Nortel's new Contivity seris extranet switches give administrators the ability to enable a small HTTP server and use Nortel's web based administration utility to handle configuration and maitenance. The server runs atop the VxWorks operating system and is located in the directory /system/manage. A CGI application, /system/manage/cgi/cgiproc that is used to display the administration html pages does not properly authenticate users prior to processing requests. An intruder can view any file on the switch without logging in.
e6470da7422c75f82642fd4a9d29e044d0ee71eaad5f6c6e169743abe355b388
<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<BODY BGCOLOR="#000000" TEXT="#FFFFFF"><PRE>
<FONT COLOR="#CC0000">COMMAND</FONT>
Nortel's switches
<FONT COLOR="#CC0000">SYSTEMS AFFECTED</FONT>
Nortel's new Contivity seris extranet switches
<FONT COLOR="#CC0000">PROBLEM</FONT>
John Daniele found following. Nortel's new Contivity seris
extranet switches give administrators the ability to enable a
small HTTP server and use Nortel's web based administration
utility to handle configuration and maitenance. The server runs
atop the VxWorks operating system and is located in the directory
/system/manage. A CGI application, /system/manage/cgi/cgiproc
that is used to display the administration html pages does not
properly authenticate users prior to processing requests. An
intruder can view any file on the switch without logging in.
Method of exploitation? Pretty much a no brainer:
<FONT COLOR="#00FF00">
http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.
</FONT>
(interesting places to look: /system/filelist.dat,
/system/version.dat, /system/keys, /system/core, etc.)
The only entry found in the event/security logs after exploitation
is this:
<FONT COLOR="#00FF00">
09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login
</FONT>
Also, this same application does not properly escape
metacharacters such as '$', '!', resulting in total system crash:
<FONT COLOR="#00FF00">
http://x.x.x.x/manage/cgi/cgiproc?$
</FONT>
Nothing is found in the security/event logs after reboot. This
was tested on a Contivity 2500 running version 2.6 of the VxWorks
OS. However, the cgiproc application has been (guess) part of the
package since their initial release, therefore earlier versions
may also be affected.
<FONT COLOR="#CC0000">SOLUTION</FONT>
Nortelwas contacted and opened a case (CR# 118887 - cgiproc 'bug',
CR# 118890 - DoS). A patch has been developed and is scheduled to
be released with their next shipment of the VxWorks package.
Those administrators that have properly configured the switch, and
placed adequate access control/filtering rules on the managemnt
virtual ip should not have any immediate concerns.
</PRE></BODY>
</HTML>