ZyWALL USG Appliance Access Bypass

Type packetstorm
Reporter redteam-pentesting.de
Modified 2011-05-04T00:00:00


Advisory: Client Side Authorization ZyXEL ZyWALL USG Appliances Web
The ZyXEL ZyWALL USG appliances perform parts of the authorization for  
their management web interface on the client side using JavaScript. By  
setting the JavaScript variable "isAdmin" to "true", a user with limited  
access gets full access to the web interface.  
Product: ZyXEL USG (Unified Security Gateway) appliances  
ZyWALL USG-100  
ZyWALL USG-200  
ZyWALL USG-300  
ZyWALL USG-1000  
ZyWALL USG-1050  
ZyWALL USG-2000  
Possibly other ZLD-based products  
Affected Versions: Firmware Releases before April 25, 2011  
Fixed Versions: Firmware Releases from or after April 25, 2011  
Vulnerability Type: Client Side Authorization  
Security Risk: medium  
Vendor URL: http://www.zyxel.com/  
Vendor Status: fixed version released  
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-004  
Advisory Status: published  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
``The ZyWALL USG (Unified Security Gateway) Series is the "third  
generation" ZyWALL featuring an all-new platform. It provides greater  
performance protection, as well as a deep packet inspection security  
solution for small businesses to enterprises alike. It embodies a  
Stateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion  
Detection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN  
(IPSec/SSL/L2TP) in one box. This multilayered security safeguards your  
organization's customer and company records, intellectual property, and  
critical resources from external and internal threats.''  
(From the vendor's homepage)  
More Details  
Users with the role "limited-admin" are allowed to log into the  
web-based administrative interface and configure some aspects of a  
ZyWALL USG appliance. It is usually not possible to download the current
configuration file, as it includes the password hashes of all users.
When the "download" button in the File Manager part of the web interface  
is pressed, a JavaScript dialogue window informs the user that this  
operation is not allowed. However, setting the JavaScript variable  
"isAdmin" to "true" (e.g. by using the JavaScript console of the  
"Firebug" extension for the Firefox web browser) disables this check and  
lets the user download the desired configuration file. It is also  
possible to directly open the URL that downloads the configuration file.  
The appliances do not check the users' permissions on the server side.  
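The pattern the advisory describes, shown as an added example in plain JavaScript (not ZyXEL's code): a configuration download handler that relies only on the browser's isAdmin gate, beside one that enforces the user's role on the server for every request. The session store, the permission names and the endpoint path are assumptions made for the illustration.

```javascript
// Constructed session store: the server maps a session cookie to the user
// and the role it established at login. The browser never asserts its role.
const SESSIONS = new Map([
  ["sess-admin-1", { user: "admin", role: "admin" }],
  ["sess-limited-1", { user: "helpdesk", role: "limited-admin" }],
]);

// Assumed permission model: only a full admin may export the running
// configuration, because it contains every user's password hash.
const PERMISSIONS = {
  "admin": new Set(["config:view", "config:download"]),
  "limited-admin": new Set(["config:view"]),
};

// Vulnerable pattern from the advisory: the only gate is the isAdmin flag in
// the page's JavaScript. Once a request reaches the server, any logged-in
// session is served the file, so the UI check is not a security control.
function vulnerableDownload(req) {
  const session = SESSIONS.get(req.cookies.session);
  if (!session) return { status: 401, body: "login required" };
  return { status: 200, body: "<configuration file, including password hashes>" };
}

// Hardened pattern: the server resolves the role from its own session record
// and checks the permission for this specific operation on every request.
function hardenedDownload(req) {
  const session = SESSIONS.get(req.cookies.session);
  if (!session) return { status: 401, body: "login required" };
  const allowed = PERMISSIONS[session.role] || new Set();
  if (!allowed.has("config:download")) {
    // Log the denial: repeated 403s from one limited-admin session are a
    // useful detection signal for someone probing the interface.
    console.warn(`denied config:download for ${session.user} (${session.role})`);
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: "<configuration file, including password hashes>" };
}

// Build a request carrying a given session cookie (hypothetical endpoint path).
function request(sessionId) {
  return { path: "/download-config", cookies: { session: sessionId } };
}
```

The only state the hardened handler trusts is its own session record; nothing the browser's scripts hold changes the outcome.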
Proof of Concept  
After logging into the web interface, set the local JavaScript variable  
"isAdmin" to "true" and use the File Manager to download configuration  
files. Alternatively, the current configuration file (including the  
password hashes) can also be downloaded directly by accessing the  
following URL:  
Workaround
If possible, disable the web-based administrative interface or ensure
otherwise that the interface is not exposed to attackers.
Fix
Upgrade to a firmware released on or after April 25, 2011.
Security Risk  
This vulnerability enables users of the role "limited-admin" to access  
configuration files with potentially sensitive information (like the  
password hashes of all other users). The risk of this vulnerability is  
estimated as medium.  
History
2011-03-07 Vulnerability identified
2011-04-06 Customer approved disclosure to vendor  
2011-04-07 Vendor notified  
2011-04-08 Meeting with vendor  
2011-04-15 Vulnerability fixed by vendor  
2011-04-18 Test appliance and beta firmware supplied to RedTeam Pentesting, fix verified
2011-04-25 Vendor released new firmwares with fix  
2011-04-29 Vendor confirms that other ZLD-based devices may also be  
2011-05-04 Advisory released  
RedTeam Pentesting would like to thank ZyXEL for the fast response and
professional collaboration.
RedTeam Pentesting GmbH  
RedTeam Pentesting offers individual penetration tests (pentests for
short), performed by a team of specialised IT security experts, through
which security weaknesses in company networks or products are uncovered
so that they can be fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at  
RedTeam Pentesting GmbH
Dennewartstr. 25-27
52068 Aachen
Germany
Tel.: +49 241 963-1300
Fax : +49 241 963-1304
http://www.redteam-pentesting.de/
Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck