[NEWS] Neteyes Nexusway's Weak Authentication, Shell Escaping and Command Execution
From: SecuriTeam (support_at_securiteam.com)
Date: 05/17/05
To: list@securiteam.com Date: 17 May 2005 11:15:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Neteyes Nexusway's Weak Authentication, Shell Escaping and Command
Execution
------------------------------------------------------------------------
SUMMARY
"The <http://www.neteyes.com.tw> NexusWay is a Multiservice Border
Gateway that provides the Multiaccess and Multiservice capabilities in the
border segment of an enterprise network."
Neteyes Nexusway contains multiple vulnerabilities. By exploiting them, a
malicious attacker can gain full control over the product.
DETAILS
Weak Authentication in Web Module:
By sending crafted HTTP cookies, any user with access to port 443 on
Neteyes Nexusway can become the Neteyes Nexusway administrator. This
allows the user to change any configuration on the device.
Example:
# curl -k -b 'cyclone500_write=1; cyclone500_auth=1;
client_ip1;client=0.0.0.0' https://192.168.1.135/index.cgi
Escaping to Operating System Shell in SSH Module:
A user with access to the SSH module may be able to access a shell or
execute any command with "root" privileges on Neteyes Nexusway by sending
a crafted argument to certain commands. This allows the user to do
anything on the device.
Example:
> ping ;sh
> traceroute ;sh
Command Execution in Web Module:
Any user with access to port 443 on Neteyes Nexusway is able to fully
control the device by sending a specially crafted packet to certain
administration scripts. The web server runs as "root" on these devices.
Example:
https://192.168.1.135/nslookup.cgi?ip=localhost%26%26cat+/stand/htdocs/config/admin
https://192.168.1.135/ping.cgi?ip=localhost%26%26touch+/tmp/test
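Added example, not part of the advisory and not the vendor's code: both the SSH examples ("ping ;sh") and the web examples ("ip=localhost%26%26...") indicate that the target argument reaches a shell unfiltered. The Python sketch below shows the defensive pattern for both entry points, validating the target and building an argv list that never passes through a shell. The helper names (valid_target, build_argv, from_query, from_cli) are hypothetical, and it assumes tools that honour the getopt "--" convention.

```python
import ipaddress
import re
from typing import List, Optional
from urllib.parse import parse_qs

# One DNS label: letters, digits, hyphen; never starts or ends with a hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Assumed tool set; fixed options only, nothing taken from the request.
_TOOLS = {"ping": ["ping", "-c", "1"], "traceroute": ["traceroute"]}


def valid_target(value: str) -> bool:
    """Accept only an IP address literal or a plain DNS hostname."""
    if "%" in value:  # IPv6 zone ids may hold arbitrary text; refuse them
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    # fullmatch, not match with "$": "$" would let a trailing newline through.
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def build_argv(tool: str, target: str) -> Optional[List[str]]:
    """Return an argv list for subprocess.run(argv) (no shell), or None."""
    if tool not in _TOOLS or not valid_target(target):
        return None
    # "--" ends option parsing, so the target is never read as a flag.
    return _TOOLS[tool] + ["--", target]


def from_query(tool: str, query_string: str) -> Optional[List[str]]:
    """Web path: take exactly one 'ip' parameter from a CGI query string."""
    values = parse_qs(query_string).get("ip", [])
    return build_argv(tool, values[0]) if len(values) == 1 else None


def from_cli(line: str) -> Optional[List[str]]:
    """Restricted-shell path: '<tool> <target>' typed at the device prompt."""
    tool, _, target = line.strip().partition(" ")
    return build_argv(tool, target.strip())


if __name__ == "__main__":
    # Inputs taken from the advisory's examples, plus one benign request.
    for q in ("ip=localhost%26%26touch+/tmp/test", "ip=192.168.1.135"):
        print(q, "->", from_query("ping", q))
    print("ping ;sh ->", from_cli("ping ;sh"))
```

Input validation is the first layer only; running the web server and the diagnostic tools as an unprivileged user rather than "root" limits what any remaining bug can reach.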
Workaround:
Disable the web-based administration module.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:pokleyzz@scan-associates.net> pokley.