Home page logo
/

bugtraq logo Bugtraq mailing list archives

[Scan Associates Advisory] Neteyes Nexusway multiple vulnerability
From: pokley <pokleyzz () scan-associates net>
Date: Wed, 11 May 2005 11:46:39 +0800


Product : Neteyes Nexusway (http://www.neteyes.com.tw)
Description: Neteyes Nexusway multiple vulnerability
Severity: Very High

Description
===========
The NexusWay is a Multiservice Border Gateway that provides the
Multiaccess and Multiservice capabilities in the border segment of an
enterprise network.

Detail
======

Weak authentication in web module
---------------------------------
By sending crafted http cookies, any user with access to port 443 on
Neteyes Nexusway may use this vulnerability to become Neteyes Nexusway
admin. This will allow user to change any configuration on this device.

Example:
# curl -k -b 'cyclone500_write=1; cyclone500_auth=1; client_ip1;client=0.0.0.0' https://192.168.1.135/index.cgi

Escaping to Operating System shell in SSH module
------------------------------------------------
User with access to SSH module may able to access Shell or execute any
command as "root" privileges on Neteyes Nexusway by sending crafted
argument in certain command. This will allow user to do anything on this
device.

Example:
        > ping ;sh
        > traceroute ;sh

Remote command execution in web module
--------------------------------------
Any user with access to port 443 on Neteyes Nexusway is able to fully
control Neteyes Nexusway device by sending special crafted packet to
certain administration script. Web server is run as "root" on this devices.

Example:
        https://192.168.1.135/nslookup.cgi?ip=localhost%26%26cat%20/stand/htdocs/config/admin
        https://192.168.1.135/ping.cgi?ip=localhost%26%26touch+/tmp/test

Workaround
==========
Disable Web Administration module


  By Date           By Thread  

Current thread:
  • [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability pokley (May 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault