扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 |
Advisory: Authentication Bypass in Configuration Import and Export of ZyXEL ZyWALL USG Appliances Unauthenticated users with access to the management web interface of certain ZyXEL ZyWALL USG appliances can download and upload configuration files, that are applied automatically. Details ======= Product: ZyXEL USG (Unified Security Gateway) appliances ZyWALL USG-20 ZyWALL USG-20W ZyWALL USG-50 ZyWALL USG-100 ZyWALL USG-200 ZyWALL USG-300 ZyWALL USG-1000 ZyWALL USG-1050 ZyWALL USG-2000 Possibly other ZLD-based products Affected Versions: Firmware Releases before April 25, 2011 Fixed Versions: Firmware Releases from or after April 25, 2011 Vulnerability Type: Authentication Bypass Security Risk: high Vendor URL: http://www.zyxel.com/ Vendor Status: fixed version released Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-003 Advisory Status: published CVE: GENERIC-MAP-NOMATCH CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH Introduction ============ </code>The ZyWALL USG (Unified Security Gateway) Series is the "third generation" ZyWALL featuring an all-new platform. It provides greater performance protection, as well as a deep packet inspection security solution for small businesses to enterprises alike. It embodies a Stateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion Detection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN (IPSec/SSL/L2TP) in one box. This multilayered security safeguards your organization's customer and company records, intellectual property, and critical resources from external and internal threats.'' (From the vendor's homepage) More Details ============ During a penetration test, a ZyXEL ZyWALL USG appliance was found and tested for security vulnerabilities.The following sections first describe, how the appliance's filesystem can be extracted from the encrypted firmware upgrade zip files.Afterwards it is shown, how arbitrary configuration files can be up- and downloaded from the appliance.This way, a custom user account with a chosen password can be added to the running appliance without the need of a reboot. Decrypting the ZyWALL Firmware Upgrade Files -------------------------------------------- Firmware upgrade files for ZyXEL ZyWALL USG appliances consist of a regularly compressed zip file, which contains, among others, two encrypted zip files with the main firmware.For example, the current firmware version 2.21(BQD.2) for the ZyWALL USG 20 ("ZyWALL USG 20_2.21(BDQ.2)C0.zip") contains the following files: -rw-r--r-- 1 user user 43116374 Sep 302010 221BDQ2C0.bin -rw-r--r-- 1 user user 7354 Sep 302010 221BDQ2C0.conf -rw-r--r-- 1 user user28395 Sep 302010 221BDQ2C0.db -rw-r--r-- 1 user user 703402 Oct 12 17:48 221BDQ2C0.pdf -rw-r--r-- 1 user user3441664 Sep 302010 221BDQ2C0.ri -rw-r--r-- 1 user user231 Sep 302010 firmware.xml The files 221BDQ2C0.bin and 221BDQ2C0.db are encrypted zip files that require a password for decompression.Listing the contents is possible: $ unzip -l 221BDQ2C0.bin Archive:221BDQ2C0.bin LengthDateTimeName ------------------- ----- ---- 400752642010-09-15 06:32 compress.img 02010-09-30 04:48 db/ 02010-09-30 04:48 db/etc/ 02010-09-30 04:48 db/etc/zyxel/ 02010-09-30 04:48 db/etc/zyxel/ftp/ 02010-09-30 04:48 db/etc/zyxel/ftp/conf/ 202010-09-14 14:46 db/etc/zyxel/ftp/conf/htm-default.conf 73542010-09-14 14:46 db/etc/zyxel/ftp/conf/system-default.conf 02010-09-30 04:48 etc_writable/ 02010-09-30 04:48 etc_writable/budget/ 02010-09-14 15:08 etc_writable/budget/budget.conf 02010-09-15 06:28 etc_writable/firmware-upgraded 812010-09-14 15:09 etc_writable/myzyxel_info.conf 2432010-09-14 15:03 etc_writable/tr069ta.conf 02010-09-30 04:48 etc_writable/zyxel/ 02010-09-30 04:48 etc_writable/zyxel/conf/ 9962010-09-15 06:28 etc_writable/zyxel/conf/__eps_checking_default.xml 426972010-09-14 14:46 etc_writable/zyxel/conf/__system_default.xml 952010-09-30 04:48 filechecksum 10232010-09-30 04:48 filelist 3362010-09-30 04:48 fwversion 502010-09-15 06:34 kernelchecksum 34416642010-09-30 04:48 kernelusg20.bin 02010-09-14 14:46 wtp_image/ --------- ------- 43569823 24 files $ unzip -l 221BDQ2C0.db Archive:221BDQ2C0.db LengthDateTimeName ------------------- ----- ---- 02009-07-29 04:44 db_remove_lst 02010-09-15 06:28 etc/ 02010-09-15 06:35 etc/idp/ 392010-09-14 16:08 etc/idp/all.conf 252010-09-14 16:08 etc/idp/attributes.txt 6392010-09-14 16:08 etc/idp/attributes_self.txt 2772010-09-14 16:08 etc/idp/device.conf 392010-09-14 16:08 etc/idp/dmz.conf 392010-09-14 16:08 etc/idp/lan.conf 392010-09-14 16:08 etc/idp/none.conf 605812010-09-14 16:08 etc/idp/self.ref 51902010-09-14 16:08 etc/idp/self.rules 02010-09-14 16:08 etc/idp/update.ref 02010-09-14 16:08 etc/idp/update.rules 392010-09-14 16:08 etc/idp/wan.conf 4450752010-09-14 16:08 etc/idp/zyxel.ref 3272010-09-14 16:08 etc/idp/zyxel.rules 02010-09-14 16:05 etc/zyxel/ 02010-09-15 06:35 etc/zyxel/ftp/ 02010-09-15 06:35 etc/zyxel/ftp/.dha/ 02010-09-15 06:35 etc/zyxel/ftp/.dha/dha_idp/ 02010-09-15 06:35 etc/zyxel/ftp/cert/ 02010-09-15 06:35 etc/zyxel/ftp/cert/trusted/ 02010-09-15 06:35 etc/zyxel/ftp/conf/ 202010-09-14 14:46 etc/zyxel/ftp/conf/htm-default.conf 73542010-09-14 14:46 etc/zyxel/ftp/conf/system-default.conf 02010-09-15 06:35 etc/zyxel/ftp/dev/ 02010-09-15 06:35 etc/zyxel/ftp/idp/ 02010-09-15 06:35 etc/zyxel/ftp/packet_trace/ 02010-09-15 06:35 etc/zyxel/ftp/script/ 12562010-09-15 06:35 filelist --------- ------- 520939 31 files During a penetration test it was discovered that the file "221BDQ2C0.conf" (from the unencrypted firmware zip file) has exactly the same size as the file "system-default.conf" contained in each encrypted zip.This can be successfully used for a known-plaintext attack[1] against these files, afterwards the decrypted zip-files can be extracted.However, please note that this attack only allows decrypting the encrypted zip files, the password used for encrypting the files in the first place is not revealed. Among others, the following programs implement this attack: * PkCrack by Peter Conrad [2] * Elcomsoft Advanced Archive Password Recovery [3] Afterwards, the file "compress.img" from "221BDQ2C0.bin" can be decompressed (e.g. by using the program "unsquashfs"), revealing the filesystem for the appliance. Web-Interface Authentication Bypass ----------------------------------- ZyWALL USG appliances can be managed over a web-based administrative interface offered by an Apache http server.The interface requires authentication prior to any actions, only some static files can be requested without authentication. A custom Apache module "mod_auth_zyxel.so" implements the authentication, it is configured in etc/service_conf/httpd.conf in the firmware (see above). Several Patterns are configured with the directive "AuthZyxelSkipPattern", all URLs matching one of these patterns can be accessed without authentication: AuthZyxelSkipPattern /images/ /weblogin.cgi /I18N.js /language The administrative interface consists of several programs which are called as CGI scripts. For example, accessing the following URL after logging in with an admin account delivers the current startup configuration file: https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.conf The Apache httpd in the standard configuration allows appending arbitrary paths to CGI scripts. The server saves the extra path in the environment variable PATH_INFO and executes the CGI script (this can be disabled by setting "AcceptPathInfo" to "off"[4]). Therefore, appending the string "/images/" and requesting the following URL also executes the "export-cgi" script and outputs the current configuration file: https://192.168.0.1/cgi-bin/export-cgi/images/?category=config&arg0=startup-config.conf During the penetration test it was discovered that for this URL, no authentication is necessary (because the string "/images/" is included in the path-part of the URL) and arbitrary configuration files can be downloaded. The file "startup-config.conf" can contain sensitive data like firewall rules and hashes of user passwords. Other interesting config-file names are "lastgood.conf" and "systemdefault.conf". The administrative interface furthermore allows uploading of configuration files with the "file_upload-cgi" script.Applying the same trick (appending "/images/"), arbitrary configuration files can be uploaded without any authentication.When the chosen config-file name is set to "startup-config.conf", the appliance furthermore applies all settings directly after uploading.This can be used to add a second administrative user with a self-chosen password and take over the appliance. Proof of Concept ================ The current startup-config.conf file from a ZyWALL USG appliance can be downloaded by accessing the following URL, e.g. with the program cURL: $ curl --silent -o startup-config.conf \ "https://192.168.0.1/cgi-bin/export-cgi/images/?category=config&arg0=startup-config.conf" This file can be re-uploaded (e.g. after adding another administrative user) with the following command, the parameter "ext-comp-1121" may need to be adjusted: $ curl --silent -F ext-comp-1121=50 -F file_type=config -F nv=1 \ -F "file_path=@startup-config.conf;filename=startup-config.conf" \ https://192.168.0.1/cgi-bin/file_upload-cgi/images/ Workaround ========== If possible, disable the web-based administrative interface or else ensure that the interface is not exposed to attackers. Fix === Upgrade to a firmware released on or after April 25, 2011. Security Risk ============= Any attackers who are able to access the administrative interface of vulnerable ZyWALL USG appliances can read and write arbitrary configuration files, thus compromising the complete appliance.Therefore the risk is estimated as high. History ======= 2011-03-07 Vulnerability identified 2011-04-06 Customer approved disclosure to vendor 2011-04-07 Vendor notified 2011-04-07 First reactions of vendor, issue is being investigated 2011-04-08 Meeting with vendor 2011-04-15 Vulnerability fixed by vendor 2011-04-18 Test appliance and beta firmware supplied to RedTeam Pentesting, fix verified 2011-04-25 Vendor released new firmwares with fix 2011-04-29 Vendor confirms that other ZLD-based devices may also be affected 2011-05-04 Advisory released RedTeam Pentesting likes to thank ZyXEL for the fast response and professional collaboration. References ========== [1] ftp://utopia.hacktic.nl/pub/crypto/cracking/pkzip.ps.gz [2] http://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html [3] http://www.elcomsoft.com/archpr.html [4] http://httpd.apache.org/docs/2.0/mod/core.html#acceptpathinfo RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de. -- RedTeam Pentesting GmbHTel.: +49 241 963-1300 Dennewartstr. 25-27Fax : +49 241 963-1304 52068 Aachenhttp://www.redteam-pentesting.de/ Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck Advisory: Client Side Authorization ZyXEL ZyWALL USG Appliances Web Interface The ZyXEL ZyWALL USG appliances perform parts of the authorization for their management web interface on the client side using JavaScript. By setting the JavaScript variable "isAdmin" to "true", a user with limited access gets full access to the web interface. Details ======= Product: ZyXEL USG (Unified Security Gateway) appliances ZyWALL USG-20 ZyWALL USG-20W ZyWALL USG-50 ZyWALL USG-100 ZyWALL USG-200 ZyWALL USG-300 ZyWALL USG-1000 ZyWALL USG-1050 ZyWALL USG-2000 Possibly other ZLD-based products Affected Versions: Firmware Releases before April 25, 2011 Fixed Versions: FirmwareReleases from or after April 25, 2011 Vulnerability Type: Client Side Authorization Security Risk: medium Vendor URL: http://www.zyxel.com/ Vendor Status: fixed version released Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-004 Advisory Status: published CVE: GENERIC-MAP-NOMATCH CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH Introduction ============ </code>The ZyWALL USG (Unified Security Gateway) Series is the "third generation" ZyWALL featuring an all-new platform. It provides greater performance protection, as well as a deep packet inspection security solution for small businesses to enterprises alike. It embodies a Stateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion Detection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN (IPSec/SSL/L2TP) in one box. This multilayered security safeguards your organization's customer and company records, intellectual property, and critical resources from external and internal threats.'' (From the vendor's homepage) More Details ============ Users with the role "limited-admin" are allowed to log into the web-based administrative interface and configure some aspects of a ZyWALL USG appliance.It is usually not possible to download the current configuration file, as this includes the password-hashes of all users. When the "download" button in the File Manager part of the web interface is pressed, a JavaScript dialogue window informs the user that this operation is not allowed.However, setting the JavaScript variable "isAdmin" to "true" (e.g. by using the JavaScript console of the "Firebug" extension for the Firefox web browser) disables this check and lets the user download the desired configuration file.It is also possible to directly open the URL that downloads the configuration file. The appliances do not check the users' permissions on the server side. Proof of Concept ================ After logging into the web interface, set the local JavaScript variable "isAdmin" to "true" and use the File Manager to download configuration files.Alternatively, the current configuration file (including the password hashes) can also be downloaded directly by accessing the following URL: https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.conf Workaround ========== If possible, disable the web-based administrative interface or ensure otherwise that the interface is not exposed to attackers. Fix === Upgrade to a firmware released on or after April 25, 2011. Security Risk ============= This vulnerability enables users of the role "limited-admin" to access configuration files with potentially sensitive information (like the password hashes of all other users).The risk of this vulnerability is estimated as medium. History ======= 2011-03-07 Vulnerability identified 2011-04-06 Customer approved disclosure to vendor 2011-04-07 Vendor notified 2011-04-08 Meeting with vendor 2011-04-15 Vulnerability fixed by vendor 2011-04-18 Test appliance and beta firmware supplied to RedTeam Pentesting, fix verified 2011-04-25 Vendor released new firmwares with fix 2011-04-29 Vendor confirms that other ZLD-based devices may also be affected 2011-05-04 Advisory released RedTeam Pentesting likes to thank ZyXEL for the fast response and professional collaboration. RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de. -- RedTeam Pentesting GmbHTel.: +49 241 963-1300 Dennewartstr. 25-27Fax : +49 241 963-1304 52068 Aachenhttp://www.redteam-pentesting.de/ Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck |
体验盒子
