Kontakt

Kontaktieren Sie uns gerne

+49 241 510081-0
kontakt@redteam-pentesting.de
Kontaktformular
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

Client Side Authorization ZyXEL ZyWALL USG Appliances Web Interface

The ZyXEL ZyWALL USG appliances perform parts of the authorization for their management web interface on the client side using JavaScript. By setting the JavaScript variable “isAdmin” to “true”, a user with limited access gets full access to the web interface.

Details

  • Product: ZyXEL USG (Unified Security Gateway) appliances
    • ZyWALL USG-20
    • ZyWALL USG-20W
    • ZyWALL USG-50
    • ZyWALL USG-100
    • ZyWALL USG-200
    • ZyWALL USG-300
    • ZyWALL USG-1000
    • ZyWALL USG-1050
    • ZyWALL USG-2000
    • Possibly other ZLD-based products
  • Affected Versions: Firmware Releases before April 25, 2011
  • Fixed Versions: Firmware Releases from or after April 25, 2011
  • Vulnerability Type: Client Side Authorization
  • Security Risk: medium
  • Vendor URL: http://www.zyxel.com/
  • Vendor Status: fixed version released
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2011-004
  • Advisory Status: published
  • CVE: GENERIC-MAP-NOMATCH
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction

``The ZyWALL USG (Unified Security Gateway) Series is the “third generation” ZyWALL featuring an all-new platform. It provides greater performance protection, as well as a deep packet inspection security solution for small businesses to enterprises alike. It embodies a Stateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion Detection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN (IPSec/SSL/L2TP) in one box. This multilayered security safeguards your organization’s customer and company records, intellectual property, and critical resources from external and internal threats.''

(From the vendor’s homepage)

More Details

Users with the role “limited-admin” are allowed to log into the web-based administrative interface and configure some aspects of a ZyWALL USG appliance. It is usually not possible to download the current configuration file, as this includes the password-hashes of all users. When the “download” button in the File Manager part of the web interface is pressed, a JavaScript dialogue window informs the user that this operation is not allowed. However, setting the JavaScript variable “isAdmin” to “true” (e.g. by using the JavaScript console of the “Firebug” extension for the Firefox web browser) disables this check and lets the user download the desired configuration file. It is also possible to directly open the URL that downloads the configuration file. The appliances do not check the users’ permissions on the server side.

Proof of Concept

After logging into the web interface, set the local JavaScript variable “isAdmin” to “true” and use the File Manager to download configuration files. Alternatively, the current configuration file (including the password hashes) can also be downloaded directly by accessing the following URL:

https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.conf

Workaround

If possible, disable the web-based administrative interface or ensure otherwise that the interface is not exposed to attackers.

Fix

Upgrade to a firmware released on or after April 25, 2011.

Security Risk

This vulnerability enables users of the role “limited-admin” to access configuration files with potentially sensitive information (like the password hashes of all other users). The risk of this vulnerability is estimated as medium.

History

  • 2011-03-07 Vulnerability identified
  • 2011-04-06 Customer approved disclosure to vendor
  • 2011-04-07 Vendor notified
  • 2011-04-08 Meeting with vendor
  • 2011-04-15 Vulnerability fixed by vendor
  • 2011-04-18 Test appliance and beta firmware supplied to
    RedTeam Pentesting, fix verified
  • 2011-04-25 Vendor released new firmwares with fix
  • 2011-04-29 Vendor confirms that other ZLD-based devices may also be
    affected
  • 2011-05-04 Advisory released

RedTeam Pentesting likes to thank ZyXEL for the fast response and professional collaboration.

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.