XXE vulnerability in 3CX Phone System
Another vulnerability discovered by Logically Secure. This time it is XXE (XML External Entity Injection) and SSRF (Server-Side Request Forgery) in 3CX Phone System web management console on version 12.5.44178.1002 up to 12.5 SP2.
In short, a correctly scoped penetration test, and an experienced tester resulted in uncovering unknown risks not only to the client but to the vendor too. This affects older versions of the product only.
The weakness is listed on OWASP TOP 10 since 2017 (most recent so far), however, is not commonly found in the applications as not every application implements XML processing.
How did we discover it? What is so different about this vulnerability?
During basic external penetration testing engagement, we came across a 3CX product. A quick lookup of CVEs and their description suggested that product was not reviewed on a regular basis by the community and it looked rather old fashioned. A security researcher like us (Edward Amaral Toledano), discovered vulnerabilities in version 15 of this product. There were no vulnerabilities disclosed for version 12 that we were testing nor the vulnerabilities from other versions did not apply for the level of access we had.
We have decided to have a close look and spent some time to review the security of unauthenticated part of the application on port 5000 where the web management console was located.
After examining the protocols, we quickly identified that the portal makes use of XML formatting and accepts our input in POST request to /management/Route/2.712024.2/moz/en-US/_3cxTheme/983038.49148.926/0/Content.MainForm.
Fiddling with XML and related vulnerabilities, we were able to elicit DNS and HTTP out of band responses.
A first basic test was to set up a listener on our public system and issue an attack which resulted in 3CX server connecting to our system as shown below.
Once we had a confirmation that the server is making a valid request, we have then used other available tools that fully take advantage of XXE issues. With the help of XXEInjector, we were able to read win.ini file from a vulnerable server.
Multiple other attempts were performed to compromise the host; however, we suspect that firewall on this IIS server was restricting some traffic on FTP and SMB.
Penetration testing can uncover previously unknown risks in your infrastructure. Not only because you are testing application configuration in the context of a whole live environment but also because you employ a testing company that does not rely only on known vulnerabilities and basic vulnerability assessment tools.
Testers in Logically Secure have the right mindset that allows them to look further and spend their own time investigating potential issues which enhances the value of the assessments.
By providing to you a penetration testing report you can quickly judge which actions are necessary to improve security. Similarly, our commitment to security allows vendors to improve their products in which you have trust.
3CX product had multiple functionality and product updates since affected version and therefore newer versions are not affected by this vulnerability.
Lastly, we would like to acknowledge very quick vendor response. 3CX conducted their own testing to replicate the vulnerability and assess against other versions. They were also giving away a trial of their latest version and allowed the testing against it. Vendor confirmed that the product is undergoing regular penetration testing.
CVE number: CVE-2019-13176 by Alexander Drabek
Discovery : 1st July 2019
3CX informed 2nd July 2019
3CX acknowledgment 2nd July 2019