[NEWS] Nokia Electronic Documentation - Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 09/16/03

    To: list@securiteam.com
    Date: 16 Sep 2003 15:02:16 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Nokia Electronic Documentation - Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    Nokia (http://www.nokia.com) provides a web-based documentation interface
    called NED for a number of its cellular network products.

    @stake have discovered three vulnerabilities in this product:
     - Cross-site scripting
     - Directory listing of certain directories under the web-root
     - Being able to use NED as a proxy server for HTTP requests

    Normally, NED deployments are within the OAM/O&M networks of the cellular
    operator. However, as @stake discussed in the white paper 'GPRS Wireless
    Security: Not Ready for Prime Time'
    (http://www.atstake.com/research/reports/acrobat/atstake_gprs_security.pdf),
    these networks can be exposed to risks which are not normally within the
    operators' risk profiles.

    DETAILS

    The following examples are from a standard NED installation, which in
    @stake's experience runs on NT4 with IIS 3.0.

    1) Cross-site scripting
    A very simple cross-site scripting vulnerability exists. For example, if
    an attacker makes the following request:

       http://target/docs/< script>alert('@stake');</script>

    This will cause the malicious code to run in the attacker's browser if
    JavaScript is enabled.

    2) Directory Listings
    It is possible to cause the underlying application server (WebLogic) to
    return a directory listing of the web-root. This is achieved by simply
    supplying a '.' as the location to the NED application. For example:

       http://target/docs/NED?action=retrieve&location=.

    In addition, this will also return the physical path that NED is installed
    on, which is by default:
       'e:\nemu\platform\active\docs\ned\Web-inf\special\'

    3) Open Proxy
    By specifying a location which contains the HTTP protocol URI, as
    contained within the example URL below, one can cause NED to retrieve the
    page in question and deliver the contents back. This can potentially be
    used to launch attacks against hosts that the NED server may have access
    to but the attacker does not (for example in a DMZ deployment).
       http://target/docs/NED?action=retrieve&location=http://target2/
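    Findings 2 and 3 share one root cause: the requested location is handed to the
    application server without first being restricted to a document beneath the
    docs root. The Python below is an added illustration of the allowlist check
    such a retriever needs; it is not Nokia's or @stake's code and does not claim
    to show how NED itself is implemented. It accepts only a relative path to an
    existing regular file under the documentation root and refuses anything that
    names a directory ('.' included), walks upward, or carries a URL scheme or
    host. The function names, the LocationError type and the temporary docs tree
    used in demo() are assumptions.

```python
"""Allowlist resolver for a NED-style ``location`` parameter.

Added example (not Nokia's or @stake's code). A documentation retriever only
ever needs a relative path to a regular file beneath its docs root, so that
is all this accepts; everything else in findings 2 and 3 is rejected.
"""
import posixpath
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


class LocationError(ValueError):
    """Raised when a requested location is rejected (assumed name)."""


def validate_location(location: str) -> str:
    """Return a normalised relative file path, or raise LocationError."""
    if not location:
        raise LocationError("empty location")
    # Finding 3: a scheme or host (http://target2/) asks for a remote
    # resource, not a local document.
    parts = urlsplit(location)
    if parts.scheme or parts.netloc:
        raise LocationError("scheme or host present; only relative paths allowed")
    # NED runs on Windows, so treat backslashes as separators before normalising.
    candidate = location.replace("\\", "/")
    if candidate.startswith("/") or "\x00" in candidate:
        raise LocationError("absolute path or NUL byte in location")
    # Finding 2: '.' names the web-root itself, a trailing '/' names a
    # directory, and a leading '..' after normalisation walks out of the root.
    normalised = posixpath.normpath(candidate)
    if normalised in (".", "..") or normalised.startswith("../"):
        raise LocationError("directory or parent reference rejected")
    if candidate.endswith("/"):
        raise LocationError("directories cannot be retrieved")
    return normalised


def is_rejected(location: str) -> bool:
    """True if validate_location refuses the value (useful for audits)."""
    try:
        validate_location(location)
    except LocationError:
        return True
    return False


def resolve_document(location: str, docs_root: Path) -> Path:
    """Map a validated location onto an existing regular file under docs_root."""
    relative = validate_location(location)
    root = docs_root.resolve()
    target = (root / relative).resolve()
    # Re-check after symlink resolution: the file must still be inside the
    # root and must be a regular file, so a listing can never be produced.
    if root not in target.parents:
        raise LocationError("resolved path escapes the docs root")
    if not target.is_file():
        raise LocationError("not a regular file")
    return target


def demo() -> dict:
    """Exercise the resolver against a throwaway docs tree (constructed data)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        (root / "manual").mkdir()
        (root / "manual" / "index.html").write_text("<html>doc</html>")
        for loc in ("manual/index.html", "manual\\index.html", ".", "manual/",
                    "../Web-inf/web.xml", "http://target2/"):
            try:
                results[loc] = resolve_document(loc, root).relative_to(root).as_posix()
            except LocationError as exc:
                results[loc] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for loc, outcome in demo().items():
        print(f"{loc!r:28} -> {outcome}")
```

    The two-stage check matters: string normalisation alone cannot see symlinks
    or decide whether a name is a file, and filesystem checks alone would still
    let a scheme-bearing value reach whatever fetches remote URLs.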

    Vendor Response:
    "Nokia has analyzed the three vulnerabilities in NED 5.0 that @stake has
    discovered, and finds them only to have consequences under exceptional
    circumstances.

    Exceptional circumstances meant here are potential intruders (outsiders or
    own personnel) who have accessed the telecom operators' production/O&M
    network without authorization.

    Telecom operators' production networks and especially O&M networks are
    isolated from other internal networks and public internet and operators'
    own O&M personnel are considered trustworthy. Thus Nokia will not provide
    any hot fixes (patches or workaround) at this moment but will inform
    telecom operator customers about the potential vulnerabilities and will
    remedy a defect in the next NED 5.1 release upgrades at the beginning of
    the next year."

    Recommendation:
    Look for the Nokia upgrades at the beginning of 2004. In addition,
    operators should look to deploy additional network-based access control
    around devices that have NED deployed on them.
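    Network-based access control around NED hosts pairs naturally with watching
    the web server logs for the three request patterns described above. The
    script below is an added example, not part of the advisory and not Nokia's
    or @stake's tooling: it scans constructed IIS-style W3C log lines for a
    reflected script tag in the path, a `location` that names a directory, and a
    `location` carrying a scheme or host. The field order, the sample addresses
    and timestamps, and the `target2` host are all assumptions. It goes slightly
    beyond the advisory's single '.' case by flagging any location segment that
    is '.' or '..'.

```python
"""Detect requests matching the three NED findings in IIS-style web logs.

Added example (not from the advisory, Nokia or @stake). The log lines are
constructed in W3C extended format; the field order is an assumption, so
adapt parse_line() to whatever the deployed server actually writes.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed field order (matches the #Fields header in the constructed sample).
FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status")

# Constructed sample: one benign retrieve, then one line per finding plus a
# '..' variant of the directory case.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-09-16 14:02:11 10.1.2.3 GET /docs/NED action=retrieve&location=manual/index.html 200
2003-09-16 14:02:15 10.1.2.3 GET /docs/%3Cscript%3Ealert('x');%3C/script%3E - 404
2003-09-16 14:03:01 10.1.2.9 GET /docs/NED action=retrieve&location=. 200
2003-09-16 14:03:40 10.1.2.9 GET /docs/NED action=retrieve&location=http://target2/ 200
2003-09-16 14:04:02 10.1.2.9 GET /docs/NED action=retrieve&location=..%5CWeb-inf%5Cweb.xml 200
"""

# Finding 1: a script tag reflected from the path. The advisory's own example
# is written '< script>', so whitespace after '<' is tolerated.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script", re.IGNORECASE)


def parse_line(line: str):
    """Split one W3C log line into a dict; None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    values = line.split()
    if len(values) != len(FIELDS):
        return None
    return dict(zip(FIELDS, values))


def classify(record: dict) -> list:
    """Return the finding tags that a single request record matches."""
    tags = []
    stem = unquote(record["cs-uri-stem"])
    # IIS writes '-' for an empty query string.
    query = "" if record["cs-uri-query"] == "-" else record["cs-uri-query"]
    if SCRIPT_TAG.search(stem) or SCRIPT_TAG.search(unquote(query)):
        tags.append("xss-reflection")
    # Only NED's own retrieve endpoint carries the location parameter.
    if stem.lower().endswith("/ned"):
        for location in parse_qs(query).get("location", []):
            location = unquote(location).replace("\\", "/")
            parts = urlsplit(location)
            # Finding 3: a scheme or host means NED is being used as a proxy.
            if parts.scheme or parts.netloc:
                tags.append("open-proxy")
            # Finding 2: '.' lists the web-root; '..' segments name directories
            # above it (generalising the advisory's single '.' case).
            elif any(seg in (".", "..") for seg in location.split("/")):
                tags.append("directory-reference")
    return tags


def scan(log_text: str) -> list:
    """Return one finding per log line that matches at least one pattern."""
    findings = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        tags = classify(record)
        if tags:
            findings.append({"time": record["time"], "c-ip": record["c-ip"],
                             "uri": record["cs-uri-stem"], "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["c-ip"], ",".join(f["tags"]), f["uri"])
```

    Decoding before matching is the important detail: the script tag and the
    backslashes arrive percent-encoded, and a match on the raw line would miss
    them. Hits on the NED endpoint from addresses outside the O&M management
    range are the ones worth escalating.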

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    www.atstake.com/research/advisories/2003/a091503-1.txt

    The information has been provided by @stake Advisories
    (advisories@atstake.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
