title:              Nortel SSL VPN Cross Site Scripting/Command Execution
program:            Nortel SSL VPN
vulnerable version: 188.8.131.52
homepage:           www.nortel.com
found:              2005-05-30
by:                 Daniel Fabian / SEC-CONSULT / www.sec-consult.com
The Nortel SSL VPN is a remote access security solution. By using secure sockets layer (SSL) as the underlying security protocol, Nortel SSL VPN allows for using the Internet for remote connectivity and the ubiquitous Web browser as the primary client interface.
Due to insufficient input validation within the appliance's web interface, an attacker can supply a victim with a malicious link that results in code execution on the victim's client. The problem has been reproduced with version 184.108.40.206; other versions might be vulnerable as well.
Due to insufficient input validation within the web interface of Nortel's SSL VPN appliance, it is possible to hide operating system commands in links to certain pages of the web interface. Because the Java applet invoked from those pages is cryptographically signed, the browser grants it the right to execute operating system commands, and it does so with the privileges of the user sitting in front of the browser.
An attacker can thus supply a victim with a malicious link in which commands are hidden. If the victim clicks on the link and logs on to the SSL VPN web interface (to which the link automatically takes the victim), the hidden commands are executed locally on the victim's client.
Here is an example of a crafted link that executes the command "cmd.exe /c echo test > c:\\test.txt" on the client. The command is carried in the "a" parameter of tunnelform.yaws; "+" encodes a space and "%3E" encodes ">". The link is a single line:

https://SSL_VPN_SERVER/tunnelform.yaws?a=+cmd.exe+/c+echo+test+%3E+c:\\test.txt+&type=Custom&sp=443&n=1&ph=&pp=&0tm=tcp&0lh=127.0.0.1&0lp=8080&0hm=&0rh=10.10.10.10&0rp=80&sslEnabled=on&start=Start...
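The following Python script is an added example and is not part of the SEC Consult advisory or of Nortel's product. It recovers the value smuggled in the "a" parameter of a tunnelform.yaws link, classifies it, and scans web-server access log lines for requests that carry such a value, which is how a defender would look for the link being clicked against an unpatched gateway. It assumes (this is not stated in the advisory) that a legitimate "a" value is a single token of letters, digits, dot, dash and underscore; the log lines are constructed for the example.

```python
"""Added example, not from the advisory: detect the tunnelform.yaws command
injection link in URLs and access-log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# The crafted link from the advisory, joined to a single line.
ADVISORY_LINK = (
    r"https://SSL_VPN_SERVER/tunnelform.yaws?a=+cmd.exe+/c+echo+test+%3E+"
    r"c:\\test.txt+&type=Custom&sp=443&n=1&ph=&pp=&0tm=tcp&0lh=127.0.0.1&"
    r"0lp=8080&0hm=&0rh=10.10.10.10&0rp=80&sslEnabled=on&start=Start..."
)

# Assumption (not from the advisory): a legitimate 'a' value is one short
# token. Anything else is rejected. Adjust to the real parameter's grammar.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Substrings that mark an OS command line rather than a plain token.
COMMAND_MARKERS = ("cmd.exe", "command.com", "powershell", "/c ",
                   ">", "<", "|", "&", ";", "\n")

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample log lines (not real traffic). The second one is the
# advisory's link as it would appear in the gateway's access log.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2006:10:00:01 +0100] "GET /tunnelform.yaws?'
    'a=myapp&type=Custom&sp=443 HTTP/1.1" 200 512',
    r'10.0.0.9 - - [12/Dec/2006:10:00:07 +0100] "GET /tunnelform.yaws?'
    r'a=+cmd.exe+/c+echo+test+%3E+c:\\test.txt+&type=Custom&sp=443 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Dec/2006:10:00:09 +0100] "GET /index.yaws HTTP/1.1" 200 2048',
]


def target_parameter(url):
    """Return the URL-decoded value of the 'a' query parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("a", [""])[0]


def is_safe_value(value):
    """True if the value matches the (assumed) allowlist for 'a'."""
    return bool(SAFE_VALUE.match(value))


def command_indicators(value):
    """List the command-line markers present in a decoded 'a' value."""
    found = [m for m in COMMAND_MARKERS if m in value]
    if any(ch.isspace() for ch in value):
        found.append("<whitespace>")
    return found


def classify_url(url):
    """'not-tunnelform', 'benign' or 'suspicious' for a single URL or path."""
    if "tunnelform.yaws" not in urlsplit(url).path:
        return "not-tunnelform"
    return "benign" if is_safe_value(target_parameter(url)) else "suspicious"


def scan_log(lines):
    """Return (client, url, indicators) for each suspicious request in the log."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        if classify_url(url) != "suspicious":
            continue
        client = line.split(" ", 1)[0]
        hits.append((client, url, command_indicators(target_parameter(url))))
    return hits


if __name__ == "__main__":
    print("advisory link ->", classify_url(ADVISORY_LINK),
          command_indicators(target_parameter(ADVISORY_LINK)))
    for client, url, indicators in scan_log(SAMPLE_LOG):
        print(f"{client} requested {url}\n    indicators: {indicators}")
```

The allowlist check in is_safe_value is also the shape of the server-side fix: the gateway should accept only values of "a" that match what the page legitimately passes to the applet, and reject anything containing whitespace, redirection or shell metacharacters before it reaches a signed component that will run it.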
Nortel SSL VPN 220.127.116.11
According to the vendor, a patch for this vulnerability has been incorporated into maintenance release v5.1.5 of its VPN Gateway.
vendor notified:  2005-05-30
vendor response:  2005-06-21
patch available:  2005-11-15
public disclos.:  2006-12-12
We would like to apologize in advance for potential nonconformities and/or known issues.
This advisory can also be found online at http://www.sec-consult.com/247.html.
SEC Consult conducts periodical information security workshops on ISO 27001/BS 7799 in cooperation with BSI Management Systems. For more information, please refer to http://www.sec-consult.com/236.html
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH
Office Vienna Blindengasse 3 A-1080 Wien Austria
Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 15 Mail: office at sec-consult dot com www.sec-consult.com
EOF Daniel Fabian / @2005 d.fabian at sec-consult dot com