cycladesReveal.txt

`The Cyclades AlterPath Manager (APM) Console Server is sold to "perform secure  
remote management of IT assets from anywhere in the world." It provides  
individual user logins, and allows the APM administrator to restrict users to  
specific consoles. However, a basic review of the APM management web interface  
revealed design flaws that could expose restricted consoles to unauthorized APM  
users, allow any APM user to obtain administrative privileges, and provide  
detailed system information to unauthorized users.  
  
Vendor: http://www.cyclades.com/  
Product: AlterPath Manager (APM)  
Version: 1.2.1  
  
Details:  
1) OSVDB-14073: Cyclades AlterPath Manager Information Disclosure  
The APM web interface reveals the following information: Boot Version, Kernel  
Version, Config Version, OS Version, AP Version, and Hardware information. This  
information could be valuable to attackers, and is available on the web  
interface on the /about.html web page without authentication.  
- Reference: http://www.cirt.net/advisories/alterpath_disclosure.shtml  
- Reference: http://www.osvdb.org/14073  
  
2) OSVDB-14075: Cyclades AlterPath Manager consoleConnect.jsp Arbitrary Console  
Connection  
Access restrictions in the APM prevent users from seeing consoles they are no  
allowed to connect to. However, this can be bypassed by simply specifying any  
console's name in the consoleConnect.jsp URL. Once the URL is changed and the  
page is loaded, the user will be taken directly to the console. Substitute  
"console_name" with the system’s console name (as defined in the APM).  
- Example URL: /usermode/consoleConnect.jsp?consolename=console_name  
- Reference: http://www.cirt.net/advisories/alterpath_console.shtml  
- Reference: http://www.osvdb.org/14075  
  
3) OSVDB-14074: Cyclades AlterPath Manager saveUser.do Privilege Escalation  
Any authorized user of the APM web interface can grant themselves administrator  
access. When saveUser.do is called, it does not confirm the user has access to  
modify their own (or other user’s) privileges. By changing the adminUser value  
to "true" in the save user program’s URL, the user account will be saved and  
granted administrative privileges.  
In the URL below, replace my_id, My+name, email and other user information as  
desired. Set the adminuser equal to "true" to grant escalated privileges to the  
user identified by userID (userID is an internal Cyclades identifier--it can be  
found in certain APM URLs or HTML pages).  
- Example URL:  
/application/saveUser.do?userId=9&password=&userName=my_id&fullName=My+name&department=Security&location=Work&phone=555-1212&mobile=&pager=  
&email=test%40example.com&status=Enable&localPassword=true&adminUser=true&forward=&action=Save  
- Reference: http://www.cirt.net/advisories/alterpath_privesc.shtml  
- Reference: http://www.osvdb.org/14074  
  
Resolution:  
The Cyclades APM software version 1.2.5 will address these issues when released.  
  
  
  
--   
http://www.cirt.net/ | http://www.osvdb.org/  
  
  
  
`