Multiple Vulnerabilities in the Adtran Netvanta 7100 Impact: Multiple Local and Remote Compromise, XSS and other Injection Attacks Version(s): firmware prior to R10.5.3.HA Author: J. Oquendo (joquendo at e-fensive dot net)
Title: Multiple Vulnerabilities in Adtran Netvanta 7100 Date published: 2013-09-18 Vendor contacted in 2011
CVE-2013-5210 Remote Code Injection via XSS
The Adtran Netvanta 7100 (NV7100) is an "Office in a Box" appliance offering data and VoIP services on a single platform. In October 2011, I discovered there were some vulnerabilities in the platform and contacted the vendor. The initial disclosure revolved primarily around cross site scripting attacks, where via crafted URIs an attacker would have been able to trick users into performing a variety of attacks, local to the users machine, or, if given enough privileges, re-directed back to the NV7100. After disclosing the issue, Adtran began fixing up these initial issues however, in parallel, I then found others which were similar in nature, but affecting other areas of the NV7100.
For a description of XSS, injection attacks, authentication bypass, please see OWASP material on this subject.
The NV7100's main issue (and the reason for the LONG release of a patch) revolved around userapp/loginAction.html where an attacker was able to inject code regardless of authenticating. In the initial report, there was some miscommunication on my behalf, as well as some vendor misinterpretation of what was occurring. An attacker DOES NOT NEED credentials to pull off a successful attack and no POC code will be made publicly available to demonstrate. The vendor was given a video that illustrated the who, what, when, where and why.
Adtran released a firmware update, and advisory of their own to resolve this issue however, in the interim, these appliances should NEVER face the public internet, and should be isolated via VLANs or firewalls to minimize abuse.
IV. TOOLS USED
Wikto, Burpsuite, WVS, perl kung fu, Firefox
This was reported in 2011 and throughout the past two years, Adtran has been fixing the issues I have been coming across. Initially, the advisory began with over 52 different means of attacks and over the course of two years, Adtran has diligently addressed each and every vulnerability, as recently as August 2013. While I would have preferred placing a timeline, the reality is, two years is a long time to go back and forth with a vendor on security issues.
There was also an SSL renegotation issue that was discovered and addressed during the process of sorting out the XSS issues.
-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF