CyRC Vulnerability Advisory: Multiple vulnerabilities discovered in GOautodial

Broken authentication and local file inclusion leads to information disclosure and remote code execution in the GOautodial API.

Cyrc advisory.jpeg

Overview

Synopsys Cybersecurity Research Center (CyRC) research has discovered multiple vulnerabilities in the all-in-one call center software suite GOautodial. The suite, which has 50,000 users in call centers around the world, is open source and freely available to download, and it is also available as a paid cloud service from multiple providers. The vulnerabilities discovered can be exploited remotely to read system settings without authentication and allow arbitrary code execution by any authenticated user via unrestricted file upload.

The first issue (CVE-2021-43175: Broken authentication) falls under the A01 Broken Access Control category on the OWASP Top 10 list. This vulnerability allows any attacker with access to the internal network hosting GOautodial to steal sensitive configuration data such as default passwords from the GOautodial server, without needing any credentials such as a username or password. This data could then be used to connect to other related systems on the network such as VoIP phones or services.

The second issue (CVE-2021-43176: Local file inclusion with path traversal) allows any authenticated user at any level, including contact center employees, to perform remote code execution. This would allow them to gain complete control over the GOautodial application on the server, steal the data from fellow employees and customers, and even rewrite the application to introduce malicious behavior such as stealing passwords or spoofing communications (sending messages or emails that look like they come from someone else).

Affected software

Versions of the GOautodial API (https://github.com/goautodial/goAPIv2) at or prior to commit b951651 on September 27, 2021 appear to be vulnerable. This includes the latest publicly available ISO installer GOautodial-4-x86_64-Final-20191010-0150.iso.

Both vulnerabilities are patched as of commit 15a40bc on October 20, 2021.

Impact

CVE-2021-43175: Broken authentication
GOautodial exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. 

This allows the caller to name and call a second PHP file without having any valid credentials for the GOautodial system. For example, this POST request will successfully authenticate despite the credentials not being valid, and will return system settings from GOautodial:

POST /goAPIv2/goSystemSettings/goAPI.php?
goAction=goGetSystemSettingInfo&
goPass=notarealpassword&
goUser=notarealuser&
hostname=192.168.190.1&
responsetype=json&
session_user=goadmin 

Most of the individual API functions appear to contain their own additional checks on user identity, credentials, and session state, which means that they are not vulnerable to exploitation. However, goGetSystemSettingInfo.php, which leaks sensitive configuration details including system passwords, certainly is.

CVSS 3.1 base score: 5.3 (medium)
CVSS 3.1 vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVE-2021-43176: Local file inclusion with path traversal
The API router takes a user-supplied “action” parameter and appends a .php file extension to locate and load the correct PHP file to implement the API call. Vulnerable versions of GOautodial do not sanitize the user input that specifies the action. This permits an attacker to execute any PHP source file with a .php extension that is present on the disk and readable by the GOautodial web server process. Combined with CVE-2021-43175, it is possible for the attacker to do this without valid credentials.

If the attacker can upload arbitrary PHP files to the server, that would allow arbitrary code execution on the server.

Regular authenticated users of the GOautodial system—such as call center employees—can send messages including attachments to other users. These attachments are saved with their original filename in a predictable location on the server. This means that any regular authenticated user of the GOautodial system can upload and execute arbitrary PHP files on the server. 

CVSS 3.1 base score: 8.8 (high)
CVSS 3.1 vector:  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Remediation

Synopsys recommends upgrading to GOautodial API commit 15a40bc or later.

Discovery credit

Scott Tolley, a researcher from the Synopsys Cybersecurity Research Center, discovered these vulnerabilities using the Seeker® interactive application security testing (IAST) tool, which tests for security vulnerabilities automatically during the software development life cycle (SDLC). 
Synopsys would like to commend the GOautodial team for their responsiveness and for addressing these vulnerabilities in a timely manner.

Timeline

  • September 22, 2021: Initial disclosure
  • October 20, 2021: GOautodial fixes the vulnerability
  • November 17, 2021: Synopsys validates the fix
  • December 7, 2021: Advisory published by Synopsys
Stay on top of the latest AppSec news

Subscribe to the e-newsletter

 
Scott Tolley

Posted by

Scott Tolley

Scott Tolley

Scott Tolley began his career in mobile application and operating systems development before catching the AppSec bug at Synopsys where he now works as a solution architect (and fearless bug bounty hunter by night)! When he’s not perfecting DevSecOps pipelines for Synopsys he’s a keen amateur linguist, currently working on Romanian.


More from Security news and research