lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: sullo at cirt.net (Sullo)
Subject: Cyclades AlterPath Manager Vulnerabilities

The Cyclades AlterPath Manager (APM) Console Server is sold to "perform secure
remote management of IT assets from anywhere in the world."  It provides
individual user logins, and allows the APM administrator to restrict users to
specific consoles. However, a basic review of the APM management web interface
revealed design flaws that could expose restricted consoles to unauthorized APM
users, allow any APM user to obtain administrative privileges, and provide
detailed system information to unauthorized users.

Vendor:  http://www.cyclades.com/
Product: AlterPath Manager (APM)
Version: 1.2.1

Details:
1) OSVDB-14073: Cyclades AlterPath Manager Information Disclosure
The APM web interface reveals the following information: Boot Version, Kernel
Version, Config Version, OS Version, AP Version, and Hardware information. This
information could be valuable to attackers, and is available on the web
interface on the /about.html web page without authentication.
   - Reference: http://www.cirt.net/advisories/alterpath_disclosure.shtml
   - Reference:  http://www.osvdb.org/14073

2) OSVDB-14075: Cyclades AlterPath Manager consoleConnect.jsp Arbitrary Console
Connection
Access restrictions in the APM prevent users from seeing consoles they are no
allowed to connect to. However, this can be bypassed by simply specifying any
console's name in the consoleConnect.jsp URL. Once the URL is changed and the
page is loaded, the user will be taken directly to the console. Substitute
"console_name" with the system?s console  name (as defined in the APM).
	- Example URL: /usermode/consoleConnect.jsp?consolename=console_name
	- Reference: http://www.cirt.net/advisories/alterpath_console.shtml
	- Reference: http://www.osvdb.org/14075

3) OSVDB-14074: Cyclades AlterPath Manager saveUser.do Privilege Escalation
Any authorized user of the APM web interface can grant themselves administrator
access. When saveUser.do is called, it does not confirm the user has access to
modify their own (or other user?s) privileges. By changing the adminUser value
to "true" in the save user program?s URL, the user account will be saved and
granted administrative privileges.
In the URL below, replace my_id, My+name, email and other user information as
desired. Set the adminuser equal to "true" to grant escalated privileges to the
user identified by userID (userID is an internal Cyclades identifier--it can be
found in certain APM URLs or HTML pages).
	- Example URL:
/application/saveUser.do?userId=9&password=&userName=my_id&fullName=My+name&department=Security&location=Work&phone=555-1212&mobile=&pager=
&email=test%40example.com&status=Enable&localPassword=true&adminUser=true&forward=&action=Save
	- Reference: http://www.cirt.net/advisories/alterpath_privesc.shtml
	- Reference: http://www.osvdb.org/14074

Resolution:
The Cyclades APM software version 1.2.5 will address these issues when released.



-- 
http://www.cirt.net/      |     http://www.osvdb.org/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ