CVE-2013-4468
published 2014-05-14


Priority: P3 (57) · Severity: medium · CVSS 2.0 base score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploit: public exploit indicated
EPSS: 31.76% (98.1st percentile)
VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php.

Affected (2 ranges)

Vendor     Product    Version range   Fixed in
vicidial   vicidial   <= 2.8          -
vicidial   vicidial   -               -

Detection & IOCs (extracted from sources)

path:    /agc/manager_send.php
path:    /agc/astguiclient.php
url:     /agc/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin
other:   server_ip=' OR '1' = '1
command: extension=;<cmd>;
  • Look for GET requests to /agc/manager_send.php with ACTION=OriginateVDRelogin and shell metacharacters (semicolons) in the 'extension' parameter, indicating OS command injection attempts.
  • Detect SQL injection bypass in the 'server_ip' parameter of manager_send.php requests: look for payloads matching `' OR '1' = '1` used to bypass session validation.
  • Alert on use of default VICIdial credentials VDCL/donotedit or VDAD/donotedit in authentication requests, which are leveraged to reach the injection point.
  • Monitor POST requests to /agc/astguiclient.php with default astGUIclient credentials (user=6666, pass=1234, phone_login=6666, phone_pass=1234) used to create a web_client_sessions entry as a precursor to exploitation.
  • Flag requests to manager_send.php that include both enable_sipsak_messages=1 and allow_sipsak_messages=1 query parameters, which are required to reach the vulnerable code path.
  • The SQL injection against the 'server_ip' parameter (CVE-2013-4467) is used as a prerequisite to bypass the session check; at least one session must have been created at some point for this bypass to work.
  • Affected versions are explicitly 2.7RC1, 2.7, and 2.8-403a, but other versions are noted as likely affected as well.
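The detection points above, expressed as a small access-log scanner. This is an added example, not part of this record or of VICIdial: it tags manager_send.php requests that combine ACTION=OriginateVDRelogin with shell metacharacters in 'extension', that carry the server_ip session-bypass payload, or that set both sipsak query flags. The Common Log Format lines, IP addresses and tag names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format) for illustration; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2014:10:01:02 +0000] "GET /agc/manager_send.php?ACTION=Hangup&extension=8600051&server_ip=10.0.0.9 HTTP/1.1" 200 512
10.0.0.7 - - [14/May/2014:10:01:09 +0000] "GET /agc/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin&extension=%3Bcmd%3B&server_ip=%27+OR+%271%27+%3D+%271 HTTP/1.1" 200 77
10.0.0.8 - - [14/May/2014:10:02:30 +0000] "GET /agc/vicidial.php?phone_login=101 HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Session-bypass payload noted for the server_ip parameter (CVE-2013-4467), tolerant of case and spacing.
SQLI_RE = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)
# The record names semicolons; the other common shell metacharacters are included as a generalization.
SHELL_METACHARS = set(";|&`$")


def analyse_request(target: str) -> list[str]:
    """Return detection tags for one request target (path plus query string)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/agc/manager_send.php"):
        return []
    # parse_qs percent-decodes values once, so encoded payloads are inspected in clear text.
    q = parse_qs(parts.query, keep_blank_values=True)
    tags = []
    if q.get("enable_sipsak_messages") == ["1"] and q.get("allow_sipsak_messages") == ["1"]:
        tags.append("sipsak_code_path_enabled")
    if "OriginateVDRelogin" in q.get("ACTION", []) and any(
        SHELL_METACHARS & set(v) for v in q.get("extension", [])
    ):
        tags.append("originate_vdrelogin_cmd_injection")
    if any(SQLI_RE.search(v) for v in q.get("server_ip", [])):
        tags.append("server_ip_session_bypass_sqli")
    return tags


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Scan access-log text; return (client_ip, tags) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tags = analyse_request(m.group("target"))
        if tags:
            hits.append((m.group("ip"), tags))
    return hits


if __name__ == "__main__":
    for ip, tags in scan_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(tags)}")
```

The astguiclient.php credential check from the list above is not covered here because default credentials travel in the POST body, which a plain access log does not record.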