Cyclades AlterPath Manager Privilege Escalation

Product:
AlterPath Manager (APM) Console Server

Released:
01/23/2005

Description:
AlterPath Manager (APM) allows any connected user grant themselves administrator access.

Systems Affected:
AlterPath Manager 1.1.0 and below

Technical Description:
Any authorized user of the APM 1.1.0 web interface can grant themselves administrator access. When saveUser.do is called, it does not confirm the user has access to modify user accounts. By changing the adminUser value to "true", their user account can be saved and granted administrative privleges.

In the URL below, replace my_id, My+name, email and other user information as desired. Set the adminuser equal to "true" to grant escalated privileges--this will grant the user identified by userID (userID is an internal Cyclades identifier--it can be found in certain APM URLs or HTML pages):

  • /application/saveUser.do?userId=9&password=&userName=my_id&fullName=My+name&department=Security&location=Work&phone=555-1212&mobile=&pager=
    &email=test%40example.com&status=Enable&localPassword=true&adminUser=true&forward=&action=Save

Fix/Workaround:
Upgrade to version 1.2.0 or higher.

Vendor Status:

  • Cyclades was notified on 12/13/2004 and confirmed receipt on 12/14/2004.
  • Cyclades responded to an inquiry on 1/20/2005 to confirm version 1.2.5 would address this issue.
  • Cyclades responded to an inquiry on 2/15/2005 to state they still did not have a release date, but did not respond with more information.
  • Released on 2/23/2005.
  • Cyclades responded on 2/25/2005 to clear up version information.

Contacts:
sullo@cirt.net

References:
Updated information can be found on OSVDB.org under the following entries:

OSVDB-14074Cyclades AlterPath Manager Privilege Escalation

Updates:

  • Advisory listed 1.2.0 as vulnerable, which was incorrect. This was fixed as of APM version 1.2.0.
Vulnerabilities: