rt-sa-2007-001.txt

`Advisory: Alcatel-Lucent OmniPCX Remote Command Execution  
  
RedTeam Pentesting discovered a remote command execution in the  
Alcatel-Lucent OmniPCX during a penetration test. The masterCGI script  
of the OmniPXC integrated communication solution web interface is  
vulnerable to a remote command execution. Attackers can run arbitrary  
commands with the permissions of the web application user.  
  
  
Details  
=======  
  
Product: Alcatel-Lucent OmniPCX  
Affected Versions: All versions up to and including R7.1  
Fixed Versions: All supported versions  
Vulnerability Type: Remote Command Execution  
Security-Risk: high  
Vendor-URL: http://www1.alcatel-lucent.com/psirt/statements.htm  
reference number 2007002  
Vendor-Status: Informed, patch available  
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-001.php  
Advisory-Status: public  
CVE: CVE-2007-3010  
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3010  
  
  
Introduction  
============  
  
"The OmniPCX Enterprise is an integrated communications solution for  
medium-sized businesses and large corporations. It combines the best of  
the old (legacy TDM phone connectivity) with the new (a native IP  
platform and support for Session Initiation Protocol, or SIP) to provide  
an effective and complete communications solution for cost-conscious  
companies on the cutting edge."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
The OmniPCX web interface has a CGI script "masterCGI" which offers a  
"ping" functionality. By running the script with the parameters "ping"  
and "user", one is able to ping any IP address reachable from the server  
the webinterface is running on.  
  
curl -k "https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=127.0.0.1"  
  
The ping will be done on the server, running the ping program installed  
on it. The vulnerability lies in the "user" variable not being filtered  
when passed to the shell. Thus, arbitrary commands can be executed on  
the server by adding them to the user variable, separated by semicolons.  
Spaces have to be encoded by using the internal field separator ${IFS},  
as any normal or URL encoded space will abort the command execution.  
  
  
Proof of Concept  
================  
  
curl -k "https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=;ls\${IFS}-l;"  
  
  
Workaround  
==========  
  
Deactivate the Web server at the loss of some functionality not related  
to telephony service. Interpose a firewall allowing access to the web  
interface of the OXE to IP addresses who should have access to the  
server (e.g. maintenance technicians).  
  
  
Fix  
===  
  
Correct filtering of shell meta-characters and tighter access control  
have been implemented in all supported versions.  
  
  
Security Risk  
=============  
  
The risk of this vulnerability is high. Any user which has access to the  
web interface of the OmniPCX Enterprise solution will be able to execute  
arbitrary commands on the server with the permissions of the webserver.  
  
  
History  
=======  
  
2007-05-07 First contact with head of technical staff of Alcatel-Lucent.   
Will relay the information to their technicians and call back   
with further information.  
2007-05-09 Response with a pointer to the Alcatel-Lucent PSIRT and the  
website http://www1.alcatel-lucent.com/psirt, where the  
process of reporting a security vulnerability is explained.  
The advisory gets mailed to the email address provided there.  
2007-05-10 Advisory gets acknowledged by the PSIRT  
2007-05-23 Vulnerability gets confirmed by Alcatel-Lucent  
2007-06-18 CVE number assigned  
2007-09-17 Coordinated public release with Alcatel-Lucent  
  
  
References  
==========  
  
http://www1.alcatel-lucent.com/psirt/statements.htm  
reference number 2007002  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting is offering individual penetration tests, short  
pentests, performed by a team of specialised IT-security experts.  
Hereby, security weaknesses in company networks or products are  
uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 963-1300  
Dennewartstr. 25-27 Fax : +49 241 963-1304  
52068 Aachen http://www.redteam-pentesting.de/  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`