Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29194
HistoryMar 19, 2013 - 12:00 a.m.

n.runs-SA-2013.003 - Polycom - H.323 CDR Database SQL Injection

2013-03-1900:00:00
vulners.com
18
JSON

n.runs AG
http://www.nruns.com/
security(at)nruns.com
n.runs-SA-2013.003
15-Mar-2013

Vendor: Polycom, http://www.polycom.com
Affected Products: Polycom HDX Series
Affected Version: < 3.1.1.2
Vulnerability: Polycom H.323 CDR Database SQL Injection
Risk: HIGH

Overview:

For every received H.323 SETUP packet the Polycom HDX system writes a call
detail record (CDR) into its internal database. This even happens when the
connection is not accepted. The CDR table is stored in a SQLite database
which can be found in the /data/polycom/cdr/new/localcdr.db file on the
HDX system.

Description:

One of the items stored in a CDR entry is the remote system name of the
H.323 video call. The system name is taken directly from the string
placed in the Display information element from the sent H.323 SETUP
packet. However no input validation is performed on the string extracted
from the packet. The SQL query string to insert a new CDR is constructed
by simple string concatenation. Since the Display information element can
contain strings with embedded single quote characters the code is
vulnerable to a simple SQL injection vulnerability.

The vulnerability can easily be demonstrated by sending a H.323 SETUP
packet with a Display information element which contains a single
quote character. The following log entries can be observed when sending
the remote system name "SQL'INJECT":

DEBUG avc: pc[0]: INSERT into CDR_Table

values('82','1347442631','1347443321',

'690','—','SQL'INJECT','','—','h323','0','','1','327','1','0','—','—
',
'term
DEBUG avc: pc[0]: Can't prepare database: near "INJECT": syntax error
DEBUG avc: pc[0]: sqlInsert: time = 1
DEBUG avc: pc[0]: NOTIFY: SYS config cdrrowid1 0 "83" rw
DEBUG avc: pc[0]: H323Conn[0]: state:"incoming" –> "disconnecting"
DEBUG avc: pc[0]: H323Call[0]: hangup, cause code 16

Impact:

An unauthenticated attacker could try to exploit this vulnerability
over the network in order to manipulate the constructed SQL query. In
the worst case such a bug could lead to remote code execution through
the injection of specific SQL statements. Only a single TCP packet
would be needed for such an attack.

Solution:

Polycom released version 3.1.1.2 of the HDX software which fixes this
issue. It can be downloaded from the Polycom Support page at
http://support.polycom.com.

Credit:
Bug found by Moritz Jodeit of n.runs AG.

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
[email protected] for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of
such damages.

Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.

JSON