Alcatel-Lucent OmniPCX Remote Command Execution

Advisory: Alcatel-Lucent OmniPCX Remote Command Execution

RedTeam Pentesting discovered a remote command execution in the Alcatel-Lucent OmniPCX during a penetration test. The masterCGI script of the OmniPXC integrated communication solution web interface is vulnerable to a remote command execution. Attackers can run arbitrary commands with the permissions of the web application user.

Details

Product: Alcatel-Lucent OmniPCX
Affected Versions: All versions up to and including R7.1 Fixed Versions: All supported versions
Vulnerability Type: Remote Command Execution Security-Risk: high
Vendor-URL: http://www1.alcatel-lucent.com/psirt/statements.htm

            reference number 2007002
Vendor-Status: Informed, patch available

Advisory-URL: 
http://www.redteam-pentesting.de/advisories/rt-sa-2007-001.php
Advisory-Status: public
CVE: CVE-2007-3010

Introduction

"The OmniPCX Enterprise is an integrated communications solution for
medium-sized businesses and large corporations. It combines the best of the old (legacy TDM phone connectivity) with the new (a native IP platform and support for Session Initiation Protocol, or SIP) to provide an effective and complete communications solution for cost-conscious companies on the cutting edge."

(from the vendor's homepage)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

More Details

The OmniPCX web interface has a CGI script "masterCGI" which offers a
"ping" functionality. By running the script with the parameters "ping"
and "user", one is able to ping any IP address reachable from the server the webinterface is running on.

curl -k "https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=127.0.0.1"

The ping will be done on the server, running the ping program installed on it. The vulnerability lies in the "user" variable not being filtered when passed to the shell. Thus, arbitrary commands can be executed on the server by adding them to the user variable, separated by semicolons. Spaces have to be encoded by using the internal field separator ${IFS}, as any normal or URL encoded space will abort the command execution.

Proof of Concept

curl -k "https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=;ls\${IFS}-l;"

Workaround

Deactivate the Web server at the loss of some functionality not related to telephony service. Interpose a firewall allowing access to the web interface of the OXE to IP addresses who should have access to the server (e.g. maintenance technicians).

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Fix
===

Correct filtering of shell meta-characters and tighter access control have been implemented in all supported versions.

Security Risk

The risk of this vulnerability is high. Any user which has access to the web interface of the OmniPCX Enterprise solution will be able to execute arbitrary commands on the server with the permissions of the webserver.

History

2007-05-07 First contact with head of technical staff of Alcatel-Lucent.

           Will relay the information to their technicians and call back 
           with further information.
2007-05-09 Response with a pointer to the Alcatel-Lucent PSIRT and the
           website 
http://www1.alcatel-lucent.com/psirt, where the
           process of reporting a security vulnerability is explained.
           The advisory gets mailed to the email address provided there.
2007-05-10 Advisory gets acknowledged by the PSIRT
2007-05-23 Vulnerability gets confirmed by Alcatel-Lucent

References

http://www1.alcatel-lucent.com/psirt/statements.htm reference number 2007002

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

RedTeam Pentesting GmbH

RedTeam Pentesting is offering individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de.

-- 
RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen                    
http://www.redteam-pentesting.de/
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck


application/pgp-signature attachment: Digital signature