Nortel Contivity Vulnerability
Subject: Nortel Contivity Vulnerability
From: foo (foo BLACKLISTED.INTRANOVA.NET)
Date: Mon Jan 17 2000 - 18:21:03 CST
Description
-----------
Nortel's new Contivity series extranet switches
(http://www.nortelnetworks.com/products/01/contivity) give administrators
the ability to enable a small HTTP server and use Nortel's web-based
administration utility to handle configuration and maintenance.
The server runs atop the VxWorks operating system and is located in the
directory /system/manage. A CGI application, /system/manage/cgi/cgiproc
that is used to display the administration html pages does not properly
authenticate users prior to processing requests. An intruder can
view any file on the switch without logging in.
Method of exploitation:
pretty much a no-brainer:
http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.
(interesting places to look: /system/filelist.dat, /system/version.dat,
/system/keys, /system/core, etc.)
The only entry found in the event/security logs after exploitation is
this:
09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login
Also, this same application does not properly escape metacharacters such
as '$', '!', resulting in total system crash:
http://x.x.x.x/manage/cgi/cgiproc?$
Nothing is found in the security/event logs after reboot.
Affected:
--------
Tested on a Contivity 2500 running version 2.6 of the VxWorks OS.
However, the cgiproc application has been (I believe) part of
the package since their initial release, therefore earlier versions may
also be affected.
Fix
---
I was finally able to contact Nortel about this on January 7, to open up a case (CR# 118887 - cgiproc 'bug', CR# 118890 - DoS). A patch has been developed and is scheduled to be released with their next shipment of the VxWorks package.
Those administrators that have properly configured the switch, and placed adequate access control/filtering rules on the management virtual IP should not have any immediate concerns.
- John Daniele
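As an added illustration (not part of the original post or of Nortel's software), the following detection logic flags the two request patterns the advisory describes, a Nocfile parameter naming an absolute path and a query string consisting of raw metacharacters, in request URIs seen by a proxy or filter in front of the management virtual IP, and counts the "denied. requires login" event-log entries the post identifies as the only trace of a file read. The sample URIs and log lines are constructed, and the metacharacters beyond '$' and '!' are an assumed extension of the post's list.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# URL path of the management CGI named in the advisory.
CGIPROC_RE = re.compile(r"/manage/cgi/cgiproc$", re.IGNORECASE)
# '$' and '!' come from the advisory; the rest are an assumed extension of the same idea.
META_CHARS = set("$!`;|&")
# The one event-log line the advisory says is left behind after a file read.
DENIED_RE = re.compile(r"Request for cgiproc denied\. requires login")

def classify_request(uri):
    """Label one request URI, or return None if it does not touch cgiproc."""
    parts = urlsplit(uri)
    if not CGIPROC_RE.search(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # An absolute path in Nocfile is the unauthenticated file read.
    if any(v.startswith("/") for v in params.get("Nocfile", [])):
        return "cgiproc-file-read"
    # Raw metacharacters in the query string match the crash case ("cgiproc?$").
    if any(ch in META_CHARS for ch in unquote(parts.query)):
        return "cgiproc-metachar-dos"
    return "cgiproc-access"

def scan_requests(uris):
    """Map each flagged URI to its label; benign URIs are dropped."""
    return {u: label for u in uris if (label := classify_request(u)) is not None}

def count_denied_logins(log_lines):
    """Count switch event-log entries carrying the 'denied. requires login' message."""
    return sum(1 for line in log_lines if DENIED_RE.search(line))

# Constructed sample input; not captured from a real switch.
SAMPLE_URIS = [
    "http://10.0.0.1/manage/cgi/cgiproc?Nocfile=/system/version.dat",
    "http://10.0.0.1/manage/cgi/cgiproc?Nocfile=%2Fsystem%2Fkeys",
    "http://10.0.0.1/manage/cgi/cgiproc?$",
    "http://10.0.0.1/manage/cgi/cgiproc?page=status",
    "http://10.0.0.1/index.html",
]
SAMPLE_LOG = [
    "09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login",
    "09:44:25 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login",
    "09:45:01 tEvtLgMgr 0 : Info [3] Management: session closed",
]
if __name__ == "__main__":
    for uri, label in scan_requests(SAMPLE_URIS).items():
        print(f"{label:22} {uri}")
    print("denied-login events:", count_denied_logins(SAMPLE_LOG))
```

Because the switch itself logs only the generic "denied" line, pairing that count with the request-side labels is what distinguishes a probe for /system/keys from a mistyped login.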
This archive was generated by hypermail 2b27 : Tue Jan 18 2000 - 16:29:47 CST