Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance
From: "Moonen, Ralph" <Moonen.Ralph@xxxxxxx>
Date: Mon, 24 Apr 2006 23:05:41 +0200
Cc: "Kornelisse, Peter" <Kornelisse.Peter@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcZnx36cRlePkC4ZQJi5ElZomWlymwAGd9Mg
Thread-topic: Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance

--------------------
Multiple vulnerabilities have been identified in IP3 Networks
'NetAccess' NA75 appliance. 
--------------------

KPMG recommends that owners of a NetAccess NA75 take steps to ensure the
security of the 
device, and that IP3 Networks is contacted to acquire the new firmware
that includes the 
patches for the issues described. IP3 Networks has requested that
customers contact IP3 
through http://www.ip3.com/supportoverview.htm.

Product:                NA75 and possibly others
Revision:               na-img-4.0.34.bin
Vendor Status:  notified, verified and patch available from 1 April 2006
Risk:                   High
Remote:         Yes
Local:          Yes

---------------------

ISSUE 1: Various SQL injection vulnerabilities in the HTTP user
interface
Due to the absence of user input validation, attackers can embed SQL
commands and queries 
into various HTTP forms. The impact of this is that attackers can login
into the unit by 
specifying username 'admin' and password ' OR "1=1';--. This issue has
been described in
 http://www.securityfocus.com/bid/9858 in 2004, and was reportedly fixed
by IP3 in firmware 
3.1.18b13. However, as can be seen from the above info, we have found
the vulnerability to 
be present in firmware 4.0.34. 

ISSUE 2: Unix command injection vulnerability in command line interface
Due to the absence of user input filtering in the command line
interface, attackers can 
embed Unix commands in certain parameters by passing the commands in the
unix shell 
substitution characters '`'.  

ISSUE 3: No mandatory default password change on first login
The default username and password 'admin'/'admin' do not have to be
changed at first 
login. This greatly increases the chance of the password remaining
'admin' after install. 

ISSUE 4: World readable shadow password file
The shadow password file contains the encrypted passwords for all users
on the system. 
Password crackers can be used on this file to obtain the plaintext
passwords for users.  

ISSUE 5: NetAccess database file world readable and writable
The permission settings on the NetAccess database file allow all unix
users read and 
write access to the file, thereby allowing potentially sensitive
customer information 
to be disclosed. 


Ralph Moonen, CISSP
Manager KPMG Information Risk Management
Amstelveen, The Netherlands


--------------------------------------------------------------------------------------------------------------------------------------------
De informatie verzonden met dit e-mailbericht (en bijlagen) is uitsluitend 
bestemd voor de geadresseerde(n) en zij die van de geadresseerde(n) toestemming 
hebben dit bericht te lezen. Gebruik door anderen dan geadresseerde(n) is 
verboden. De informatie in dit e-mailbericht (en de bijlagen) kan vertrouwelijk 
van aard zijn en kan binnen het bereik vallen van een geheimhoudingsplicht.
KPMG is niet aansprakelijk voor schade ten gevolge van het gebruik van 
elektronische middelen van communicatie, daaronder begrepen -maar niet beperkt 
tot- schade ten gevolge van niet aflevering of vertraging bij de aflevering van 
elektronische berichten, onderschepping of manipulatie van elektronische 
berichten door derden of door programmatuur/apparatuur gebruikt voor 
elektronische communicatie en overbrenging van virussen en andere kwaadaardige 
programmatuur.

Any information transmitted by means of this e-mail (and any of its 
attachments) is intended exclusively for the addressee or addressees and for 
those authorized by the addressee or addressees to read this message. Any use 
by a party other than the addressee or addressees is prohibited. The 
information contained in this e-mail (or any of its attachments) may be 
confidential in nature and fall under a duty of non-disclosure.
KPMG shall not be liable for damages resulting from the use of electronic means 
of communication, including -but not limited to- damages resulting from failure 
or delay in delivery of electronic communications, interception or manipulation 
of electronic communications by third parties or by computer programs used for 
electronic communications and transmission of viruses and other malicious code.

--------------------------------------------------------------------------------------------------------------------------------------------

Prev by Date: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit
Next by Date: RE: [Full-disclosure] Microsoft DNS resolver: deliberately sabotagedhosts-file lookup
Previous by thread: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit
Next by thread: Instant Photo Gallery <= Multiple XSS
Index(es):
- Date
- Thread