VocalTec VGW Telephony Gateway Basic Authorization Can Be Bypassed By Remote Users
|
|
SecurityTracker Alert ID: 1009426 |
|
SecurityTracker URL: http://securitytracker.com/id/1009426
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 15 2004
|
Impact:
User access via network
|
Exploit Included: Yes
|
Version(s): 8
|
Description:
Rafel Ivgi (The-Insider) reported some vulnerabilities in the VocalTec Telephony Gateway. A remote user can bypass the authentication process to access ostensibly protected files on the system.
It is reported that a remote user can request the 'home.asp' file with a trailing slash to bypass Basic Authorization. A demonstration exploit URL is provided:
http://<host>/home.asp/
Then, the remote user can supply specially crafted requests to traverse the directory and access files that would otherwise require Basic Authorization. A demonstration exploit URL is provided:
http://<host>/home.asp/../menu.asp
|
Impact:
A remote user can bypass authentication to access protected files on the system.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.vocaltec.com/html/telephony/gateway_4_8.shtml (Links to External Site)
|
Cause:
Authentication error, Input validation error
|
Underlying OS:
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 15 Mar 2004 09:33:31 +0200
Subject: VocalTec Gateway 8 Reverse Directory Transversal + Authorization Bypass
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application VocalTec Gateway
Vendors: http://www.vocaltec.com
Versions: 8
Platforms: Windows
Bug: Reverse Directory Transversal +
Authorization Bypass
Risk: High
Exploitation: Remote with browser
Date: 14 Mar 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
It provides high voice quality and optimized packet voice streaming over
managed and public
(Internet) IP networks. Utilizing a robust, outdoor embedded platform,
VGW4/8 ensures enhanced
reliability and high performance.
VGW4/8 enables users to make local, long distance and international
telephone/fax calls using
existing telephony devices. Calls originating or terminating at a VGW4/8 may
be routed through
a carrier providing a VoIP Virtual Private Network service or over existing
corporate IP data networks.
Product details: http://www.vocaltec.com/html/telephony/gateway_4_8.shtml
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
Upon connecting to the server a "Basic Authorization" login is required.
If it failes there is information disclosure :
-------------------------------------------------------------
Access Error: Unauthorized
when trying to obtain /home.asp
Access to this document requires a User ID
-------------------------------------------------------------
Accessing the given file name again requests a "Basic Authorization" login.
By reffering to the file as a folder the authorization is bypassed.
For Example:
http://<host>/home.asp/
Now after we have bypassed the authorization we can use Reverse Directory
Transversal to
access any "Basic Authorization" protected file.
For Example:
http://<host>/home.asp/../menu.asp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
http://<host>/home.asp/
http://<host>/home.asp/../menu.asp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."
|
|
