VAR-200001-0040
Vulnerability from variot - Updated: 2023-12-18 12:24cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to read arbitrary files by specifying the filename in a parameter to the script. The Contivity series is an external network switch product developed by Nortel. The newer Contivity switch includes an httpd server running on the VxWorks operating system to provide a remote Web-based management interface.
A vulnerability exists in the "cgiproc" script implementation of the Web management interface of the Contivity series switches. A remote attacker could use this vulnerability to conduct a denial of service attack on the switch or view arbitrary system files.
Because the user input is not sufficiently filtered, if you pass metacharacters to the cgiporc program, such as "!" Or "$", the system will crash. Another vulnerability of cgiproc is the lack of authentication when requesting a management page. This enables an attacker to view any file in the web server. A total system crash can occur as a result of exploiting a vulnerability in a cgi-bin program called "cgiproc" that is included with the webserver. If metacharacters such as "!", or "$" are passed to cgiproc, the system will crash (because the characters are not escaped). foo foo@blacklisted.intranova.net provided the following example: http://x.x.x.x/manage/cgi/cgiproc?$ [crash] No evidence of this problem being exploited is saved in the logs. foo foo@blacklisted.intranova.net also provided an example for this vulnerability: http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file. (interesting places to look: /system/filelist.dat, /system/version.dat, /system/keys, /system/core, etc.) All that is written to the logs when this is exploited is below: 09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login In order to perform the operations detailed in the report, the "attackers" must be internal, private side users or authenticated tunnel users and the site administrator must allow them HTTP as a management protocol
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200001-0040",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "contivity",
"scope": "eq",
"trust": 1.6,
"vendor": "nortel",
"version": "1.0"
},
{
"model": null,
"scope": null,
"trust": 0.6,
"vendor": "none",
"version": null
},
{
"model": "networks contivity extranet switch",
"scope": "eq",
"trust": 0.3,
"vendor": "nortel",
"version": "2500"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2001-0323"
},
{
"db": "BID",
"id": "938"
},
{
"db": "NVD",
"id": "CVE-2000-0063"
},
{
"db": "CNNVD",
"id": "CNNVD-200001-039"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:nortel:contivity:1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2000-0063"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "foo foo@blacklisted.intranova.net",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200001-039"
}
],
"trust": 0.6
},
"cve": "CVE-2000-0063",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "663d977a-2079-11e6-abef-000c29c66e3d",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-1642",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2000-0063",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-200001-039",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "IVD",
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1",
"trust": 0.2,
"value": "MEDIUM"
},
{
"author": "IVD",
"id": "663d977a-2079-11e6-abef-000c29c66e3d",
"trust": 0.2,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-1642",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1"
},
{
"db": "IVD",
"id": "663d977a-2079-11e6-abef-000c29c66e3d"
},
{
"db": "VULHUB",
"id": "VHN-1642"
},
{
"db": "NVD",
"id": "CVE-2000-0063"
},
{
"db": "CNNVD",
"id": "CNNVD-200001-039"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to read arbitrary files by specifying the filename in a parameter to the script. The Contivity series is an external network switch product developed by Nortel. The newer Contivity switch includes an httpd server running on the VxWorks operating system to provide a remote Web-based management interface. \n\n\u00a0A vulnerability exists in the \"cgiproc\" script implementation of the Web management interface of the Contivity series switches. A remote attacker could use this vulnerability to conduct a denial of service attack on the switch or view arbitrary system files. \n\n\u00a0Because the user input is not sufficiently filtered, if you pass metacharacters to the cgiporc program, such as \"!\" Or \"$\", the system will crash. Another vulnerability of cgiproc is the lack of authentication when requesting a management page. This enables an attacker to view any file in the web server. A total system crash can occur as a result of exploiting a vulnerability in a cgi-bin program called \"cgiproc\" that is included with the webserver. If metacharacters such as \"!\", or \"$\" are passed to cgiproc, the system will crash (because the characters are not escaped). \nfoo \u003cfoo@blacklisted.intranova.net\u003e provided the following example:\nhttp://x.x.x.x/manage/cgi/cgiproc?$\n[crash]\nNo evidence of this problem being exploited is saved in the logs. \nfoo \u003cfoo@blacklisted.intranova.net\u003e also provided an example for this vulnerability:\nhttp://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file. \n(interesting places to look: /system/filelist.dat, /system/version.dat, /system/keys, /system/core, etc.)\nAll that is written to the logs when this is exploited is below:\n09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login\nIn order to perform the operations detailed in the report, the \"attackers\" must be internal, private side users or authenticated tunnel users and the site administrator must allow them HTTP as a management protocol",
"sources": [
{
"db": "NVD",
"id": "CVE-2000-0063"
},
{
"db": "CNVD",
"id": "CNVD-2001-0323"
},
{
"db": "BID",
"id": "938"
},
{
"db": "IVD",
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1"
},
{
"db": "IVD",
"id": "663d977a-2079-11e6-abef-000c29c66e3d"
},
{
"db": "VULHUB",
"id": "VHN-1642"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2000-0063",
"trust": 2.7
},
{
"db": "BID",
"id": "938",
"trust": 2.0
},
{
"db": "CNNVD",
"id": "CNNVD-200001-039",
"trust": 1.1
},
{
"db": "CNVD",
"id": "CNVD-2001-0323",
"trust": 1.0
},
{
"db": "NSFOCUS",
"id": "257",
"trust": 0.6
},
{
"db": "IVD",
"id": "7D77FBD3-463F-11E9-88DF-000C29342CB1",
"trust": 0.2
},
{
"db": "IVD",
"id": "663D977A-2079-11E6-ABEF-000C29C66E3D",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-1642",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1"
},
{
"db": "IVD",
"id": "663d977a-2079-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2001-0323"
},
{
"db": "VULHUB",
"id": "VHN-1642"
},
{
"db": "BID",
"id": "938"
},
{
"db": "NVD",
"id": "CVE-2000-0063"
},
{
"db": "CNNVD",
"id": "CNNVD-200001-039"
}
]
},
"id": "VAR-200001-0040",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1"
},
{
"db": "IVD",
"id": "663d977a-2079-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2001-0323"
},
{
"db": "VULHUB",
"id": "VHN-1642"
}
],
"trust": 0.11000000000000001
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 1.0
}
],
"sources": [
{
"db": "IVD",
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1"
},
{
"db": "IVD",
"id": "663d977a-2079-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2001-0323"
}
]
},
"last_update_date": "2023-12-18T12:24:53.996000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2000-0063"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/938"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/257"
},
{
"trust": 0.3,
"url": "http://www.nortelnetworks.com/products/01/contivity/index.html"
},
{
"trust": 0.1,
"url": ""
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-1642"
},
{
"db": "BID",
"id": "938"
},
{
"db": "NVD",
"id": "CVE-2000-0063"
},
{
"db": "CNNVD",
"id": "CNNVD-200001-039"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1"
},
{
"db": "IVD",
"id": "663d977a-2079-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2001-0323"
},
{
"db": "VULHUB",
"id": "VHN-1642"
},
{
"db": "BID",
"id": "938"
},
{
"db": "NVD",
"id": "CVE-2000-0063"
},
{
"db": "CNNVD",
"id": "CNNVD-200001-039"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2001-01-19T00:00:00",
"db": "IVD",
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1"
},
{
"date": "2001-01-19T00:00:00",
"db": "IVD",
"id": "663d977a-2079-11e6-abef-000c29c66e3d"
},
{
"date": "2001-01-19T00:00:00",
"db": "CNVD",
"id": "CNVD-2001-0323"
},
{
"date": "2000-01-17T00:00:00",
"db": "VULHUB",
"id": "VHN-1642"
},
{
"date": "2000-01-18T00:00:00",
"db": "BID",
"id": "938"
},
{
"date": "2000-01-17T05:00:00",
"db": "NVD",
"id": "CVE-2000-0063"
},
{
"date": "2000-01-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200001-039"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2001-01-19T00:00:00",
"db": "CNVD",
"id": "CNVD-2001-0323"
},
{
"date": "2008-09-10T00:00:00",
"db": "VULHUB",
"id": "VHN-1642"
},
{
"date": "2000-01-18T00:00:00",
"db": "BID",
"id": "938"
},
{
"date": "2008-09-10T19:02:41.913000",
"db": "NVD",
"id": "CVE-2000-0063"
},
{
"date": "2006-08-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200001-039"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200001-039"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Nortel Contivity Switch Remote Denial of Service Attack and File Leak Vulnerability",
"sources": [
{
"db": "IVD",
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1"
},
{
"db": "IVD",
"id": "663d977a-2079-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2001-0323"
}
],
"trust": 1.0
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "IVD",
"id": "7d77fbd3-463f-11e9-88df-000c29342cb1"
},
{
"db": "IVD",
"id": "663d977a-2079-11e6-abef-000c29c66e3d"
},
{
"db": "CNNVD",
"id": "CNNVD-200001-039"
}
],
"trust": 1.0
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…