CVE-2021-43970 Quicklert for Digium Switchvox Version 10 Build 1043 – Arbitrary File Upload Results in Remote Code Execution
Summary
Name | Quicklert for Digium Switchvox Version 10 Build 1043 – Arbitrary File Upload Results in Remote Code Execution |
Product | Quicklert for Digium Switchvox |
Affected Versions | Version 10 Build <1051 |
State | Public |
Release Date | 2022-03-01 |
Vulnerability
Type | Arbitrary File Upload |
Rule | CWE-434: Unrestricted Upload of File with Dangerous Type https://cwe.mitre.org/data/definitions/434.html |
Remote? | Yes |
Authentication Required? | Yes |
CVSS v3 Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:L/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H |
CVSS v3 Base Score | 9.9 (Critical Severity) |
Exploit Available? | No, but manually exploitable |
CVE ID(s) | CVE-2021-43970 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43970 |
Description
The ‘audioFile’ parameter of the /quicklert/albumimages.jsp web form in Quicklert for Digium Switchvox Version 10 Build 1043 is vulnerable to arbitrary file upload. This vulnerability allows authenticated (low privilege) attackers to upload malicious files to the server which are then executed when called by the media viewer within the web application. The exploitation of this vulnerability resulted in a complete compromise to the confidentiality, integrity, and availability of the server and served as a jump point into the victim’s DMZ.
Proof-of-Concept
After being authenticated, we first navigated to the /quicklert/album.jsp page, which allowed us to add a new media album to our test account. After creating the new album, we were then able to upload new media files via the /quicklert/albumimages.jsp web form.
Figure 1: Quicklert Album “Test” CreatedAfter creating the new album, we were then able to upload new media files via the /quicklert/albumimages.jsp web form.
Figure 2: Quicklert Album File UploadWe then created a Java reverse shell utilizing msfvenom. This payload was saved as “reverse.mp3”
We then uploaded the reverse.mp3 file via /quicklert/albumimages.jsp while the interceptor functionality of Burp Suite proxy was running. This allowed us to capture the POST request and make the following modifications:
We renamed the filename from “reverse.mp3” to “reverse.mp3;.jsp”. This ensures that the server recognizes the Java reverse shell as a valid JSP file while bypassing any file extension validations the web application had in place.
Additionally, we added a small piece of the byte-stream from a valid mp3 file by “catting” the file and then pasting the results above the current payload in Burp Suite.
After making these modifications, we released the intercepted request to allow it to POST the payload to the server. All of this is illustrated below:
After the file was posted on the server, we started a Meterpreter listener and then accessed the “reverse.mp3;.jsp” payload on the server. The server interpreted the Java file correctly and created a reverse connection back to us, ultimately resulting in a complete takeover of the server within the victim’s DMZ.
Exploit
There is no pre-packaged exploit for this vulnerability at this time although it can be easily exploited manually as shown in the Proof-of-Concept section above.
Mitigation
Quicklert added file-type validation to the i.Album feature within the application to prevent uploading of potentially malicious file types.
Credits
This vulnerability was discovered by Nick Berrie (https://www.linkedin.com/in/nick-berrie/), Technical Director of Assura’s Offensive Security Operations department at Assura, Inc.
References
Vendor Page | |
CVE Description | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43970 |
Timeline
2021-11-12: Vulnerability discovered
2021-11-12: Vendor contacted
2021-11-17: CVE #s issued by MITRE
2022-02-22: Vendor confirmed patch
2022-03-07: Public disclosure
Related Vulnerabilities
-
-
-
-
CVE-2022-34002 Personnel Data Systems (PDS) Vista 7 - Local File Inclusion (Vulnerability Research)
Copyright 2022 Assura, Inc. All rights reserved.