module
Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump
| Disclosed | Created |
|---|---|
| Mar 30, 2020 | Feb 17, 2022 |
Disclosed
Mar 30, 2020
Created
Feb 17, 2022
Description
This module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx
IP PBX to dump the users table. The injection occurs over a websocket at the websockify
endpoint, and specifically occurs when the user requests the challenge (as part of a
challenge and response authentication scheme). The injection is blind, but the server
response contains a different status code if the query was successful. As such, the
attacker can guess the contents of the user database. Most helpfully, the passwords are
stored in cleartext within the user table (CVE-2020-5723).
This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.
IP PBX to dump the users table. The injection occurs over a websocket at the websockify
endpoint, and specifically occurs when the user requests the challenge (as part of a
challenge and response authentication scheme). The injection is blind, but the server
response contains a different status code if the query was successful. As such, the
attacker can guess the contents of the user database. Most helpfully, the passwords are
stored in cleartext within the user table (CVE-2020-5723).
This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.
Author
jbaines-r7
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.