CVE-2021-43970 Quicklert for Digium Switchvox Version 10 Build 1043 – Arbitrary File Upload Results in Remote Code Execution

Summary

Name

Quicklert for Digium Switchvox Version 10 Build 1043 – Arbitrary File Upload Results in Remote Code Execution

Product

Quicklert for Digium Switchvox

Affected Versions

Version 10, builds earlier than 1051

State

Public

Release Date

2022-03-01

Vulnerability

Type

Arbitrary File Upload

Rule

CWE-434: Unrestricted Upload of File with Dangerous Type https://cwe.mitre.org/data/definitions/434.html

Remote?

Yes

Authentication Required?

Yes

CVSS v3 Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:L/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H

CVSS v3 Base Score

9.9 (Critical Severity)

Exploit Available?

No, but manually exploitable

CVE ID(s)

CVE-2021-43970 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43970

Description

The ‘audioFile’ parameter of the /quicklert/albumimages.jsp web form in Quicklert for Digium Switchvox Version 10 Build 1043 is vulnerable to arbitrary file upload. An authenticated attacker with only low privileges can upload a malicious file to the server, which is then executed when the file is opened through the media viewer within the web application. Exploiting this vulnerability resulted in a complete compromise of the confidentiality, integrity, and availability of the server, which then served as a jump point into the victim’s DMZ.

Proof-of-Concept

  1. After being authenticated, we first navigated to the /quicklert/album.jsp page, which allowed us to add a new media album to our test account.

    Figure 1: Quicklert Album “Test” Created
  2. After creating the new album, we were then able to upload new media files via the /quicklert/albumimages.jsp web form.

    Figure 2: Quicklert Album File Upload


  3. We then generated a Java (JSP) reverse shell with msfvenom and saved the payload as “reverse.mp3”.

  4. We then uploaded the reverse.mp3 file via /quicklert/albumimages.jsp with the Burp Suite proxy intercepting requests. This allowed us to capture the POST request and make the following modifications before it reached the server:

    1. We changed the filename in the multipart request from “reverse.mp3” to “reverse.mp3;.jsp”. The name still contains “.mp3”, so it passed the file extension validation the web application had in place, while the server still treated the uploaded Java reverse shell as a JSP file.

    2. Additionally, we dumped a valid MP3 file with cat, copied a small piece of its leading byte stream, and pasted it above the payload body in Burp Suite so the file also began with legitimate MP3 bytes.

  5. After making these modifications, we forwarded the intercepted request so the payload was POSTed to the server. The request before and after modification is shown below:

    Figure 3: File Upload POST Request Captured in Burp Suite Before Modifications


    Figure 4: File Upload POST Request Captured in Burp Suite After Modifications
  6. Once the file was stored on the server, we started a Meterpreter listener and then requested the “reverse.mp3;.jsp” file from the server. The server executed it as a JSP page rather than serving it as audio, and the payload opened a reverse connection back to our listener, ultimately resulting in a complete takeover of the server within the victim’s DMZ.

    Figure 5: “Test” Album After “reverse.mp3;.jsp” is uploaded


    Figure 6: Resulting Web Page After Clicking “reverse.mp3;.jsp” and the Server Attempts to Open the Java Payload as an MP3 File


    Figure 7: Meterpreter Reverse Shell Opened in Metasploit Resulting in System Takeover After Clicking “reverse.mp3;.jsp”

Exploit

There is no pre-packaged exploit for this vulnerability at this time, although it can be exploited manually with a proxy such as Burp Suite as shown in the Proof-of-Concept section above.

Mitigation

Quicklert added file-type validation to the i.Album feature within the application to prevent uploading of potentially malicious file types.
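The following Python is an added illustration and is not Quicklert’s code nor the advisory author’s tooling. It models the two sides of this finding: the upload the Proof-of-Concept describes (a filename of “reverse.mp3;.jsp” and a body that begins with MP3 header bytes pasted above a JSP payload), and the kind of file-type validation the mitigation refers to. The advisory does not publish Quicklert’s original check or the fixed one, so `naive_accepts` (a check defeated by the PoC) and `hardened_validate` (one that is not) are assumptions written to show why the bypass works; the endpoint and the `audioFile` field name come from the advisory, while the JSP stand-in, the MP3 prefix bytes, the allowed-extension list and the boundary string are constructed for the example.

```python
import os
import re
import uuid

# Constructed stand-ins. The real payload was a msfvenom Java reverse shell; a minimal
# scriptlet is enough to mark the body as server-executable JSP. The prefix is an
# ID3v2 tag header followed by an MPEG audio frame sync word, i.e. the kind of bytes
# step 4.2 of the PoC pastes above the payload.
JSP_PAYLOAD = b'<%@ page language="java" %><% out.println("jsp executed"); %>'
MP3_PREFIX = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00"
MP3_SYNC_WORDS = (b"\xff\xfb", b"\xff\xfa", b"\xff\xf3", b"\xff\xf2")

UPLOAD_PATH = "/quicklert/albumimages.jsp"   # from the advisory
FIELD_NAME = "audioFile"                      # from the advisory


def build_upload_body(filename, content, boundary="----BurpBoundary"):
    """multipart/form-data body for the upload as Burp forwards it after the
    filename edit of step 4.1. Other fields the real form carries (album id, etc.)
    are not documented in the advisory and are omitted here."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{FIELD_NAME}"; filename="{filename}"\r\n'
        "Content-Type: audio/mpeg\r\n\r\n"
    ).encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()


def looks_like_mp3(content):
    """Cheap magic-byte test: ID3v2 tag or an MPEG frame sync at offset 0."""
    return content.startswith(b"ID3") or content[:2] in MP3_SYNC_WORDS


def naive_accepts(filename, content):
    """Assumed weak check of the kind the PoC defeats: '.mp3' appears somewhere in
    the client-supplied name and the body starts with MP3 bytes. Both conditions
    hold for 'reverse.mp3;.jsp' with an MP3 prefix, so the JSP gets through."""
    return ".mp3" in filename.lower() and looks_like_mp3(content)


ALLOWED_EXT = {".mp3", ".wav"}   # assumption: what the album feature legitimately needs
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def hardened_validate(filename, content):
    """Returns (accepted, detail). Each check below rejects the PoC upload on its
    own, and the stored name is chosen by the server, never by the client."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path component
    if not SAFE_NAME.match(base):                           # ';', NUL, spaces, '..'
        return False, "unsafe characters in filename"
    ext = os.path.splitext(base)[1].lower()                 # the FINAL extension only
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    if ext == ".mp3" and not looks_like_mp3(content):
        return False, "content is not MP3"
    if ext == ".wav" and not (content[:4] == b"RIFF" and content[8:12] == b"WAVE"):
        return False, "content is not WAV"
    if b"<%" in content or b"<jsp:" in content.lower():    # defense in depth
        return False, "JSP markup inside audio file"
    stored = uuid.uuid4().hex + ext   # e.g. 3f2a...c9.mp3; original name is discarded
    return True, stored


if __name__ == "__main__":
    crafted = MP3_PREFIX + JSP_PAYLOAD
    print(build_upload_body("reverse.mp3;.jsp", crafted)[:160])
    print("naive check accepts PoC upload:", naive_accepts("reverse.mp3;.jsp", crafted))
    print("hardened check:", hardened_validate("reverse.mp3;.jsp", crafted))
    print("hardened check, clean file:", hardened_validate("song.mp3", MP3_PREFIX + b"\x00" * 64))
```

The decisive control in `hardened_validate` is the last line: the file is stored under a server-generated name with an allow-listed extension, so whatever the client put in the multipart `filename` field never reaches the servlet container as a path. Storing uploads outside the web root and serving them through a handler that sets the audio Content-Type closes the remaining gap, since a JSP body that is never mapped to the JSP servlet is just bytes.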

Credits

This vulnerability was discovered by Nick Berrie (https://www.linkedin.com/in/nick-berrie/), Technical Director of Assura’s Offensive Security Operations department at Assura, Inc.

Timeline

  • 2021-11-12: Vulnerability discovered 

  • 2021-11-12: Vendor contacted

  • 2021-11-17: CVE #s issued by MITRE

  • 2022-02-22: Vendor confirmed patch

  • 2022-03-07: Public disclosure