A stack based buffer overflow was discovered within Alcatel OmniSwitch product line.
This buffer overflow was discovered within the Agranet-Emweb embedded management web server and can be exploited remotely without user authentication.
The vulnerability can be triggered on a 6200-24 running AOS Version 5.4.1.396.R01 by sending 2392 bytes in the http header ?Cookie: Session=? This appears to overwrite a return address on the stack giving the attacker control of the instruction pointer. The amount of bytes needed to trigger the overflow varies between AOS versions.
8) About Layered Defense Layered Defense, Is a group of security professionals that work together on ethical Research, Testing and Training within the information security arena. http://www.layereddefense.com
Layered Defense Research Advisory 12 August 2008
==================================================
1) Affected Product
Alcatel-Lucent OmniSwitch products
OS7000
OS6600
OS6800
OS6850
OS9000
==================================================
2) Severity Rating:
critical
Impact: Remotely exploitable without authentication.
==================================================
3) Description of Vulnerability
A stack based buffer overflow was discovered within Alcatel OmniSwitch product line.
This buffer overflow was discovered within the Agranet-Emweb embedded management web server and can be exploited remotely without user authentication.
The vulnerability can be triggered on a 6200-24 running AOS Version 5.4.1.396.R01 by sending 2392 bytes in the http header ?Cookie: Session=? This appears to overwrite a return address on the stack giving the attacker control of the instruction pointer. The amount of bytes needed to trigger the overflow varies between AOS versions.
==================================================
4) Solution
Fix:
1. Install AOS upgrades as recommended by Vendor
2. Disable Web services on OmniSwitch products
==================================================
5) Time Table:
05/21/2008 Reported Vulnerability to Vendor.
06/27/2008 Vendor acknowledged the vulnerability
08/06/2008 Vendor published hot fix
==================================================
6) Credits Discovered by Deral Heiland, www.LayeredDefense.com
==================================================
7) Reference
http://www1.alcatel-lucent.com/psirt/statements/2008002/OmniSwitch.htm
https://wws.cert-ist.com/fast-cgi/AV/Details.cgi?lang=eng&action=1&forma
t=3&ref=CERT-IST/AV-2008.333
==================================================
8) About Layered Defense Layered Defense, Is a group of security professionals that work together on ethical Research, Testing and Training within the information security arena. http://www.layereddefense.com
==================================================
[ reply ]