Hole in OmniPCX Enterprise communications software
Security service provider RedTeam Pentesting has found a hole in Alcatel-Lucent's OmniPCX Enterprise telecommunications solution. The Unified Maintenance Tool CGI script, which the web server uses for maintenance, allows arbitrary shell commands to be executed. The problem results from improper filtering of user-supplied variables: additional input separated by semicolons can be passed to the script and from there on to the shell:
curl -k "https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=;ls\${IFS}-l;"
All versions of OmniPCX Enterprise up to and including R 7.1 are affected. An update closes the hole. The vendor also recommends disabling the web server, although some nice-to-have functions are then no longer available.
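To check whether a system that has not yet been updated received requests of this shape, the following added example (not taken from the article or either advisory) flags masterCGI requests whose parameters decode to shell metacharacters. The Apache-style log format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Path as shown in the article; adjust if the CGI is mounted elsewhere.
CGI_PATH = "/cgi-bin/masterCGI"
# Characters and sequences a shell treats specially; none belongs in a
# user name or a ping target.
SHELL_META = re.compile(r"[;|&`<>\r\n]|\$\(|\$\{|\$IFS")
# Common/combined log format (assumed): the request line is a quoted field.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, arbitrary timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/masterCGI?ping=nomip&user=admin HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/masterCGI?ping=nomip&user=;ls${IFS}-l; HTTP/1.1" 200 2048',
    '192.0.2.77 - - [01/Jan/2000:10:00:09 +0000] "GET /cgi-bin/masterCGI?ping=nomip&user=%3Bls%24%7BIFS%7D-l%3B HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2000:10:00:12 +0000] "GET /index.html?q=a;b HTTP/1.1" 200 100',
]

def suspicious_params(log_line):
    """Return [(name, decoded_value)] for masterCGI parameters that
    contain shell metacharacters after URL decoding."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if url.path != CGI_PATH:
        return []
    hits = []
    # Split on '&' only: a ';' must stay inside the value so it is inspected
    # instead of being treated as a parameter separator.
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # catches percent-encoded variants too
        if SHELL_META.search(value):
            hits.append((unquote_plus(name), value))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"{line.split()[0]} parameter {name!r} = {value!r}")
```

A hit only shows that such a request was received, not whether it succeeded, so matching entries still need to be checked against the installed version.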
- Shell injection vulnerability in OmniPCX Enterprise, Alcatel-Lucent's security advisory
- Alcatel-Lucent OmniPCX Remote Command Execution, RedTeam's security advisory
(mba)