SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   IP3 NetAccess
Vendors:   Second Rule LLC
IP3 NetAccess Missing Input Validation in 'getfile.cgi' Lets Remote Users Traverse the Directory
SecurityTracker Alert ID:  1017623
SecurityTracker URL:  http://securitytracker.com/id/1017623
CVE Reference:   CVE-2007-0883
Updated:  May 19 2008
Original Entry Date:  Feb 12 2007
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 4.1.9.6
Description:   A vulnerability was reported in IP3 NetAccess. A remote user can view files on the target system.

The 'getfile.cgi' script does not properly validate user-supplied input in the 'filename' parameter. A remote user can supply a specially crafted request to view files on the target system that are located outside of the document directory.

A demonstration exploit URL is provided:

http://[target]/portalgroups/portalgroups/getfile.cgi?filename=../../../../../../../../etc/shadow

The vendor was notified on December 31, 2006.

Sebastian Wolfgarten reported this vulnerability.

The original advisory is available at:

http://www.devtarget.org/ip3-advisory-02-2007.txt

Impact:   A remote user can view files on the target system.
Solution:   The vendor has issued a fixed version (4.1.9.6).
Vendor URL:  www.ip3.com/poverview.htm
Cause:   Input validation error
Underlying OS:  

Message History:   None.
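
One way to hunt for requests of this kind in web access logs, as an added example that is not part of the original advisory or the vendor's code. It assumes Apache-style combined log lines (the device's actual log format is not given on this page); the sample lines and addresses are constructed, and the check also covers percent-encoded forms of the same path, which goes beyond the literal URL shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: Apache-style common/combined log format.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Feb/2007:22:40:02 +0100] "GET /portalgroups/portalgroups/'
    'getfile.cgi?filename=logo.gif HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Feb/2007:22:41:15 +0100] "GET /portalgroups/portalgroups/'
    'getfile.cgi?filename=../../../../../../../../etc/shadow HTTP/1.1" 200 1024',
    '198.51.100.7 - - [11/Feb/2007:22:41:20 +0100] "GET /portalgroups/portalgroups/'
    'getfile.cgi?filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1024',
    '192.0.2.10 - - [11/Feb/2007:22:42:00 +0100] "GET /index.html?filename=../x '
    'HTTP/1.1" 200 10',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encoding is seen in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(filename):
    """True if the decoded value has a '..' path segment or is an absolute path."""
    path = fully_decode(filename).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def find_traversal_requests(log_lines):
    """Return (client, decoded filename) for suspicious getfile.cgi requests."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/getfile.cgi"):
            continue  # only the script named in the advisory is in scope
        for value in parse_qs(url.query, keep_blank_values=True).get("filename", []):
            if is_traversal(value):
                findings.append((m.group("client"), fully_decode(value)))
    return findings

if __name__ == "__main__":
    for client, name in find_traversal_requests(SAMPLE_LOG):
        print(f"{client} requested filename={name!r}")
```

A hit with a 200 status on a device running firmware prior to 4.1.9.6 means the requested file should be treated as disclosed.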


 Source Message Contents

Date:  Sun, 11 Feb 2007 22:41:15 +0100
Subject:  [Full-disclosure] Arbitrary file disclosure vulnerability in IP3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I - TITLE

Security advisory: Arbitrary file disclosure vulnerability in
                   IP3 NetAccess leads to full system compromise

II - SUMMARY

Description: Arbitrary file disclosure vulnerability in IP3 NetAccess
             leads to full system compromise

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)

Date: February 11th, 2007

Severity: High

References: http://www.devtarget.org/ip3-advisory-02-2007.txt

III - OVERVIEW

IP3's NetAccess is a device created for high demand environments such as
convention centers or hotels. It handles the Internet access and
provides for instance firewalling, billing, rate-limiting as well as
various authentication mechanisms. The device is administrated via SSH
or a web-based GUI. Further information about the product can be found
online at http://www.ip3.com/poverview.htm.

IV - DETAILS

Due to improper input validation, all NetAccess devices with a firmware
version less than 4.1.9.6 are vulnerable to an arbitrary file disclosure
vulnerability. This vulnerability allows an unauthenticated remote
attacker to abuse the web interface and read any file on the remote
system. Due to the fact that important system files are world-readable
(see bid #17698), this does include /etc/shadow and thus leads to a full
compromise of the device! In addition an attacker is able to gain access
to the proprietary code base of the device and potentially identify as
well as exploit other (yet unknown) vulnerabilities.

V - EXPLOIT CODE

The trivial vulnerability can be exploited by accessing the file
"getfile.cgi" with a relative file path such as

http://$target/portalgroups/portalgroups/getfile.cgi?filename=../../../../../../../../etc/shadow

As the input to the "filename" parameter is not properly validated
accessing this URL will disclose the contents of /etc/shadow to a remote
attacker.

VI - WORKAROUND/FIX

To address this problem, the vendor has released a new firmware version
(4.1.9.6) which is available at http://www.ip3.com. Hence all users of
IP3's NetAccess devices are asked to install this version immediately.

As a temporary workaround, one may also limit the accessibility of the
web interface of the device to authorized personnel only. Nevertheless
contacting the vendor and installing the new firmware version is highly
recommended!

VII - DISCLOSURE TIMELINE

31. December 2006 - Notified vendor
31. December 2006 - Vulnerability confirmed
17. January 2007 - Patch released
11. February 2007 - Public disclosure

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFz417d8QFWG1Rza8RAlGdAKCgbw/HBweXPlDQW+T8A7JAagrPWQCeKetH
EJAG2aGxvYbSTMH/n6Sd9sc=
=nMqJ
-----END PGP SIGNATURE-----

Copyright 2014, SecurityGlobal.net LLC