An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 126.96.36.199. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.
9.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose networking traffic TURN server. TURN servers are usually deployed in so-called “DMZ” zones — any server reachable by the internet — to provide firewall traversal solutions. Attackers who are able to take over such servers may be able to bypass firewalls and conduct additional attacks.
According to Shodawn, thousands of coTURN servers are directly reachable on the internet.
The username in POST requests to the login page is passed to the following function in src/apps/relay/dbdrivers/dbd_mysql.c src/apps/relay/dbdrivers/dbd_pgsql.c src/apps/relay/dbdrivers/dbd_sqlite.c
snprintf(statement, sizeof(statement), "select realm,password from admin_user where name='%s'", usname);
The usname element can be crafted to return an arbitrary password.
Even when no administrators are configured and the administrator web portal is deactivated, the portal still accepts POST requests, so it’s still possible to exploit this vulnerability and reactivate the portal.
POST /logon HTTP/1.1 Host: 192.168.0.2:443 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 47 uname=user' union select '','0000'; --&pwd=0000
2017-09-04 - Vendor Disclosure
2019-01-29 - Public Disclosure
Discovered by Nicolas Edet of Cisco.