SecurityTracker.com

SecurityTracker
Archives
Category:   Application (VPN)  >   Nortel SSL VPN Vendors:   Nortel
Nortel SSL VPN Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting and Command Execution Attacks
SecurityTracker Alert ID:  1015341
SecurityTracker URL:  http://securitytracker.com/id/1015341
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Dec 24 2005
Original Entry Date:  Dec 12 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.2.1.6
Description:   A vulnerability was reported in Nortel SSL VPN. A remote user can conduct cross-site scripting attacks.

The web interface does not properly validate user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary commands to be executed by the target user's browser. The code will originate from the site running the SSL VPN server software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

https://[target]/tunnelform.yaws?a=+cmd.exe+/c+echo+test+%3E+
c:\\test.txt+&type=Custom&sp=443&n=1&ph=&pp=&0tm=tcp&0lh=127.0.0.1&
0lp=8080&0hm=&0rh=10.10.10.10&0rp=80&sslEnabled=on&start=Start...

The vendor was notified on May 30, 2005.

Daniel Fabian of SEC-CONSULT discovered this vulnerability.

The original advisory is available at:

http://www.sec-consult.com/247.html

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SSL VPN server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix as part of maintenance release 5.1.5 of the VPN Gateway.

The vendor's advisory (Document ID 2005006532) is available at:

http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=373488

Vendor URL:  www.nortel.com/
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] SEC Consult SA-20051211-0 :: Nortel SSL VPN Cross

SEC-CONSULT Security Advisory 20051212-0
==========================================================================
                  title: Nortel SSL VPN Cross Site Scripting/Command Execution
                program: Nortel SSL VPN
     vulnerable version: 4.2.1.6
               homepage: www.nortel.com
                  found: 2005-05-30
                     by: Daniel Fabian / SEC-CONSULT / www.sec-consult.com
==========================================================================

Product Description:
---------------

The Nortel SSL VPN is a remote access security solution. By using secure
sockets layer (SSL) as the underlying security protocol, Nortel SSL VPN
allows for using the Internet for remote connectivity and the ubiquitous
Web browser as the primary client interface.


Vulnerability overview:
---------------

Due to insufficient input validation within the appliance's web interface,
it is possible for an attacker to supply his victim with a malicious link
that results in code execution on the victim's client. The problem has
been reproduced with version 4.2.1.6, however other versions might be
vulnerable as well.


Vulnerability details:
---------------

Due to insufficient input validation within the web interface of Nortel's
SSL VPN appliance, it is possible to hide commands in links to certain
pages of the web interface. As the Java Applet which is called from those
web pages is cryptographically signed, it may execute operating system
commands with the privileges of the user sitting in front of the browser.

An attacker can thus supply his victim with a malicious link where
commands are hidden. If the victim clicks on the link and logs onto the
SSL VPN web interface (where it is automatically taken), arbitrary
commands are executed locally on the client of the victim.

Here is an example of a crafted link that executes the command
"cmd.exe /c echo test > c:\\test" (please consider the link one line):

---cut here---

https://SSL_VPN_SERVER/tunnelform.yaws?a=+cmd.exe+/c+echo+test+%3E+
c:\\test.txt+&type=Custom&sp=443&n=1&ph=&pp=&0tm=tcp&0lh=127.0.0.1&
0lp=8080&0hm=&0rh=10.10.10.10&0rp=80&sslEnabled=on&start=Start...

---cut here---
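The two weaknesses the advisory describes, the web interface passing the link's parameters through unchecked and the signed applet then acting on them, are the kind of thing a gateway operator can both enforce against with a strict server-side allowlist and look for in the web server's access log. The Python below is an added example written for this page, not code from Nortel or SEC Consult. It takes the parameter names (a, type, sp, 0tm, 0lh, 0lp, 0rh, 0rp, sslEnabled) from the demonstration link above; their meanings (a as a free-text application label, 0lh/0lp and 0rh/0rp as local and remote host/port), the accepted values for type and 0tm, and the access-log lines are all assumptions constructed for the example.

```python
"""Allowlist validation and access-log review for tunnelform.yaws requests.

Added example for this page, not code from Nortel or SEC Consult. Parameter
names come from the advisory's demonstration link; their meaning and the
accepted values are assumptions made for the example.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# 'a' is treated as a free-text application label: letters, digits, space,
# dot, dash and underscore only. Shell metacharacters, slashes, colons and
# backslashes (all present in the advisory's link) are rejected.
SAFE_LABEL = re.compile(r"[A-Za-z0-9 _.-]{1,64}")
ALLOWED_TYPES = {"Custom"}           # assumption: the only value on the page
ALLOWED_TRANSPORTS = {"tcp", "udp"}  # assumption for the 0tm field
HOSTNAME = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")
# Apache/nginx-style access log: only the request target is needed here.
LOG_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def valid_port(value: str) -> bool:
    """Accept only an ASCII decimal port number in 1..65535."""
    return value.isascii() and value.isdigit() and 1 <= int(value) <= 65535


def valid_host(value: str) -> bool:
    """Accept an IPv4/IPv6 literal or a plain DNS name, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None


def validate_tunnel_query(query: str) -> list:
    """Return the names of the parameters that fail the allowlist (empty = clean).

    The check runs on the decoded values: parse_qs turns '+' into a space and
    '%3E' into '>', so the advisory's 'a' value arrives here with its spaces,
    slashes, '>' and backslashes intact and is rejected by the first test.
    """
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    problems = []
    if SAFE_LABEL.fullmatch(params.get("a", "")) is None:
        problems.append("a")
    if params.get("type") not in ALLOWED_TYPES:
        problems.append("type")
    if not valid_port(params.get("sp", "")):
        problems.append("sp")
    if params.get("0tm") not in ALLOWED_TRANSPORTS:
        problems.append("0tm")
    for host_key in ("0lh", "0rh"):
        if not valid_host(params.get(host_key, "")):
            problems.append(host_key)
    for port_key in ("0lp", "0rp"):
        if not valid_port(params.get(port_key, "")):
            problems.append(port_key)
    if params.get("sslEnabled", "on") not in ("on", "off"):
        problems.append("sslEnabled")
    return problems


def flag_tunnel_requests(log_lines) -> list:
    """Scan access-log lines; return (line_number, failing_params) for every
    tunnelform.yaws request whose query does not pass validate_tunnel_query."""
    flagged = []
    for number, line in enumerate(log_lines, 1):
        match = LOG_REQUEST.search(line)
        if match is None:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith("/tunnelform.yaws"):
            continue
        problems = validate_tunnel_query(target.query)
        if problems:
            flagged.append((number, problems))
    return flagged


# Constructed sample log: one ordinary tunnel request, one shaped like the
# advisory's demonstration link (backslashes percent-encoded), one unrelated.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2005:10:01:02 +0100] "GET /tunnelform.yaws?'
    'a=Intranet+Web&type=Custom&sp=443&n=1&ph=&pp=&0tm=tcp&0lh=127.0.0.1'
    '&0lp=8080&0hm=&0rh=10.10.10.10&0rp=80&sslEnabled=on&start=Start HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Dec/2005:10:03:44 +0100] "GET /tunnelform.yaws?'
    'a=+cmd.exe+/c+echo+test+%3E+c:%5C%5Ctest.txt+&type=Custom&sp=443&n=1&ph=&pp=&0tm=tcp'
    '&0lh=127.0.0.1&0lp=8080&0hm=&0rh=10.10.10.10&0rp=80&sslEnabled=on&start=Start HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/Dec/2005:10:05:10 +0100] "GET /index.yaws HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, problems in flag_tunnel_requests(SAMPLE_LOG):
        print(f"line {number}: rejected parameters {problems}")
```

The allowlist is applied after URL decoding, so it sees the same text the page would hand on rather than the encoded form; a check run on the raw query string would let the '+'-separated demonstration link through. Rejected fields are returned by name so a log-review job can report which parameter broke the rule, and the hostname and port checks give the form-handling code a single place to refuse anything that is not a literal host and a numeric port.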


Vulnerable versions:
---------------

Nortel SSL VPN 4.2.1.6


Patch Status
---------------

According to the vendor, a patch for this vulnerability has been incorporated
into maintenance release v5.1.5 of its VPN Gateway.


Vendor status:
---------------
vendor notified: 2005-05-30
vendor response: 2005-06-21
patch available: 2005-11-15
public disclos.: 2006-12-12


General remarks
---------------

We would like to apologize in advance for potential nonconformities and/or
known issues.

This advisory can also be found online at
http://www.sec-consult.com/247.html.

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to http://www.sec-consult.com/236.html

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 15
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Copyright 2019, SecurityGlobal.net LLC