==================================================
Layered Defense Research Advisory 12 August 2008

1) Affected Product
Alcatel-Lucent OmniSwitch products
OS7000
OS6600
OS6800
OS6850
OS9000

2) Severity Rating:
critical
Impact: Remotely exploitable without authentication.

3) Description of Vulnerability
A stack based buffer overflow was discovered within Alcatel OmniSwitch product line.
This buffer overflow was discovered within the Agranet-Emweb embedded management web server and can be exploited
remotely without user authentication.
The vulnerability can be triggered on a 6200-24 running AOS Version 5.4.1.396.R01 by sending 2392 bytes in the http
header “Cookie: Session=” This appears to overwrite a return address on the stack giving the attacker control of the
instruction pointer. The amount of bytes needed to trigger the overflow varies between AOS versions.

4) Solution
Fix:

1. Install AOS upgrades as recommended by Vendor
2. Disable Web services on OmniSwitch products
   ==================================================
   5) Time Table:
   05/21/2008 Reported Vulnerability to Vendor.
   06/27/2008 Vendor acknowledged the vulnerability
   08/06/2008 Vendor published hot fix
   ==================================================
   6) Credits Discovered by Deral Heiland, www.LayeredDefense.com
   ==================================================
   7) Reference
   http://www1.alcatel-lucent.com/psirt/statements/2008002/OmniSwitch.htm
   https://wws.cert-ist.com/fast-cgi/AV/Details.cgi?lang=eng&action=1&format=3&ref=CERT-IST/AV-2008.333
   ==================================================
   8) About Layered Defense Layered Defense, Is a group of security professionals that work together on ethical
   Research, Testing and Training within the information security arena. http://www.layereddefense.com
   ==================================================