-----------------------------------------------------------------v1.1-
modzero Security Advisory: SAMwin Contact Center Suite -
Architectural issues lead to database compromise [MZ-13-06]
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Timeline
---------------------------------------------------------------------

* 2014-03-13: Advisory will be published.
* 2013-09-24: Vendor responded.
* 2013-09-20: Vendor has been contacted.

---------------------------------------------------------------------
2. Summary
---------------------------------------------------------------------

Vendor: Telecommunication Software GmbH
Products known to be affected: SAMwin Contact Center Suite 5.1, the
SAMwin Agent login mask shows version 5.01.19.06
Severity: High
Remote exploitable: Yes

The SAMwin Call Center Suite is a SIP-based call center solution, which
assists users with various features like call forwarding, skill based
routing, a realtime wallboard, reporting and supervisor monitoring.

The environment consists of at least one SAMwin Contact Center Suite
Server (SAMwin Server) component, a SQL database server and the SAMwin
Contact Center Suite Agent (SAMwin Agent). The SAMwin Agent is installed
on the call center employee's desktop computer and provides a configured
set of features, based on a role and permission concept configured by
the supervisor or an administrator. The SAMwin Server's core function is
SIP-based call handling and routing. The database server acts as
datastore and is directly accessed by the SAMwin Server and Agent. The
architecture does not use any middleware, which could verify or sanitize
communication between the SAMwin Agents and the database.

The SAMwin Agent is designed to use hard coded database authentication
credentials to connect to the SAMwin database server during startup,
prior to any other user authentication.
The password is defined and hard coded by the vendor. Therefore, all
installations on any customer-site use the same database credentials.

No input sanitizing is conducted and no prepared statements are used
and, thus, arbitrary SQL command execution is possible via the username
field of the login mask. However, an attacker might simply connect
directly to the database using the credentials he extracted from the
SAMwin binaries.

As all the information regarding user-accounts, call routing and
interconnection details of the infrastructure is stored in the database,
an attacker can gain full control over the SAMwin software that handles
calls. Depending on the database configuration hardening, an attacker
might be able to gain access to the database server's operating system
as well, to read, write and execute arbitrary files on the filesystem.

---------------------------------------------------------------------
3. Details
---------------------------------------------------------------------

The SAMwin Agent is designed to use hard coded database authentication
credentials to connect to the SQL database server during startup, prior
to any other authentication. To log on to the SAMwin Agent application,
the user enters his access credentials into the corresponding fields in
the login mask. When a user enters his SAMwin account information into
the login screen, SQL queries are sent directly to the database server
using hard coded credentials, verifying the given username and password
against credentials stored in the database.

The database credentials can be extracted from the SAMwin Agent by
analyzing the SAMwinLIBVB.dll shared library that is usually located
under C:\Program Files\contact center suite 5.1\Bin\. The file is
available to everyone with access to the SAMwin Agent software.
The database connection is initiated by a method called
getCurrentDBVersion(), which calls generateTransactSql() to obtain the
password for the database connection:

    // Decompiled C# fragment from SAMwinLIBVB.dll: the connection string
    // template is filled in at runtime, the password coming from
    // generateTransactSql().
    new SqlConnection(
        "Data Source=%%SERVER%%; Initial Catalog=%%DATABASE%%; UId=%%USER%%; Pwd=%%PWD%%;Pooling=False"
            .Replace("%%USER%%", "SAMwin")
            .Replace("%%PWD%%", Database.generateTransactSql())
            .Replace("%%SERVER%%", host)
            .Replace("%%DATABASE%%", dbName)
    );

The function generateTransactSql() de-obfuscates the hard coded database
password and returns its cleartext representation. The username SAMwin
and the de-obfuscated 36 characters long password can be used by an
attacker to connect to the SQL database with any SQL client to get
access to its data.

Due to the absence of any middleware sanitizing and verifying input data
sent by the SAMwin Agent, arbitrary SQL commands can be executed from
the username field of the SAMwin Agent login mask. When a SAMwin Agent
user logs in, the username and password will be compared against values
that are stored in the database. By terminating the username with a
single quote character, any person with access to the SAMwin Agent login
form can execute malicious SQL statements. For example, the following
string can be used as username to verify the SQL command execution on
the SQL server.

    USERNAME' AND 1=1; WAITFOR DELAY '0:0:3'--

The example above can be used for a blind SQL injection, as the database
will delay execution for 3 seconds; the timing in this case is a
side-channel to prove the problem of blind injections into SQL
statements.

As the credentials required for a direct database access are available
to anyone with access to the SAMwin Agent, the SQL injection does not
need to be abused by an attacker, as he could simply connect to the
database directly using any arbitrary SQL client. Direct access to the
database is required based on the given architecture. Otherwise, the
legitimate SAMwin Agent could not operate.
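The following is an added illustration, not code from the advisory or from the vendor: it reconstructs, against a constructed in-memory SQLite table, the two ways the login check can be built. The string-spliced variant shows how the advisory's probe string reaches the SQL parser as SQL text; the parameterised variant is the prepared-statement fix the summary says is missing. Table and column names, the sample account and the password value are assumptions.

```python
import sqlite3

# Constructed sample account; a stand-in for the real SAMwin user table.
SAMPLE_USERS = [("agent01", "s3cret-example")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agents (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO agents VALUES (?, ?)", SAMPLE_USERS)
    return conn

# Hypothetical reconstruction of the vulnerable pattern: the login mask
# input is spliced into the statement text, so a quote in the username
# changes the SQL that the server parses.
def build_login_sql_unsafe(username, password):
    return ("SELECT COUNT(*) FROM agents WHERE username = '%s' "
            "AND password = '%s'" % (username, password))

def login_unsafe(conn, username, password):
    # Executes whatever statement the user input produced.
    sql = build_login_sql_unsafe(username, password)
    return conn.execute(sql).fetchone()[0] == 1

# The remedy the advisory asks for: a parameterised statement. The driver
# passes the username as a value, never as SQL text, so quotes cannot
# alter the query and the probe string simply fails to match an account.
def login_safe(conn, username, password):
    row = conn.execute(
        "SELECT COUNT(*) FROM agents WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] == 1

# The advisory's own probe string, used here only to compare how the two
# variants treat it.
PROBE = "USERNAME' AND 1=1; WAITFOR DELAY '0:0:3'--"

def probe_reaches_parser(conn):
    """True if the unsafe builder hands the probe to the SQL parser as SQL.

    SQLite has no WAITFOR and refuses a second statement in execute(), so
    the injected text surfaces as an error instead of a 3 second delay;
    on SQL Server the same text would run as two statements."""
    try:
        login_unsafe(conn, PROBE, "x")
    except (sqlite3.Error, sqlite3.Warning):
        return True
    return False
```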
It is recommended to use a middleware application between client and
backend systems, so that authentication and input validation can be
performed before data is passed to a database. No client software should
be allowed to connect to any database system directly using hard coded
credentials.

---------------------------------------------------------------------
4. Impact
---------------------------------------------------------------------

Because credentials are hard coded and equal for all installations, an
attacker reveals them once and is able to exploit multiple
installations. Conceptually, these database credentials grant read and
write access to the database. Thus, an attacker knowing these
credentials and with direct access to the database is able to modify
the database content.

An SQL injection vulnerability within the application leads to a full
compromise, too, as all the SQL statements will be executed using the
same database account with read and write permissions.

As the content of the database holds all the information regarding the
users, the call routing and interconnection details of the surrounding
infrastructure, a successful attacker gains full control over the call
center, its calls and probably data of other systems.

---------------------------------------------------------------------
5. Workaround
---------------------------------------------------------------------

No known workaround to fix the architecture design is available yet.
Network access to the SAMwin database server should be restricted to
prevent access from untrustworthy networks and clients.

---------------------------------------------------------------------
6. Fix
---------------------------------------------------------------------

According to the vendor, users of this software should upgrade to
version 6.2, which should be available in Q4 2013. The vendor will not
provide any fixes for previous versions.
---------------------------------------------------------------------
7. Credits
---------------------------------------------------------------------

* Tobias Ospelt (tobias@modzero.ch)
* Max Moser (mmo@modzero.ch)

---------------------------------------------------------------------
8. About modzero
---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with security
analysis in the complex areas of computer technology. The focus lies on
highly detailed technical analysis of concepts, software and hardware
components as well as the development of individual solutions.
Colleagues at modzero AG work exclusively in practical, highly technical
computer-security areas and can draw on decades of experience in
various platforms, system concepts, and designs.

http://modzero.ch
contact@modzero.ch

---------------------------------------------------------------------
9. Disclaimer
---------------------------------------------------------------------

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.