Vulnerabilities > CVE-2013-4468 - Command Injection vulnerability in VICIDIAL 'manager_send.php'

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

vicidial

exploit available

metasploit

NVD

Published: 2014-05-14

Updated: 2014-05-15

Summary

VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php. Per: http://cwe.mitre.org/data/definitions/77.html "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"

Vulnerable Configurations

Part	Description	Count
Application	Vicidial Vicidial Vicidial 2.7 Vicidial Vicidial 2.8	3

Exploit-Db

description	VICIdial Manager Send OS Command Injection. CVE-2013-4467,CVE-2013-7382. Remote exploit for linux platform
file	exploits/linux/remote/29513.rb
id	EDB-ID:29513
last seen	2016-02-03
modified	2013-11-08
platform	linux
port	80
published	2013-11-08
reporter	metasploit
source	https://www.exploit-db.com/download/29513/
title	VICIdial Manager Send OS Command Injection
type	remote

Metasploit

description	The file agc/manager_send.php in the VICIdial web application uses unsanitized user input as part of a command that is executed using the PHP passthru() function. A valid username, password and session are needed to access the injection point. Fortunately, VICIdial has two built-in accounts with default passwords and the manager_send.php file has a SQL injection vulnerability that can be used to bypass the session check as long as at least one session has been created at some point in time. In case there isn't any valid session, the user can provide astGUIcient credentials in order to create one. The results of the injected commands are returned as part of the response from the web server. Affected versions include 2.7RC1, 2.7, and 2.8-403a. Other versions are likely affected as well. The default credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit.
id	MSF:EXPLOIT/UNIX/WEBAPP/VICIDIAL_MANAGER_SEND_CMD_EXEC
last seen	2020-06-08
modified	2017-09-08
published	2013-11-06
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4467 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4468 http://www.openwall.com/lists/oss-security/2013/10/23/10 http://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb
title	VICIdial Manager Send OS Command Injection

Packetstorm

data source	https://packetstormsecurity.com/files/download/123947/vicidial_manager_send_cmd_exec.rb.txt
id	PACKETSTORM:123947
last seen	2016-12-05
published	2013-11-08
reporter	sinn3r
source	https://packetstormsecurity.com/files/123947/VICIdial-Manager-Send-OS-Command-Injection.html
title	VICIdial Manager Send OS Command Injection

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Packetstorm

References