Lucene search
K

Nortel Application Gateway 2000 Password

🗓️ 15 Apr 2009 00:00:00Reported by D. MatschekoType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 44 Views

Nortel Application Gateway 2000 Password Disclosure Vulnerability in version 6.3.1 and prio

Code
`SEC Consult Security Advisory < 20090415-1 >  
==========================================================================  
title: Nortel Application Gateway 2000 Password   
Disclosure Vulnerability  
program: Nortel Application Gateway 2000  
vulnerable version: 6.3.1 and prior  
homepage: http://www.nortel.com/ag2000  
found: 2008-11-14  
by: David Matscheko / SEC Consult / www.sec-consult.com  
link:  
https://www.sec-consult.com/files/20090415-1_nortel_AG_password_disclosure.txt  
==========================================================================  
  
Vendor description:  
-------------------  
  
The Application Gateway delivers practical, converged voice and data  
applications on Nortel IP phones that enable organizations to benefit  
more fully from IP telephony. The prepackaged, easy-to-learn,  
easy-to-use Voice Office applications help increase productivity and  
enhance organizational communications - without requiring any  
integration work. For the hospitality sector, the Guest Services  
applications provide additional services/features, generate revenue from  
advertising on the phone screen, and reduce the cost of operations by  
enabling guests to self serve. Custom development tools are also  
available to end customers for delivery of customized content to IP  
phones.  
  
[source: http://www.nortel.com/ag2000]  
  
  
Vulnerability overview:  
-----------------------  
  
The Nortel Application Gateway provides an administration interface  
"Nortel Administration Tool powered by Citrix". This interface responds  
with sensitive information to unauthorized users.  
  
  
Vulnerability description:  
--------------------------  
  
The "Nortel Administration Tool powered by Citrix" can be accessed under  
the URL "https://<server>:3001/". The subframe  
"https://<server>:3001/adminDownloads.htm" does not show any content in  
the browser view. However the HTML-source of this frame contains  
sensitive information like an administrative call server user account:  
  
---  
<div id="call_server_host" value="10.11.12.13"></div> [...]  
<div id="call_server_telnet_port" value="23"></div> [...]  
<div id="call_server_user" value="admin123"></div>  
<div id="call_server_pwd" value="hugo123"></div>  
---  
  
  
Proof of concept:  
-----------------  
  
This vulnerability can be exploited with a web browser and plugins / web  
proxy.  
  
  
Vendor contact timeline:  
------------------------  
  
January 2009: Vendor informed about vulnerability  
2009-04-14: Patch available  
  
  
Patch:  
------  
  
The vendor has released a vulnerability fix which addresses the issue.  
In addition, the vendor has released a public security advisory  
containing update instructions. URL:  
  
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=865005  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
www.sec-consult.com  
  
EOF SEC Consult Vulnerability Lab / @2009  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation