Alcatel OmniSwitch Management Web Server Stack Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1020657|
SecurityTracker URL: http://securitytracker.com/id/1020657
(Links to External Site)
Updated: Oct 8 2008|
Original Entry Date: Aug 12 2008
Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): prior to 18.104.22.1689.R01, 22.214.171.1243.R02, 126.96.36.1995.R01, 188.8.131.525.R01, 184.108.40.2066.R01|
A vulnerability was reported in Alcatel OmniSwitch. A remote user can execute arbitrary code on the target system.|
A remote user can send a specially crafted "Cookie: Session=" header value to trigger a stack overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.
The vulnerability resides in the Agranet-Emweb embedded management web server.
The following OmniSwitch versions are affected:
The vendor was notified on May 22, 2008.
Deral Heiland of www.LayeredDefense.com reported this vulnerability.
A remote user can execute arbitrary code on the target system.|
The vendor has issued the following fixes (AoS Releases):|
* 220.127.116.119.R01 and above
* 18.104.22.1683.R02 and above
* 22.214.171.1245.R01 and above
* 126.96.36.1995.R01 and above
* 188.8.131.526.R01 and above
The vendor's advisory is available at:
Vendor URL: www1.alcatel-lucent.com/psirt/statements/2008002/OmniSwitch.htm (Links to External Site)
Source Message Contents
Subject: [Full-disclosure] Layered Defense Research Advisory: Alcatel-Lucent|
Layered Defense Research Advisory 12 August 2008
1) Affected Product
Alcatel-Lucent OmniSwitch products
2) Severity Rating:
Impact: Remotely exploitable without authentication.
3) Description of Vulnerability
A stack based buffer overflow was discovered within Alcatel
OmniSwitch product line.
This buffer overflow was discovered within the Agranet-Emweb embedded
management web server and can be exploited remotely without user
The vulnerability can be triggered on a 6200-24 running AOS Version
184.108.40.2066.R01 by sending 2392 bytes in the http header "Cookie:
Session=" This appears to overwrite a return address on the stack
giving the attacker control of the instruction pointer. The amount of
bytes needed to trigger the overflow varies between AOS versions.
1. Install AOS upgrades as recommended by Vendor
2. Disable Web services on OmniSwitch products
5) Time Table:
05/21/2008 Reported Vulnerability to Vendor.
06/27/2008 Vendor acknowledged the vulnerability
08/06/2008 Vendor published hot fix
6) Credits Discovered by Deral Heiland, www.LayeredDefense.com
8) About Layered Defense Layered Defense, Is a group of security
professionals that work together on ethical Research, Testing and
Training within the information security arena. http://www.layereddefense.com
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/