
| Subject: | [Full-Disclosure] Cyclades AlterPath Manager Vulnerabilities |
|---|---|
| Date: | Wed, 23 Feb 2005 23:31:17 -0500 |
The Cyclades AlterPath Manager (APM) Console Server is sold to "perform secure remote management of IT assets from anywhere in the world." It provides individual user logins, and allows the APM administrator to restrict users to specific consoles. However, a basic review of the APM management web interface revealed design flaws that could expose restricted consoles to unauthorized APM users, allow any APM user to obtain administrative privileges, and provide detailed system information to unauthorized users.

Vendor: http://www.cyclades.com/
Product: AlterPath Manager (APM)
Version: 1.2.1

Details:

1) OSVDB-14073: Cyclades AlterPath Manager Information Disclosure

The APM web interface reveals the following information: Boot Version, Kernel Version, Config Version, OS Version, AP Version, and Hardware information. This information could be valuable to attackers, and is available on the web interface on the /about.html web page without authentication.

- Reference: http://www.cirt.net/advisories/alterpath_disclosure.shtml
- Reference: http://www.osvdb.org/14073

2) OSVDB-14075: Cyclades AlterPath Manager consoleConnect.jsp Arbitrary Console Connection

Access restrictions in the APM prevent users from seeing consoles they are not allowed to connect to. However, this can be bypassed by simply specifying any console's name in the consoleConnect.jsp URL. Once the URL is changed and the page is loaded, the user will be taken directly to the console. Substitute "console_name" with the system's console name (as defined in the APM).

- Example URL: /usermode/consoleConnect.jsp?consolename=console_name
- Reference: http://www.cirt.net/advisories/alterpath_console.shtml
- Reference: http://www.osvdb.org/14075

3) OSVDB-14074: Cyclades AlterPath Manager saveUser.do Privilege Escalation

Any authorized user of the APM web interface can grant themselves administrator access. When saveUser.do is called, it does not confirm the user has access to modify their own (or other users') privileges. By changing the adminUser value to "true" in the save user program's URL, the user account will be saved and granted administrative privileges. In the URL below, replace my_id, My+name, email and other user information as desired. Set adminUser equal to "true" to grant escalated privileges to the user identified by userID (userID is an internal Cyclades identifier; it can be found in certain APM URLs or HTML pages).

- Example URL: /application/saveUser.do?userId=9&password=&userName=my_id&fullName=My+name&department=Security&location=Work&phone=555-1212&mobile=&pager=&email=test%40example.com&status=Enable&localPassword=true&adminUser=true&forward=&action=Save
- Reference: http://www.cirt.net/advisories/alterpath_privesc.shtml
- Reference: http://www.osvdb.org/14074

Resolution:

The Cyclades APM software version 1.2.5 will address these issues when released.

--
http://www.cirt.net/ | http://www.osvdb.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
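Issues 2 and 3 above are both missing server-side authorization checks: the console ACL is applied to what is displayed rather than to the connect request, and saveUser.do accepts privilege-bearing fields from any logged-in user. The sketch below is an added example, not Cyclades code and not part of the original advisory; the Session type, function names and field groupings are assumptions made to show the checks such handlers need.

```python
# Added example: all names are hypothetical; this models the missing checks,
# it is not Cyclades code.
from dataclasses import dataclass

SELF_EDITABLE = {"password", "fullName", "department", "location",
                 "phone", "mobile", "pager", "email"}
ADMIN_ONLY = {"adminUser", "status"}  # assumption: privilege-bearing fields


class Forbidden(Exception):
    """Raised when the session may not perform the requested action."""


@dataclass(frozen=True)
class Session:
    user_id: int
    is_admin: bool = False
    allowed_consoles: frozenset = frozenset()


def authorize_console(session, consolename):
    # Enforce the console ACL on the connect request itself, not only when
    # deciding which consoles to list in the user's menu.
    if session.is_admin or consolename in session.allowed_consoles:
        return consolename
    raise Forbidden(f"console {consolename!r} not assigned to this user")


def authorize_save_user(session, params, stored):
    """Return the fields this session may write to the target user record.

    params: request parameters; stored: the target's current record.
    """
    try:
        target = int(params["userId"])
    except (KeyError, ValueError):
        raise Forbidden("missing or malformed userId")
    if session.is_admin:
        return {k: v for k, v in params.items() if k in SELF_EDITABLE | ADMIN_ONLY}
    if target != session.user_id:
        raise Forbidden("non-admin may only edit their own account")
    # The form may echo privileged fields back; allow that only if unchanged.
    for name in params.keys() & ADMIN_ONLY:
        if params[name] != stored.get(name):
            raise Forbidden(f"non-admin may not change {name}")
    return {k: v for k, v in params.items() if k in SELF_EDITABLE}
```

The identity used for both decisions comes from the server-side session, never from a request parameter, and the write set is built from an allowlist so that unknown parameters are dropped rather than persisted.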