The Cyclades AlterPath Manager (APM) Console Server is sold to "perform secure remote management of IT assets from anywhere in the world." It provides individual user logins, and allows the APM administrator to restrict users to specific consoles. However, a basic review of the APM management web interface revealed design flaws that could expose restricted consoles to unauthorized APM users, allow any APM user to obtain administrative privileges, and provide detailed system information to unauthorized users. Vendor: http://www.cyclades.com/ Product: AlterPath Manager (APM) Version: 1.2.1 Details: 1) OSVDB-14073: Cyclades AlterPath Manager Information Disclosure The APM web interface reveals the following information: Boot Version, Kernel Version, Config Version, OS Version, AP Version, and Hardware information. This information could be valuable to attackers, and is available on the web interface on the /about.html web page without authentication. - Reference: http://www.cirt.net/advisories/alterpath_disclosure.shtml - Reference: http://www.osvdb.org/14073 2) OSVDB-14075: Cyclades AlterPath Manager consoleConnect.jsp Arbitrary Console Connection Access restrictions in the APM prevent users from seeing consoles they are no allowed to connect to. However, this can be bypassed by simply specifying any console's name in the consoleConnect.jsp URL. Once the URL is changed and the page is loaded, the user will be taken directly to the console. Substitute "console_name" with the system’s console name (as defined in the APM). - Example URL: /usermode/consoleConnect.jsp?consolename=console_name - Reference: http://www.cirt.net/advisories/alterpath_console.shtml - Reference: http://www.osvdb.org/14075 3) OSVDB-14074: Cyclades AlterPath Manager saveUser.do Privilege Escalation Any authorized user of the APM web interface can grant themselves administrator access. When saveUser.do is called, it does not confirm the user has access to modify their own (or other user’s) privileges. By changing the adminUser value to "true" in the save user program’s URL, the user account will be saved and granted administrative privileges. In the URL below, replace my_id, My+name, email and other user information as desired. Set the adminuser equal to "true" to grant escalated privileges to the user identified by userID (userID is an internal Cyclades identifier--it can be found in certain APM URLs or HTML pages). - Example URL: /application/saveUser.do?userId=9&password=&userName=my_id&fullName=My+name&department=Security&location=Work&phone=555-1212&mobile=&pager= &email=test%40example.com&status=Enable&localPassword=true&adminUser=true&forward=&action=Save - Reference: http://www.cirt.net/advisories/alterpath_privesc.shtml - Reference: http://www.osvdb.org/14074 Resolution: The Cyclades APM software version 1.2.5 will address these issues when released. -- http://www.cirt.net/ | http://www.osvdb.org/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html