Nortel Application Gateway 2000 Password

SEC Consult Security Advisory < 20090415-1 >

==========================================================================

title: Nortel Application Gateway 2000 Password

Disclosure Vulnerability

program: Nortel Application Gateway 2000

vulnerable version: 6.3.1 and prior

homepage: www.nortel.com/ag2000

found: 2008-11-14

by: David Matscheko / SEC Consult / www.sec-consult.com

==========================================================================

 

Vendor description:

-------------------

 

The Application Gateway delivers practical, converged voice and data applications on Nortel IP phones that enable organizations to benefit more fully from IP telephony. The prepackaged, easy-to-learn, easy-to-use Voice Office applications help increase productivity and enhance organizational communications - without requiring any integration work. For the hospitality sector, the Guest Services applications provide additional services/features, generate revenue from advertising on the phone screen, and reduce the cost of operations by enabling guests to self serve. Custom development tools are also available to end customers for delivery of customized content to IP phones.

 

[source: www.nortel.com/ag2000]

 

 

Vulnerability overview:

-----------------------

 

The Nortel Application Gateway provides an administration interface "Nortel Administration Tool powered by Citrix". This interface responds with sensitive information to unauthorized users.

 

 

Vulnerability description:

--------------------------

 

The "Nortel Administration Tool powered by Citrix" can be accessed under the URL "https://<server>:3001/". The subframe "https://<server>:3001/adminDownloads.htm" does not show any content in the browser view. However the HTML-source of this frame contains sensitive information like an administrative call server user account:

---
<div id="call_server_host" value="10.11.12.13"></div> [...]
<div id="call_server_telnet_port" value="23"></div> [...]
<div id="call_server_user" value="admin123"></div>
<div id="call_server_pwd" value="hugo123"></div>
---

 

 

Proof of concept:

-----------------

 

This vulnerability can be exploited with a web browser and plugins / web proxy.

 

 

Vendor contact timeline:

------------------------

 

January 2009: Vendor informed about vulnerability

2009-04-14: Patch available

 

 

Patch:

------

 

The vendor has released a vulnerability fix which addresses the issue. In addition, the vendor has released a public security advisory containing update instructions. URL:

 

support.nortel.com/go/main.jsp

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF SEC Consult Vulnerability Lab / @2009