@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Nokia Electronic Documentation - Multiple Vulnerabilities
Release Date: 09/15/2003
Application: NED (Nokia Electronic Documentation)
Platform: Windows NT4 and WebLogic tested (others may be susceptible)
Severity: Information disclosure / cross-site scripting / open proxy
Authors: Ollie Whitehouse
Vendor Status: Informed / Statement Below
CVE Candidate: (pending) Multiple Nokia Electronic Documentation Issues
Reference: www.atstake.com/research/advisories/2003/a091503-1.txt

Overview:

Nokia (http://www.nokia.com) provides a web-based documentation interface called NED for a number of its cellular network products. @stake has discovered three vulnerabilities in this product:

- Cross-site scripting
- Directory listing of certain directories under the web-root
- Being able to use NED as a proxy server for HTTP requests

Normally, NED deployments are within the OAM/O&M networks of the cellular operator. However, as @stake discussed in the white paper 'GPRS Wireless Security: Not Ready for Prime Time' (http://www.atstake.com/research/reports/acrobat/atstake_gprs_security.pdf), these networks can be exposed to risks which are not normally within the operator's risk profile.

Details:

The following examples are from a standard NED installation, which in @stake's experience runs on NT4/IIS 3.0.

1) Cross-site scripting

A very simple cross-site scripting vulnerability exists. For example, if an attacker makes the following request:

http://target/docs/

this will cause the malicious code to run in the attacker's browser if JavaScript is enabled.

2) Directory Listings

It is possible to cause the underlying application server (WebLogic) to return a directory listing of the web-root. This is achieved by simply supplying a '.' as the location to the NED application. For example:

http://target/docs/NED?action=retrieve&location=.

In addition, this will also return the physical path that NED is installed on, which is by default:

'e:\nemu\platform\active\docs\ned\Web-inf\special\'

3) Open Proxy

By specifying a location which contains the HTTP protocol URI, as in the example URL below, one can cause NED to retrieve the page in question and deliver its contents back. This can potentially be used to launch attacks against hosts that the NED server may have access to but the attacker does not (for example in a DMZ deployment).

http://target/docs/NED?action=retrieve&location=http://target2/

Vendor Response:

"Nokia has analyzed the three vulnerabilities in NED 5.0 that @stake has discovered, and finds them only to have consequences under exceptional circumstances. Exceptional circumstances meant here are potential intruders (outsiders or own personnel) who have accessed the telecom operator's production/O&M network without authorization. Telecom operators' production networks and especially O&M networks are isolated from other internal networks and the public internet, and also operators' own O&M personnel are considered to be trustworthy. Thus Nokia will not provide any hot fixes (patches or workaround) at this moment but will inform telecom operator customers about the potential vulnerabilities and will remedy the defect in the next NED 5.1 release upgrades at the beginning of the next year."

Recommendation:

Look for the Nokia upgrades at the beginning of 2004. In addition, operators should look to deploy additional network-based access control around devices that have NED deployed on them.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
(pending) Multiple Nokia Electronic Documentation Issues

@stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/
@stake Advisory Archive: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.
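Since the vendor offered no hot fix, an operator's practical options are the network-based access control recommended above and watching for the request patterns from the Details section in web-server logs. The following Python is an added example (not part of the @stake advisory or of Nokia's product) that scans access logs for NED 'retrieve' requests whose location parameter is '.' (the directory-listing case, including its './' and percent-encoded variants) or carries a URL scheme (the open-proxy case). The log lines and the simplified W3C/IIS-style field layout are constructed for this example; adjust the field positions to match the real log format.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample lines in a simplified W3C/IIS layout:
# date time c-ip method uri-stem uri-query sc-status
SAMPLE_LOG = """\
2003-09-15 10:01:02 192.0.2.10 GET /docs/NED action=retrieve&location=nokia/ned/index.html 200
2003-09-15 10:01:09 192.0.2.10 GET /docs/NED action=retrieve&location=. 200
2003-09-15 10:02:31 192.0.2.55 GET /docs/NED action=retrieve&location=http://target2/ 200
2003-09-15 10:03:00 192.0.2.55 GET /docs/NED action=retrieve&location=%2e 200
2003-09-15 10:04:12 192.0.2.77 GET /docs/index.html - 200
"""

# Any value starting with a URL scheme would make NED fetch it from another host.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def classify_location(location: str) -> Optional[str]:
    """Classify a URL-decoded NED 'location' value; None means it looks benign."""
    loc = location.strip()
    # Advisory item 3: a scheme turns NED into a proxy for the named host.
    if SCHEME_RE.match(loc):
        return "open-proxy"
    # Advisory item 2: '.', './' or decoded '%2e' all resolve to the web-root itself.
    if posixpath.normpath(loc) == ".":
        return "dir-listing"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, abuse_class, location) for each suspicious NED request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        _date, _time, client, _method, stem, query, _status = parts[:7]
        if not stem.lower().endswith("/ned") or query == "-":
            continue
        # parse_qs percent-decodes values, so '%2e' arrives in classify_location as '.'
        params = parse_qs(query, keep_blank_values=True)
        if params.get("action", [""])[0].lower() != "retrieve":
            continue
        for loc in params.get("location", []):
            kind = classify_location(loc)
            if kind is not None:
                hits.append((client, kind, loc))
    return hits
```

Run scan_log over the real log text and forward the hits to whatever alerting the O&M network already uses; a hit on the open-proxy class also names the internal host the request tried to reach.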