[VulnWatch] Cyclades AlterPath Manager Vulnerabilities

From: Sullo (sullo@private)
Date: Wed Feb 23 2005 - 20:31:17 PST


The Cyclades AlterPath Manager (APM) Console Server is sold to "perform secure
remote management of IT assets from anywhere in the world."  It provides
individual user logins, and allows the APM administrator to restrict users to
specific consoles. However, a basic review of the APM management web interface
revealed design flaws that could expose restricted consoles to unauthorized APM
users, allow any APM user to obtain administrative privileges, and provide
detailed system information to unauthorized users.

Vendor:  http://www.cyclades.com/
Product: AlterPath Manager (APM)
Version: 1.2.1

Details:
1) OSVDB-14073: Cyclades AlterPath Manager Information Disclosure
The APM web interface reveals the following information: Boot Version, Kernel
Version, Config Version, OS Version, AP Version, and Hardware information. This
information could be valuable to attackers, and is available on the web
interface on the /about.html web page without authentication.
   - Reference: http://www.cirt.net/advisories/alterpath_disclosure.shtml
   - Reference:  http://www.osvdb.org/14073

2) OSVDB-14075: Cyclades AlterPath Manager consoleConnect.jsp Arbitrary Console
Connection
Access restrictions in the APM prevent users from seeing consoles they are no
allowed to connect to. However, this can be bypassed by simply specifying any
console's name in the consoleConnect.jsp URL. Once the URL is changed and the
page is loaded, the user will be taken directly to the console. Substitute
"console_name" with the system’s console  name (as defined in the APM).
	- Example URL: /usermode/consoleConnect.jsp?consolename=console_name
	- Reference: http://www.cirt.net/advisories/alterpath_console.shtml
	- Reference: http://www.osvdb.org/14075

3) OSVDB-14074: Cyclades AlterPath Manager saveUser.do Privilege Escalation
Any authorized user of the APM web interface can grant themselves administrator
access. When saveUser.do is called, it does not confirm the user has access to
modify their own (or other user’s) privileges. By changing the adminUser value
to "true" in the save user program’s URL, the user account will be saved and
granted administrative privileges.
In the URL below, replace my_id, My+name, email and other user information as
desired. Set the adminuser equal to "true" to grant escalated privileges to the
user identified by userID (userID is an internal Cyclades identifier--it can be
found in certain APM URLs or HTML pages).
	- Example URL:
/application/saveUser.do?userId=9&password=&userName=my_id&fullName=My+name&department=Security&location=Work&phone=555-1212&mobile=&pager=
&email=test%40example.com&status=Enable&localPassword=true&adminUser=true&forward=&action=Save
	- Reference: http://www.cirt.net/advisories/alterpath_privesc.shtml
	- Reference: http://www.osvdb.org/14074

Resolution:
The Cyclades APM software version 1.2.5 will address these issues when released.



-- 
http://www.cirt.net/      |     http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Thu Feb 24 2005 - 08:03:43 PST