CVE-2013-4467
Published: 2014-03-11
Priority: P357 · Severity: medium · CVSS 2.0 base score: 6.5
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: available
EPSS: 32.77% (98.1th percentile)
Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vicidial | vicidial | <= 2.7 | — |
| vicidial | vicidial | — | — |
| vicidial | vicidial | — | — |
Detection & IOCs (extracted from sources)

URL IOC: /agc/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin&server_ip=%27+OR+%271%27+%3D+%271

Detection heuristics:
- Detect GET requests to /agc/manager_send.php containing an SQL injection pattern in the server_ip parameter (e.g., a single-quote OR tautology) combined with ACTION=OriginateVDRelogin and enable_sipsak_messages=1.
- Detect OS command injection in the 'extension' parameter of manager_send.php: the payload is wrapped in semicolons (;cmd;), indicating shell command injection via PHP passthru().
- Alert on authentication attempts to VICIdial using the default credentials VDCL/donotedit or VDAD/donotedit, which are used to access the vulnerable injection point.
- Monitor POST requests to /agc/astguiclient.php with login parameters (user, pass, phone_login, phone_pass); the exploit uses them to create a valid session when none exists.
- Flag GET requests to /agc/manager_send.php that include both the enable_sipsak_messages=1 and allow_sipsak_messages=1 query parameters, which the exploit requires to reach the vulnerable code path.

Notes:
- A valid authenticated session is required to reach the command injection point in manager_send.php; however, the SQL injection in the server_ip parameter can be used to bypass the session check, making pre-auth exploitation feasible as long as at least one session has ever been created.
- If no valid session exists in the database, the attacker must supply astGUIclient credentials to create one before exploitation; the Metasploit module uses the default astGUIclient credentials (6666/1234).
- The exploit payload is delivered via a GET request; Apache's GET limit (~8000 bytes) constrains payload size, which may affect large shellcode but is generally sufficient for command payloads.
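The following is an added example, not code from this record or from any of the sources it cites: a small Python detector that applies the request-level heuristics above to Apache combined-format access-log lines. The log lines are constructed for the example (the second one reuses the URL IOC listed above); the alert names, the regular expressions and the log format are assumptions made here. It only covers what an access log can show, so the login-parameter and default-credential heuristics, which need POST bodies or the application's own log, are left out.

```python
"""Detect the manager_send.php request patterns described above in
Apache combined-format access logs (added example; log lines constructed)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format, reduced to the fields this check needs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Single-quote OR tautology such as  ' OR '1' = '1  (matched after URL decoding).
TAUTOLOGY_RE = re.compile(r"'\s*OR\s*'?\s*\w+\s*'?\s*=\s*'?\s*\w+", re.IGNORECASE)

# Value wrapped in semicolons, the ;cmd; shape named in the heuristics above.
SEMICOLON_WRAP_RE = re.compile(r"^\s*;.*;\s*$", re.DOTALL)

# Constructed sample lines (not real traffic). 198.51.100.0/24 is documentation space.
LOG_LINES = [
    # benign: relogin action with an ordinary server_ip and no sipsak flags
    '10.0.0.5 - - [11/Mar/2014:10:00:01 +0000] "GET /agc/manager_send.php'
    '?ACTION=OriginateVDRelogin&server_ip=10.0.0.20 HTTP/1.1" 200 512',
    # the URL IOC from the record: tautology in server_ip plus relogin action
    '198.51.100.7 - - [11/Mar/2014:10:00:02 +0000] "GET /agc/manager_send.php'
    "?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip"
    '&ACTION=OriginateVDRelogin&server_ip=%27+OR+%271%27+%3D+%271 HTTP/1.1" 200 2048',
    # semicolon-wrapped extension value (placeholder ;cmd; as in the heuristic)
    '198.51.100.7 - - [11/Mar/2014:10:00:03 +0000] "GET /agc/manager_send.php'
    "?ACTION=OriginateVDRelogin&enable_sipsak_messages=1&allow_sipsak_messages=1"
    '&extension=%3Bcmd%3B HTTP/1.1" 200 4096',
]


def query_params(target):
    """Decode the query string of a request target into {name: first value}."""
    parsed = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def classify(line):
    """Return the alert names raised by one access-log line (empty list if none)."""
    match = LOG_RE.match(line)
    if not match:
        return []  # not a line we understand; a real pipeline would count these
    target = match.group("target")
    if not urlsplit(target).path.lower().endswith("/agc/manager_send.php"):
        return []
    params = query_params(target)
    alerts = []

    server_ip = params.get("server_ip", "")
    sqli = "'" in server_ip and TAUTOLOGY_RE.search(server_ip) is not None
    if sqli:
        alerts.append("sqli_server_ip")
    # Heuristic 1: tautology combined with the relogin action and the enable flag.
    if (sqli and params.get("ACTION") == "OriginateVDRelogin"
            and params.get("enable_sipsak_messages") == "1"):
        alerts.append("relogin_sqli_chain")
    # Heuristic 2: extension value wrapped in semicolons.
    if SEMICOLON_WRAP_RE.match(params.get("extension", "")):
        alerts.append("cmdi_extension")
    # Heuristic 5: both sipsak flags set on the same request.
    if (params.get("enable_sipsak_messages") == "1"
            and params.get("allow_sipsak_messages") == "1"):
        alerts.append("sipsak_flags")
    return alerts


def scan(lines):
    """Map (client ip, timestamp) -> alerts for every line that raised any."""
    findings = {}
    for line in lines:
        alerts = classify(line)
        if alerts:
            m = LOG_RE.match(line)
            findings[(m.group("ip"), m.group("ts"))] = alerts
    return findings


if __name__ == "__main__":
    for key, alerts in scan(LOG_LINES).items():
        print(key, ", ".join(alerts))
```

The check runs on decoded parameter values, so URL-encoding variants of the same tautology are caught, while a legitimate OriginateVDRelogin request with a plain IP address raises nothing. The sipsak-flag rule fires on its own because the heuristics list it as a required precondition; treat it as a low-severity indicator unless it co-occurs with one of the others.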
No detection rules found.
Exploit-DB
VICIdial Manager - Send OS Command Injection (Metasploit) · exploitdb · 2013-11-08 · CVE-2013-7382
---
Module header as indexed by Exploit-DB; the page truncates it after the description, so the class skeleton is closed here with a comment marking where the remaining metadata and the exploit method are cut off.

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'VICIdial Manager Send OS Command Injection',
      'Description' => %q{
        The file agc/manager_send.php in the VICIdial web application uses
        unsanitized user input as part of a command that is executed using the PHP
        passthru() function. A valid username, password and session are needed to access
        the injection point. Fortunately, VICIdial has two built-in accounts with default
        passwords and the manager_send.php file has a SQL injection vulnerability that can
        be used to bypass the session check as long as at least one session has been
        created at some point in time.
      }
      # Remaining module metadata and the exploit method are truncated on this page.
    ))
  end
end
```
Metasploit
VICIdial Manager Send OS Command Injection
The file agc/manager_send.php in the VICIdial web application uses unsanitized user input as part of a command that is executed using the PHP passthru() function. A valid username, password and session are needed to access the injection point. Fortunately, VICIdial has two built-in accounts with default passwords and the manager_send.php file has a SQL injection vulnerability that can be used to bypass the session check as long as at least one session has been created at some point in time. In case there isn't any valid session, the user can provide astGUIclient credentials in order to create one. The results of the injected commands are returned as part of the response from the web server. Affected versions include 2.7RC1, 2.7, and 2.8-403a. Othe
No writeups or analysis indexed.
References:
- http://osvdb.org/98903
- http://seclists.org/oss-sec/2013/q4/171
- http://seclists.org/oss-sec/2013/q4/175
- http://secunia.com/advisories/55453
- http://www.exploit-db.com/exploits/29513
- http://www.securityfocus.com/bid/63340
- https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb