CVE-2013-4468
Published 2014-05-14
Priority: P357 · Severity: medium · CVSS 2.0: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploit: public exploit available (see Exploit-DB below)
EPSS: 31.76% (98.1 percentile)
VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vicidial | vicidial | <= 2.8 | — |
| vicidial | vicidial | — | — |
Detection & IOCs (extracted from sources)
- URL: `/agc/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin`
- Look for GET requests to /agc/manager_send.php with ACTION=OriginateVDRelogin and shell metacharacters (semicolons) in the 'extension' parameter, indicating OS command injection attempts.
- Detect SQL injection bypass in the 'server_ip' parameter of manager_send.php requests: look for payloads matching `' OR '1' = '1` used to bypass session validation.
- Alert on use of default VICIdial credentials VDCL/donotedit or VDAD/donotedit in authentication requests, which are leveraged to reach the injection point.
- Monitor POST requests to /agc/astguiclient.php with default astGUIclient credentials (user=6666, pass=1234, phone_login=6666, phone_pass=1234) used to create a web_client_sessions entry as a precursor to exploitation.
- Flag requests to manager_send.php that include both enable_sipsak_messages=1 and allow_sipsak_messages=1 query parameters, which are required to reach the vulnerable code path.

Notes:
- The SQL injection against the 'server_ip' parameter (CVE-2013-4467) is used as a prerequisite to bypass the session check; at least one session must have been created at some point for this bypass to work.
- Affected versions are explicitly 2.7RC1, 2.7, and 2.8-403a, but other versions are noted as likely affected as well.
No detection rules found.
Exploit-DB
VICIdial Manager - Send OS Command Injection (Metasploit) · exploitdb · 2013-11-08 · listed under CVE-2013-7382
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # ... (module setup lines are not reproduced in this excerpt)
      'Name'        => 'VICIdial Manager Send OS Command Injection',
      'Description' => %q{
        The file agc/manager_send.php in the VICIdial web application uses
        unsanitized user input as part of a command that is executed using the PHP
        passthru() function. A valid username, password and session are needed to access
        the injection point. Fortunately, VICIdial has two built-in accounts with default
        passwords and the manager_send.php file has a SQL injection vulnerability that can
        be used to bypass the session check as long as at least one session has been
        created at some point in time
```
Metasploit
VICIdial Manager Send OS Command Injection
The file agc/manager_send.php in the VICIdial web application uses unsanitized user input as part of a command that is executed using the PHP passthru() function. A valid username, password and session are needed to access the injection point. Fortunately, VICIdial has two built-in accounts with default passwords and the manager_send.php file has a SQL injection vulnerability that can be used to bypass the session check as long as at least one session has been created at some point in time. In case there isn't any valid session, the user can provide astGUIclient credentials in order to create one. The results of the injected commands are returned as part of the response from the web server. Affected versions include 2.7RC1, 2.7, and 2.8-403a. Othe…
No writeups or analysis indexed.
References
- http://www.exploit-db.com/exploits/29513
- http://www.openwall.com/lists/oss-security/2013/10/23/10
- http://www.openwall.com/lists/oss-security/2013/10/25/1
- https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/