQL injection, as the database will delay execution for 3 seconds; the timing in this case is a side-channel to proof the problem of blind injections into SQL statements. As the credentials required for a direct database access are available to anyone with access to the SAMwin Agent, the SQL injection is not required to be abused by an attacker as he simply could connect the database directly using any arbitrary SQL client. Direct access to the database is required based on the given architecture. Otherwise, the legit SAMWin Agent could not operate. It is recommended to use a middleware application between client and backend systems for being able to perform authentication and input validation, before data is passed to a database. No client software should be allowed to connect to any database system directly using hard coded credentials. --------------------------------------------------------------------- 4. Impact --------------------------------------------------------------------- Because credentials are hard coded and equal for all installations, an attacker reveals them once and is able to exploit multiple installations. Conceptually, these database credential results in read and write access to the database. Thus, an attacker knowing these credentials and with direct access to the database is able to modify the database content. An SQL injection vulnerability within the application leads to a full compromise, too, as all the SQL statements will be executed using the same database account with read and write permissions. As the content of the database holds all the information regarding the users, the call routing and interconnection details of the surrounding infrastructure, a successful attacker gains full control over the call center, its calls and probably data of other systems. --------------------------------------------------------------------- 5. Workaround --------------------------------------------------------------------- No known workaround to fix the architecture design is available yet. Network access to the SAMwin database server should be restricted to prevent access from untrustworthy networks and clients. --------------------------------------------------------------------- 6. Fix --------------------------------------------------------------------- According to the vendor, users of this software should upgrade to version 6.2, which should be available in Q4 2013. The vendor will not provide any fixes for previous versions. --------------------------------------------------------------------- 7. Credits --------------------------------------------------------------------- * Tobias Ospelt ([email protected]) * Max Moser ([email protected]) --------------------------------------------------------------------- 8. About modzero --------------------------------------------------------------------- The independent Swiss company modzero AG assists clients with security analysis in the complex areas of computer technology. The focus lies on highly detailed technical analysis of concepts, software and hardware components as well as the development of individual solutions. Colleagues at modzero AG work exclusively in practical, highly technical computer-security areas and can draw on decades of experience in various platforms, system concepts, and designs. http://modzero.ch [email protected] --------------------------------------------------------------------- 9. Disclaimer --------------------------------------------------------------------- The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907