lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1239804229.6664.37.camel@b4byl0n>
Date: Wed, 15 Apr 2009 14:03:49 +0000
From: Bernhard Mueller <research@...-consult.com>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: SEC Consult SA-20090415-1 :: Nortel Application Gateway 2000
 Password Disclosure Vulnerability

SEC Consult Security Advisory < 20090415-1 >
==========================================================================
              title: Nortel Application Gateway 2000 Password 
                     Disclosure Vulnerability
            program: Nortel Application Gateway 2000
 vulnerable version: 6.3.1 and prior
           homepage: http://www.nortel.com/ag2000
              found: 2008-11-14
                 by: David Matscheko / SEC Consult / www.sec-consult.com
               link:
https://www.sec-consult.com/files/20090415-1_nortel_AG_password_disclosure.txt
==========================================================================

Vendor description:
-------------------

The Application Gateway delivers practical, converged voice and data
applications on Nortel IP phones that enable organizations to benefit
more fully from IP telephony. The prepackaged, easy-to-learn,
easy-to-use Voice Office applications help increase productivity and
enhance organizational communications - without requiring any
integration work. For the hospitality sector, the Guest Services
applications provide additional services/features, generate revenue from
advertising on the phone screen, and reduce the cost of operations by
enabling guests to self serve. Custom development tools are also
available to end customers for delivery of customized content to IP
phones.

[source: http://www.nortel.com/ag2000]


Vulnerability overview:
-----------------------

The Nortel Application Gateway provides an administration interface
"Nortel Administration Tool powered by Citrix". This interface responds
with sensitive information to unauthorized users.


Vulnerability description:
--------------------------

The "Nortel Administration Tool powered by Citrix" can be accessed under
the URL "https://<server>:3001/". The subframe
"https://<server>:3001/adminDownloads.htm" does not show any content in
the browser view. However the HTML-source of this frame contains
sensitive information like an administrative call server user account:

---
<div id="call_server_host" value="10.11.12.13"></div> [...]
<div id="call_server_telnet_port" value="23"></div> [...]
<div id="call_server_user" value="admin123"></div>
<div id="call_server_pwd" value="hugo123"></div>
---


Proof of concept:
-----------------

This vulnerability can be exploited with a web browser and plugins / web
proxy.


Vendor contact timeline:
------------------------

January 2009: Vendor informed about vulnerability
2009-04-14: Patch available


Patch:
------

The vendor has released a vulnerability fix which addresses the issue.
In addition, the vendor has released a public security advisory
containing update instructions. URL:

http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=865005


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ