COMMAND

    Nortel's switches

SYSTEMS AFFECTED

    Nortel's new Contivity series extranet switches

PROBLEM

    John Daniele found the following.  Nortel's new Contivity series
    extranet switches give administrators the ability to enable a
    small HTTP server and use Nortel's web based administration
    utility to handle configuration and maintenance.  The server runs
    atop the VxWorks operating system and is located in the directory
    /system/manage.  A CGI application, /system/manage/cgi/cgiproc,
    that is used to display the administration html pages does not
    properly authenticate users prior to processing requests.  An
    intruder can view any file on the switch without logging in.

    Method of exploitation?  Pretty much a no brainer:

        http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.

    (interesting     places     to     look:     /system/filelist.dat,
    /system/version.dat, /system/keys, /system/core, etc.)

    The only entry found in the event/security logs after exploitation
    is this:

         09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login

    Also, this same application does not properly escape
    metacharacters such as '$' and '!'; a request containing one
    crashes the whole system:

        http://x.x.x.x/manage/cgi/cgiproc?$

    Nothing is found in the security/event logs after the reboot.  This
    was tested on a Contivity 2500 running version 2.6 of the VxWorks
    OS.  However, the cgiproc application has probably been part of the
    package since their initial release, therefore earlier versions
    may also be affected.
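    Because the switch records only the single "Request for cgiproc
    denied" event for the file read, and nothing at all for the crash,
    the practical place to catch either is an upstream proxy or IDS
    log of the requests themselves.  The following helper is an added
    example (not from the advisory or from Nortel) that runs both
    checks over constructed sample data: it flags cgiproc requests
    whose Nocfile parameter names an absolute path or contains '..',
    flags a query made only of metacharacters, and parses the one
    event-log line the advisory shows.  The metacharacter list beyond
    '$' and '!', the 192.0.2.10 address, and the second event line are
    assumptions made up for the sample.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Path of the administration CGI named in the advisory.
CGIPROC_PATH = "/manage/cgi/cgiproc"

# '$' and '!' come from the advisory; the rest are assumed additions of the
# usual shell specials, since the advisory says "metacharacters such as".
SUSPICIOUS_METACHARS = set("$!`;|&")

# Matches the one event the switch writes after an unauthenticated read.
EVENT_DENIED_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}) tEvtLgMgr \d+ : Security \[\d+\] "
    r"Management: Request for cgiproc denied\. requires login"
)


def classify_request(url: str) -> Optional[str]:
    """Label one requested URL, or return None when it looks benign.

    Assumption: ordinary administration pages are requested by relative
    name, so an absolute path or '..' in Nocfile is treated as a probe.
    """
    parts = urlsplit(url)
    if parts.path != CGIPROC_PATH:
        return None
    query = unquote(parts.query)
    # A query with no key=value at all, built only from metacharacters,
    # is the crash pattern (cgiproc?$).
    if query and "=" not in query and all(c in SUSPICIOUS_METACHARS for c in query):
        return "cgiproc-metachar-query"
    params = parse_qs(query, keep_blank_values=True)
    for value in params.get("Nocfile", []):
        if value.startswith("/") or ".." in value:
            return "cgiproc-nocfile-path"
    return None


def parse_event_line(line: str) -> Optional[dict]:
    """Return {'time', 'finding'} for the 'cgiproc denied' event, else None."""
    m = EVENT_DENIED_RE.search(line)
    if not m:
        return None
    return {"time": m.group("time"), "finding": "cgiproc-denied-event"}


def scan(requests: List[str], events: List[str]) -> List[Tuple[str, str]]:
    """Run both detectors and return (source_line, finding) pairs."""
    findings = []
    for url in requests:
        label = classify_request(url)
        if label:
            findings.append((url, label))
    for line in events:
        hit = parse_event_line(line)
        if hit:
            findings.append((line, hit["finding"]))
    return findings


# Constructed sample input: 192.0.2.10 is a documentation address, and the
# second event line is made up to show a non-matching record.
SAMPLE_REQUESTS = [
    "http://192.0.2.10/manage/cgi/cgiproc?Nocfile=/system/version.dat",
    "http://192.0.2.10/manage/cgi/cgiproc?%24",
    "http://192.0.2.10/manage/cgi/cgiproc?Nocfile=status.htm",
    "http://192.0.2.10/manage/index.htm",
]
SAMPLE_EVENTS = [
    "09:44:23 tEvtLgMgr 0 : Security [12] Management: "
    "Request for cgiproc denied. requires login",
    "09:44:25 tEvtLgMgr 0 : Security [7] Management: User admin logged in",
]

if __name__ == "__main__":
    for source, finding in scan(SAMPLE_REQUESTS, SAMPLE_EVENTS):
        print(f"{finding:26} {source}")
```

    Feeding real proxy or IDS request lines into scan() in place of
    SAMPLE_REQUESTS is enough to alert on the probe; the event-log
    parser is only useful for the file read, since the crash leaves
    the switch's own log empty.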

SOLUTION

    Nortel was contacted and opened a case (CR# 118887 - cgiproc 'bug',
    CR# 118890 - DoS).  A patch has been developed and is scheduled to
    be released with their next shipment of the VxWorks package.
    Administrators who have properly configured the switch and placed
    adequate access control/filtering rules on the management virtual
    IP should not have any immediate concerns.