[<prev] [next>] [day] [month] [year] [list]
Message-ID: <45CF8D7B.1030905@wolfgarten.com>
Date: Sun, 11 Feb 2007 22:41:15 +0100
From: Sebastian Wolfgarten <sebastian@...fgarten.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Arbitrary file disclosure vulnerability in IP3 NetAccess < 4.1.9.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I - TITLE
Security advisory: Arbitrary file disclosure vulnerability in
IP3 NetAccess leads to full system compromise
II - SUMMARY
Description: Arbitrary file disclosure vulnerability in IP3 NetAccess
leads to full system compromise
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)
Date: February 11th, 2007
Severity: High
References: http://www.devtarget.org/ip3-advisory-02-2007.txt
III - OVERVIEW
IP3's NetAccess is a device created for high demand environments such as
convention centers or hotels. It handles the Internet access and
provides for instance firewalling, billing, rate-limiting as well as
various authentication mechanisms. The device is administrated via SSH
or a web-based GUI. Further information about the product can be found
online at http://www.ip3.com/poverview.htm.
IV - DETAILS
Due to inproper input validation, all NetAccess devices with a firmware
version less than 4.1.9.6 are vulnerable to an arbitrary file disclosure
vulnerability. This vulnerability allows an unauthenticated remote
attacker to abuse the web interface and read any file on the remote
system. Due to the fact that important system files are world-readable
(see bid #17698), this does include /etc/shadow and thus leads to a full
compromise of the device! In addition an attacker is able to gain access
to the proprietary code base of the device and potentially identify as
well as exploit other (yet unknown) vulnerabilities.
V - EXPLOIT CODE
The trivial vulnerability can be exploited by accessing the file
"getfile.cgi" with a relative file path such as
http://$target/portalgroups/portalgroups/getfile.cgi?filename=../../../../../../../../etc/shadow
As the input to the "filename" parameter is not properly validated
accessing this URL will disclose the contents of /etc/shadow to a remote
attacker.
VI - WORKAROUND/FIX
To address this problem, the vendor has released a new firmware version
(4.1.9.6) which is available at http://www.ip3.com. Hence all users of
IP3's NetAccess devices are asked to install this version immediately.
As a temporary workaround, one may also limit the accessibility of the
web interface of the device to authorized personnel only. Nevertheless
contacting the vendor and installing the new firmware version is highly
recommended!
VII - DISCLOSURE TIMELINE
31. December 2006 - Notified vendor
31. December 2006 - Vulnerability confirmed
17. January 2007 - Patch released
11. February 2007 - Public disclosure
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFz417d8QFWG1Rza8RAlGdAKCgbw/HBweXPlDQW+T8A7JAagrPWQCeKetH
EJAG2aGxvYbSTMH/n6Sd9sc=
=nMqJ
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists