Nortel SSL VPN Cross Site Scripting/Command Execution

SEC-CONSULT Security Advisory 20051212-0
==========================================================================
title: Nortel SSL VPN Cross Site Scripting/Command Execution
program: Nortel SSL VPN
vulnerable version: 4.2.1.6
homepage: www.nortel.com
found: 2005-05-30
by: Daniel Fabian / SEC-CONSULT / www.sec-consult.com
==========================================================================

Product Description:
---------------

The Nortel SSL VPN is a remote access security solution. By using secure
sockets layer (SSL) as the underlying security protocol, Nortel SSL VPN
allows the Internet to be used for remote connectivity and the ubiquitous
Web browser to serve as the primary client interface.

Vulnerability overview:
---------------

Due to insufficient input validation within the appliance's web interface,
it is possible for an attacker to supply his victim with a malicious link
that results in code execution on the victim's client. The problem has
been reproduced with version 4.2.1.6; however, other versions might be
vulnerable as well.

Vulnerability details:
---------------

Due to insufficient input validation within the web interface of Nortel's
SSL VPN appliance, it is possible to hide commands in links to certain
pages of the web interface. As the Java applet which is called from those
web pages is cryptographically signed, it may execute operating system
commands with the privileges of the user sitting in front of the browser.

An attacker can thus supply his victim with a malicious link in which
commands are hidden. If the victim clicks on the link and logs onto the
SSL VPN web interface (to which it is automatically taken), arbitrary
commands are executed locally on the victim's client.

Here is an example of a crafted link that executes the command "cmd.exe
/c echo test > c:\\test" (please consider the link one line):

---cut here---

https:// SSL_VPN_SERVER/tunnelform.yaws?a=+cmd.exe+/c+echo+test+%3E+
c:\\test.txt+&type=Custom&sp=443&n=1&ph=&pp=&0tm=tcp&0lh=127.0.0.1&
0lp=8080&0hm=&0rh=10.10.10.10&0rp=80&sslEnabled=on&start=Start...

---cut here---
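The following Python script is an added example for this advisory, not
SEC Consult's or Nortel's code. It shows the two defensive sides of the
finding above: the server-side allowlist check the portal should apply to
the `a` parameter of tunnelform.yaws before the value reaches the signed
applet, and a scan of access-log lines that flags requests carrying
shell-like content in that parameter. The assumption that `a` names the
application to launch, the allowlist of application names and the Common
Log Format sample lines are all constructed for the example.

```python
"""Defensive checks for the tunnelform.yaws parameter injection described above.

Added example for this advisory; it is not Nortel's or SEC Consult's code.
Assumptions: the `a` query parameter names the application the signed applet
launches, the allowlist below is what a deployment would expect, and the
access-log lines are constructed samples in Common Log Format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of application names a legitimate portal link may carry.
ALLOWED_APPS = {"telnet", "ssh", "rdp"}

# Shell command-line fragments that never belong in an application name
# (Windows interpreters, executables, redirection and command separators).
SUSPICIOUS = re.compile(
    r"(cmd\.exe|command\.com|\.exe\b|/c\b|[|&;><`$]|\b(?:sh|bash)\b)",
    re.IGNORECASE,
)

# Common Log Format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Constructed sample traffic: one normal link, one crafted like the advisory's.
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Dec/2005:10:00:01 +0100] "GET /tunnelform.yaws?a=telnet&type=Custom&sp=443 HTTP/1.1" 200 512
10.0.0.7 - - [12/Dec/2005:10:00:02 +0100] "GET /tunnelform.yaws?a=+cmd.exe+/c+echo+test+%3E+c:\\test.txt+&type=Custom&sp=443&n=1 HTTP/1.1" 200 512
10.0.0.9 - - [12/Dec/2005:10:00:03 +0100] "GET /index.yaws HTTP/1.1" 200 128
"""


def validate_app_param(value):
    """Server-side fix: accept the `a` parameter only if it is an allowlisted
    application name. Anything else (including the advisory's command string)
    is rejected before it can reach the signed applet."""
    return value in ALLOWED_APPS


def analyse_request(target):
    """Return the reasons a request target looks like the advisory's attack,
    or an empty list for a request that is not tunnelform.yaws or is clean."""
    parts = urlsplit(target)
    if not parts.path.endswith("/tunnelform.yaws"):
        return []
    # parse_qs decodes '+' to space and %xx escapes, so we see the real value
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for value in params.get("a", []):
        value = value.strip()
        if not validate_app_param(value):
            reasons.append(f"a={value!r} is not an allowlisted application")
        hit = SUSPICIOUS.search(value)
        if hit:
            reasons.append(f"shell token {hit.group(0)!r} inside a=")
    return reasons


def scan_log(text):
    """Walk access-log lines and collect (client ip, target, reasons) for
    every request that analyse_request() flags."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # blank or non-CLF line
        reasons = analyse_request(match.group("target"))
        if reasons:
            findings.append((match.group("ip"), match.group("target"), reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the constructed log, only the second line is reported: the
decoded `a` value is neither an allowlisted application nor free of shell
tokens. The allowlist check is the part a fixed portal needs; the token
search is a second signal for hunting through historical logs of an
unpatched appliance, where the allowlist of a given deployment may not be
known.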

 

 

Vulnerable versions:
---------------

Nortel SSL VPN 4.2.1.6


Patch Status
---------------

According to the vendor, a patch for this vulnerability has been incorporated
into maintenance release v5.1.5 of its VPN Gateway.


Vendor status:
---------------
vendor notified: 2005-05-30
vendor response: 2005-06-21
patch available: 2005-11-15
public disclos.: 2005-12-12

General remarks
---------------

We would like to apologize in advance for potential nonconformities and/or
known issues.

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 15
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com