Nortel Contivity File Viewing, variant one


Nortel Contivity Extranet Switches on VxWorks


Bugtraq: 938
CVE: CVE-2000-0063


Input validation error


Unauthorized file access




COMMAND Nortel's switches

SYSTEMS AFFECTED Nortel's new Contivity seris extranet switches

PROBLEM John Daniele found following. Nortel's new Contivity seris extranet switches give administrators the ability to enable a small HTTP server and use Nortel's web based administration utility to handle configuration and maitenance. The server runs atop the VxWorks operating system and is located in the directory /system/manage. A CGI application, /system/manage/cgi/cgiproc that is used to display the administration html pages does not properly authenticate users prior to processing requests. An intruder can view any file on the switch without logging in. Method of exploitation? Pretty much a no brainer:

http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file. (interesting places to look: /system/filelist.dat, /system/version.dat, /system/keys, /system/core, etc.) The only entry found in the event/security logs after exploitation is this:

09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login

Also, this same application does not properly escape metacharacters such as '$', '!', resulting in total system crash:


Nothing is found in the security/event logs after reboot. This was tested on a Contivity 2500 running version 2.6 of the VxWorks OS. However, the cgiproc application has been (guess) part of the package since their initial release, therefore earlier versions may also be affected.

SOLUTION Nortelwas contacted and opened a case (CR# 118887 - cgiproc 'bug', CR# 118890 - DoS). A patch has been developed and is scheduled to be released with their next shipment of the VxWorks package. Those administrators that have properly configured the switch, and placed adequate access control/filtering rules on the managemnt virtual ip should not have any immediate concerns.

Attack string

GET /manage/cgi/cgiproc?Nocfile=/system/keys HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.2; Linux) (KHTML, like Gecko)
Accept: text/html, image/jpeg, image/png, text/*, image/*, */*
Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5
Accept-Language: en

Attack program source

None available.