Nortel's recently released Contivity series network devices (extranet switches) shipped with an httpd (to provide an interface for remote administration) which runs on top of VxWorks.

A total system crash can occur as a result of exploiting a vulnerability in a cgi-bin program called "cgiproc" that is included with the webserver. If metacharacters such as "!" or "$" are passed to cgiproc, the system will crash (because the characters are not escaped). foo <foo@blacklisted.intranova.net> provided the following example:

http://x.x.x.x/manage/cgi/cgiproc?$ [crash]

No evidence of this problem being exploited is saved in the logs.

Another vulnerability in cgiproc is a lack of authentication when requesting administration webpages. A consequence of this is an attacker being able to view any file on the webserver. foo <foo@blacklisted.intranova.net> also provided an example for this vulnerability:

http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file

(interesting places to look: /system/filelist.dat, /system/version.dat, /system/keys, /system/core, etc.)

All that is written to the logs when this is exploited is the line below:

09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login

In order to perform the operations detailed in the report, the "attackers" must be internal, private side users or authenticated tunnel users, and the site administrator must allow them HTTP as a management protocol.
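Since the crash leaves nothing in the device log and the file read leaves only the "denied. requires login" line, a defender has to watch the traffic reaching cgiproc and the event log itself. The following is an added example (not Nortel's or the reporter's code) that parses the tEvtLgMgr line format quoted above and classifies HTTP requests to /manage/cgi/cgiproc against both issues; the sample log lines are constructed, and the metacharacter set is limited to the two characters the advisory names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the tEvtLgMgr format quoted in the advisory (not from a real device).
SAMPLE_LOG = """\
09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login
09:44:25 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login
09:45:01 tEvtLgMgr 0 : Security [3] Management: login ok for admin
"""

# time task n : category [code] message
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<task>\S+) (?P<n>\d+) : "
    r"(?P<category>\w+) \[(?P<code>\d+)\] (?P<msg>.*)$"
)
DENIED_MSG = "Request for cgiproc denied. requires login"

# Only the characters the advisory names; extend the set if the vendor documents more.
METACHARS = set("!$")


def parse_contivity_log(text):
    """Parse event-log lines in the format shown in the advisory into dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def cgiproc_denials(text):
    """Return the timestamps of the only trace the unauthenticated file read leaves."""
    return [e["time"] for e in parse_contivity_log(text) if DENIED_MSG in e["msg"]]


def classify_cgiproc_request(url):
    """Classify a request URL seen on the management network.

    Returns 'crash-metachar' for an unescaped "!" or "$" in the query string,
    'unauth-file-read' for a Nocfile parameter, or None for anything else.
    """
    parts = urlsplit(url)
    if not parts.path.endswith("/manage/cgi/cgiproc"):
        return None
    if any(c in METACHARS for c in parts.query):
        return "crash-metachar"
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "Nocfile" in params:
        return "unauth-file-read"
    return None
```

Run the classifier over a proxy or capture of management-side HTTP requests and the log parser over the device event log; a burst of denials with no matching successful login is the signal to look for.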