Grandstream Networks UCM6200 Series SQLi (Web UI)

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(160531);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  script_cve_id("CVE-2020-5722");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/07/28");

  script_name(english:"Grandstream Networks UCM6200 Series SQLi (Web UI)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is vulnerable and can be compromised");
  script_set_attribute(attribute:"description", value:
"A SQL injection vulnerability exists in Grandstream UCM6200 Series devices. An unauthenticated, remote attacker can
exploit this to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails
in versions before 1.0.20.17. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2020-15");
  script_set_attribute(attribute:"solution", value:
"Update to the fixed version as per the advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5722");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Grandstream UCM62xx IP PBX sendPasswordEmail RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/05/05");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("grandstream_networking_solutions_web_detect.nbin");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var port = get_http_port(default:80, embedded:TRUE);
var app_info = vcf::get_app_info(app:'Grandstream Networking Solutions', port:port, webapp:TRUE);

# UCM6200 Series Models only. Empty model and paranoid still runs
if (empty_or_null(app_info.Model))
{
  if (report_paranoia < 2)
    audit(AUDIT_POTENTIAL_VULN, 'Grandstream device', app_info.version);
  else
    app_info.Model = UNKNOWN_VER;
}
else if (app_info.Model !~ "UCM62[0-9]{2}($|[^0-9])")
  audit(AUDIT_HOST_NOT, 'an affected Grandstream device');

var constraints = [
  { 'fixed_version' : '1.0.20.17' }
];

vcf::grandstream::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{'sqli':TRUE});