LevelOne AMG-2000 Wireless AP Proxy Bypass

2009-04-29T00:00:00
ID PACKETSTORM:77109
Type packetstorm
Reporter Johannes Greil
Modified 2009-04-29T00:00:00

Description

                                        
                                            `SEC Consult Security Advisory < 20090429-0 >  
=======================================================================  
title: Proxy bypass vulnerability & plain text passwords  
in LevelOne AMG-2000  
product: LevelOne AMG-2000 Wireless AP Management Gateway   
vulnerable version: Firmware <=2.00.00build00600   
impact: critical  
homepage: http://www.level1.com  
found: 2008-12-16  
by: J. Greil / SEC Consult / www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
"LevelOne was established in 1991 in Dortmund, Germany by Digital Data  
Communications GmbH. By providing quality networking products and solutions,  
we've grown steadily throughout the years with Branch Offices in 20 countries  
around the world."  
  
"AMG-2000 is an AP Management Gateway dedicatedly designed for small to  
medium-sized network deployment and management, making it an ideal solution  
for easily creating and extending WLANs in SMB offices. With its user  
management features, administrators will be able to manage the whole process  
of wireless network access. In addition, Access Point (AP) management  
functions allow administrators to discover, configure, update, and monitor all  
managed APs from a single secured interface, and from there, gain full control  
of entire wireless network."  
  
  
Sources: http://global.level1.com/aboutus.php  
& AMG-2000 Manual v2.0, Jun-13-2007  
  
  
Vulnerability overview:  
-----------------------  
AMG-2000 uses an internal Squid proxy to restrict access to the wireless LAN  
or Internet, e.g. by supplying a username/password on the portal site (depends  
on how the system is configured, e.g. on-demand "guest" users or  
authentication via RADIUS, LDAP or NT domain). This built-in proxy is  
misconfigured which leads to the following vulnerability:  
  
1) An _authenticated_ WLAN guest user/attacker is able to access the  
restricted administration interface of the AMG-2000 with specially crafted  
HTTP requests. Furthermore an attacker is able to access the internal company  
network over the wireless network!  
  
  
2) The administration interface shows the passwords of all locally configured  
users (e.g. on-demand/guest users) and other sensitive settings in plain text.   
  
  
Vulnerability description:  
--------------------------  
1) An attacker is able to access the administration interface from the WLAN by  
manipulating the "Host:" header and Request-URI in the HTTP GET request to the  
proxy server running on the AMG-2000. It is possible to specify arbitrary IP  
addresses (such as 127.0.0.1 or IPs from the internal network of the  
management "private LAN" port) which an attacker is then able to access. The  
squid proxy runs on port 2128 by default on the AMG-2000.  
  
  
2) All passwords from local user accounts, such as on-demand guest users, are  
shown in plain text in the admin interface (e.g. also see manual screenshots).  
An attacker may gain access to the interface through weak default passwords  
that have been forgotten to be changed.  
  
The configured users are e.g. accessible/manageable via the default system  
accounts "operator" (pw: operator, on-demand users only) or "manager" (pw:  
manager, access to the whole user authentication area), hence an attacker  
doesn't necessarily need the admin password.  
  
An attacker may exploit those accounts to gain further access to the system  
and surf on the Internet on behalf of other users (e.g. ones without a time  
restriction) or create arbitrary WLAN users for later access.  
  
  
Proof of concept:  
-----------------  
1)  
* Example IP address of the AMG-2000 gateway: 192.168.0.1  
* E.g. use a local proxy such as burp to manipulate the request of the browser  
to the gateway or write your own scripts.  
  
a) HTTP request to access the administration interface login page from the  
WLAN:  
=================================  
GET http://127.0.0.1/ HTTP/1.1  
Host: 192.168.0.1:2128  
[...]  
=================================  
  
b) HTTP request to login to the admin interface with the user "manager":  
=================================  
POST http://127.0.0.1/check.shtml HTTP/1.1  
Host: 192.168.0.1:2128  
[...]  
  
username=manager&password=manager&Submit=ENTER  
=================================  
  
c) HTTP request to access other internal IP addresses configured on the  
private LAN port:  
=================================  
GET http://10.0.0.1/ HTTP/1.1  
Host: 192.168.0.1:2128  
[...]  
=================================  
  
  
2) Just try the default accounts (operator, manager) to access all passwords  
of all other local users.  
  
  
Vulnerable versions:  
--------------------  
The firmware versions  
* v2.00.00build00600 (latest available)  
* v1.01.01  
have been tested and they are vulnerable. It is assumed that all other  
versions are vulnerable too.  
  
  
Vendor contact timeline:  
------------------------  
2009-03-03: Asking support@ and security@level-one.de for a security contact,  
attaching the SEC Consult responsible disclosure document.  
I didn't find any reference to the security@ email address, it  
seems that it is not being used.  
http://global.level1.com/contactus.php  
http://www.level-one.de/impressum.php  
2009-03-10: Asking again, adding info@digital-data.de to the email list  
2009-03-13: Vendor (digital-data.de) reply  
2009-03-17: Sending vendor (digital-data.de) detailed security advisory  
with proposed disclosure/release date  
2009-03-23: Asking vendor (digital-data.de) whether they have verified the  
vulnerability  
2009-03-23: Digital-data.de replies that the advisory information has been  
sent to LevelOne who have not anwsered yet   
2009-04-15: Asked the contact at digital-data.de about the status and told  
again that the advisory will be published on 2009-04-29 as   
mentioned in the email from 2009-03-23 (according to disclosure  
policy).  
2009-04-15: Received out-of-office reply until 2009-04-17, no answer  
2009-04-27: Sent another reminder email with disclosure date info, received  
out-of-office until 2009-04-28 again, no answer  
2009-04-29: Public disclosure  
  
  
Solution:  
---------  
No vendor solution available, see workaround section.  
  
  
Workaround:  
-----------  
Reduce the attack surface, don't use the (private) LAN ports where users don't  
need authentication and only use the "private LAN" management port on demand  
(e.g. remove the cable or disable the port on the switch where the AMG-2000 is  
attached) so an attacker isn't able to access the internal network.  
  
Use strong passwords for the administration interface and remove all default  
accounts/passwords. Keep in mind that access to the admin interface/brute force  
attacks are still possible due to the proxy vulnerability!  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/advisories_e.html#a53  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
www.sec-consult.com  
  
SEC Consult conducts periodical information security workshops on ISO   
27001/BS 7799 in cooperation with BSI Management Systems. For more   
information, please refer to https://www.sec-consult.com/academy_e.html  
  
EOF J. Greil / @2009  
`