[NEWS] AlterPath Manager Information Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 03/13/05

    To: list@securiteam.com
    Date: 13 Mar 2005 19:46:44 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      AlterPath Manager Information Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    "Cyclades' <http://www.cyclades.com/products/25/alterpath_manager>
    AlterPath Manager is a consolidated Out-of-Band Infrastructure manager
    that addresses the need to deploy, manage and connect to out-of-band
    access devices such as serial console servers, KVM and KVM over IP
    switches, intelligent power distribution units and embedded out-of-band
    management agents such as IPMI processors."

    Multiple vulnerabilities have been found in AlterPath Manager. They allow
    a remote attacker to disclose sensitive information, access other people's
    consoles and gain elevated privileges.

    DETAILS

    Vulnerable Systems:
     * AlterPath Manager version 1.2.1.

    Information Disclosure:
    The APM web interface reveals the following information: Boot Version,
    Kernel Version, Config Version, OS Version, AP Version, and Hardware
    information. This information could be valuable to attackers, and is
    available on the web interface on the /about.html web page without
    authentication.

    Arbitrary Console Connection:
    Access restrictions in the AlterPath Manager prevent users from accessing
    consoles they are not allowed to connect to. However, this can be bypassed
    by simply specifying any console's name in the consoleConnect.jsp URL.
    Once the URL is changed and the page is loaded, the user will be taken
    directly to the console. Substitute "console_name" with the system's
    console name.

    Example URL:
    /usermode/consoleConnect.jsp?consolename=console_name

    Privilege Escalation:
    Any authorized user of the AlterPath Manager web interface can grant
    themselves administrator access. When saveUser.do is called, it does not
    confirm the user has access to modify their own (or other users')
    privileges. By changing the adminUser value to "true" in the save user
    program's URL, the user account will be saved and granted administrative
    privileges. In the URL below, replace my_id, My+name, email and other user
    information as desired. Set adminUser equal to "true" to grant
    escalated privileges to the user identified by userId (userId is an
    internal Cyclades identifier; it can be found in certain AlterPath Manager
    URLs or HTML pages).
    Example URL:
    /application/saveUser.do?userId=9&password=&userName=my_id&fullName=My+name&department=Security&location=Work&phone=555-1212&mobile=&pager=&email=test%40example.com&status=Enable&localPassword=true&adminUser=true&forward=&action=Save
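
    Both the console bypass and the privilege escalation above come down to authorization decisions the server never makes on the request itself. The following Python model is an added illustration, not Cyclades code and not part of the original advisory; it shows the per-request checks such handlers need, using hypothetical names (Session, CONSOLE_ACL, USERS, connect_console, save_user) and constructed sample data.

```python
# Added illustration, not vendor code: the server-side checks both handlers lack.
# Session, CONSOLE_ACL, USERS and the function names are hypothetical.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

class Forbidden(Exception):
    """Raised when the session user is not authorized for the request."""

@dataclass
class Session:
    user_id: int
    is_admin: bool

# Constructed sample data: per-user console ACL and stored user records.
CONSOLE_ACL = {9: {"lab-router"}, 1: {"lab-router", "core-switch"}}
USERS = {1: {"userName": "root_admin", "adminUser": True},
         9: {"userName": "my_id", "adminUser": False}}
# Profile fields a non-admin may change, and only on their own record.
SELF_EDITABLE = {"fullName", "department", "location", "phone", "mobile", "pager", "email"}

def params(url):
    """Return the single-valued query parameters of a request URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}

def connect_console(session, url):
    """consoleConnect.jsp: enforce the ACL on the request, not only in the menu."""
    name = params(url).get("consolename", "")
    if name not in CONSOLE_ACL.get(session.user_id, set()):
        raise Forbidden(f"user {session.user_id} may not open {name!r}")
    return name

def save_user(session, url):
    """saveUser.do: allowlist writable fields by role; extra fields are dropped."""
    p = params(url)
    target = int(p["userId"])
    if session.is_admin:
        allowed = SELF_EDITABLE | {"userName", "status", "adminUser"}
    elif target == session.user_id:
        allowed = SELF_EDITABLE  # adminUser in the request is ignored
    else:
        raise Forbidden("non-admin may not edit another user")
    record = USERS[target]
    for key in p.keys() & allowed:
        record[key] = (p[key] == "true") if key == "adminUser" else p[key]
    return record
```

    The identity and role come from the server-side session, never from request parameters; a production handler would also log the dropped adminUser field as a tampering signal.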

    Workaround:
    The Cyclades AlterPath Manager software version 1.2.5 will address these
    issues when released. For older versions, it may be possible to disable
    the web interface and connect to consoles via SSH only.

    Disclosure Timeline:
     * 12.13.04 Vendor notification.
     * 01.20.05 Vendor response.
     * 02.15.05 Vendor stated they still did not have a release date.
     * 02.23.05 Public release.

    ADDITIONAL INFORMATION

    The information has been provided by Sullo <sullo@cirt.net>.
    The original article can be found at:
    http://www.cirt.net/advisories/alterpath_disclosure.shtml


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

