|
Brought to you by:
Suppliers of:
|
|
|
| |
"The NexusWay is a Multiservice Border Gateway that provides the Multiaccess and Multiservice capabilities in the border segment of an enterprise network."
There are multiple vulnerabilities in Neteyes Nexusway, by exploiting these vulnerabilities malicious attacker can gain full control over the product. |
| |
Credit:
The information has been provided by pokley.
|
| |
Weak Authentication in Web Module:
By sending crafted HTTP cookies, any user with access to port 443 on Neteyes Nexusway may use this vulnerability to become Neteyes Nexusway administrator. This will allow user to change any configuration on this device.
Example:
# curl -k -b 'cyclone500_write=1; cyclone500_auth=1; client_ip1;client=0.0.0.0' https://192.168.1.135/index.cgi
Escaping to Operating System Shell in SSH Module
User with access to SSH module may able to access Shell or execute any command as "root" privileges on Neteyes Nexusway by sending crafted argument in certain command. This will allow user to do anything on this device.
Example:
> ping ;sh
> traceroute ;sh
Command Execution in Web Module:
Any user with access to port 443 on Neteyes Nexusway is able to fully control Neteyes Nexusway device by sending special crafted packet to certain administration script. Web server is run as "root" on this devices.
Example:
https://192.168.1.135/nslookup.cgi?ip=localhost%26%26cat+/stand/htdocs/config/admin
https://192.168.1.135/ping.cgi?ip=localhost%26%26touch+/tmp/test
Workaround:
Disable web based administration module.
|
|
|
|
|
