Grandstream Networks UCM6200 Series SQLi (SIP)

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(160532);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  script_cve_id("CVE-2020-5722");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/07/28");

  script_name(english:"Grandstream Networks UCM6200 Series SQLi (SIP)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is vulnerable and can be compromised");
  script_set_attribute(attribute:"description", value:
"A SQL injection vulnerability exists in Grandstream UCM6200 Series devices. An unauthenticated, remote attacker can
exploit this to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails
in versions before 1.0.20.17. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2020-15");
  script_set_attribute(attribute:"solution", value:
"Update to the fixed version as per the advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5722");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Grandstream UCM62xx IP PBX sendPasswordEmail RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/05/05");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("grandstream_sip_detect.nbin");
  script_require_keys("installed_sw/Grandstream VoIP Device");

  exit(0);
}

include('vcf.inc');

var app = 'Grandstream VoIP Device';

get_install_count(app_name:app, exit_if_zero:TRUE);
var installs = get_combined_installs(app_name:app);

if (installs[0] != IF_OK)
  audit(AUDIT_NOT_DETECT, app);

var vuln = FALSE;
var report = NULL;

var models = {
  'UCM6202' : { 'constraints': [{ 'fixed_version' : '1.0.20.17' }]},
  'UCM6204' : { 'constraints': [{ 'fixed_version' : '1.0.20.17' }]},
  'UCM6208' : { 'constraints': [{ 'fixed_version' : '1.0.20.17' }]}
};

# loop through the installs
# obtain the model/version of each detected install
# alert if matching the known affected assets
foreach var install (installs[1])
{
  var model = install.Model;
  var version = install.version;
  if(empty_or_null(model) || empty_or_null(version))
    continue;

  # if the model is found, check for a version less than... 
  var output = vcf::check_version(version:vcf::parse_version(version), constraints:models[model]['constraints']);

  if(!vcf::is_error(output) && !isnull(output))
  {
    vuln = TRUE;
    report +=
    '\n  Model             : ' + model +
    '\n  Installed Version : ' + version +
    '\n  Fixed Version     : ' + models[model]['constraints'][0]['fixed_version'] +
    '\n  Port / Protocol   : ' + install.protocol + '/' + install.port +
    '\n';
  }
}

if(!vuln) audit(AUDIT_INST_PATH_NOT_VULN, 'The Grandstream asset' );
# we will have one or many ports... zeroing out...
security_report_v4(port:0, severity:SECURITY_HOLE, extra:report, sqli:TRUE);