Multiple Vulnerabilities in the Adtran Netvanta 7100
Impact: Multiple Local and Remote Compromise, XSS and
other Injection Attacks
Version(s): firmware prior to R10.5.3.HA
Author: J. Oquendo (joquendo at e-fensive dot net)


I. ADVISORY

Title: Multiple Vulnerabilities in Adtran Netvanta 7100
Date published: 2013-09-18
Vendor contacted in 2011

CVE-2013-5210 Remote Code Injection via XSS


II. BACKGROUND

The Adtran Netvanta 7100 (NV7100) is an "Office in a Box"
appliance offering data and VoIP services on a single
platform. In October 2011, I discovered there were some
vulnerabilities in the platform and contacted the vendor.
The initial disclosure revolved primarily around cross
site scripting attacks, where via crafted URIs an attacker
would have been able to trick users into performing a
variety of attacks, local to the users machine, or, if
given enough privileges, re-directed back to the NV7100.
After disclosing the issue, Adtran began fixing up these
initial issues however, in parallel, I then found others
which were similar in nature, but affecting other areas
of the NV7100.


II. DESCRIPTION

For a description of XSS, injection attacks, authentication
bypass, please see OWASP material on this subject.

https://www.owasp.org/index.php/Testing_for_Bypassing_Authentication_Schema_%28OWASP-AT-005%29
https://www.owasp.org/index.php/XSS

The NV7100's main issue (and the reason for the LONG release
of a patch) revolved around userapp/loginAction.html where
an attacker was able to inject code regardless of
authenticating. In the initial report, there was some
miscommunication on my behalf, as well as some vendor
misinterpretation of what was occurring. An attacker DOES
NOT NEED credentials to pull off a successful attack and
no POC code will be made publicly available to demonstrate.
The vendor was given a video that illustrated the who,
what, when, where and why.

III SOLUTION

Adtran released a firmware update, and advisory of their
own to resolve this issue however, in the interim, these
appliances should NEVER face the public internet, and
should be isolated via VLANs or firewalls to minimize abuse.

https://supportforums.adtran.com/docs/DOC-6414


IV. TOOLS USED

Wikto, Burpsuite, WVS, perl kung fu, Firefox

V. History

This was reported in 2011 and throughout the past two years,
Adtran has been fixing the issues I have been coming across.
Initially, the advisory began with over 52 different means
of attacks and over the course of two years, Adtran has
diligently addressed each and every vulnerability, as
recently as August 2013. While I would have preferred
placing a timeline, the reality is, two years is a long time
to go back and forth with a vendor on security issues.

VI. Renegotiation

There was also an SSL renegotation issue that was discovered
and addressed during the process of sorting out the XSS
issues. 

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF