[NEWS] Alcatel-Lucent OmniSwitch Stack Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Alcatel-Lucent OmniSwitch Stack Buffer Overflow
------------------------------------------------------------------------


SUMMARY

A stack overflow vulnerability in Alcatel-Lucent's web interface allows
remote attackers to cause it to crash by sending it a malformed HTTP
request.

DETAILS

Vulnerable Systems:
* Alcatel-Lucent OmniSwitch OS7000
* Alcatel-Lucent OmniSwitch OS6600
* Alcatel-Lucent OmniSwitch OS6800
* Alcatel-Lucent OmniSwitch OS6850
* Alcatel-Lucent OmniSwitch OS9000
* AOS version 5.4.1.396.R01

A stack-based buffer overflow was discovered within the Alcatel OmniSwitch
product line. The overflow is in the Agranet-Emweb embedded management web
server and can be exploited remotely without user authentication. The
vulnerability can be triggered on a 6200-24 running AOS Version
5.4.1.396.R01 by sending 2392 bytes in the HTTP header "Cookie: Session=".
This appears to overwrite a return address on the stack, giving the attacker
control of the instruction pointer. The number of bytes needed to trigger
the overflow varies between AOS versions.
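
The following is an added example, not code from the advisory, the vendor or the Emweb server: a C sketch of a length-checked extraction of the "Session" cookie value, the kind of bounds check that prevents this class of overflow. The names get_session_cookie, status_for_value_len and SESSION_MAX, the 64-byte limit and the status codes are assumptions made for illustration.

```c
#include <string.h>
#include <strings.h>
#define SESSION_MAX 64 /* assumed session-id bound; not from the advisory */
enum { COOKIE_OK = 0, COOKIE_ABSENT = -1, COOKIE_TOO_LONG = -2 };

/* Copy the "Session" cookie value from a raw request head into out[outsz].
 * An oversized value is rejected outright, never copied or truncated. */
int get_session_cookie(const char *req, size_t len, char *out, size_t outsz)
{
    static const char hdr[] = "Cookie:", key[] = "Session=";
    const size_t hl = sizeof hdr - 1, kl = sizeof key - 1;
    const char *p = req, *end = req + len;
    if (outsz == 0) return COOKIE_TOO_LONG;
    out[0] = '\0';
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        const char *le = eol ? eol : end; /* end of this header line */
        if ((size_t)(le - p) >= hl && strncasecmp(p, hdr, hl) == 0) {
            for (const char *v = p + hl; v + kl <= le; v++) {
                /* the key must start a cookie pair, e.g. not "XSession=" */
                if ((v[-1] != ':' && v[-1] != ';' && v[-1] != ' ') ||
                    memcmp(v, key, kl) != 0) continue;
                const char *e = (v += kl);
                while (e < le && *e != ';' && *e != '\r') e++;
                size_t n = (size_t)(e - v);
                if (n >= outsz) return COOKIE_TOO_LONG; /* check before copy */
                memcpy(out, v, n);
                out[n] = '\0';
                return COOKIE_OK;
            }
        }
        if (!eol) break;
        p = eol + 1;
    }
    return COOKIE_ABSENT;
}
/* Constructed input: a request head whose Session value is n filler bytes. */
int status_for_value_len(size_t n)
{
    static const char head[] = "GET / HTTP/1.0\r\nCookie: Session=";
    static char req[4096];
    char out[SESSION_MAX];
    size_t off = sizeof head - 1;
    if (n > sizeof req - off - 4) return COOKIE_ABSENT; /* helper's own bound */
    memcpy(req, head, off);
    memset(req + off, 'A', n);
    memcpy(req + off + n, "\r\n\r\n", 4);
    return get_session_cookie(req, off + n + 4, out, sizeof out);
}
int main(void) { return status_for_value_len(2392) == COOKIE_TOO_LONG ? 0 : 1; }
```

The same length test can serve as a filtering rule on a proxy placed in front of the management interface until the AOS upgrade is installed.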

Solution:
1. Install AOS upgrades as recommended by the vendor, found at:
http://www1.alcatel-lucent.com/psirt/statements/2008002/OmniSwitch.htm;jsessionid=RBKEJUVX4EVHRLAWFRSHJH3MCYWGQTNS
2. Disable Web services on OmniSwitch products

Time Table:
05/21/2008 - Reported Vulnerability to Vendor.
06/27/2008 - Vendor acknowledged the vulnerability
08/06/2008 - Vendor published hot fix


ADDITIONAL INFORMATION

The information has been provided by Deral Heiland (dh@xxxxxxxxxxxxxxxxxx).


