ZyWALL USG Appliance Access Bypass



EKU-ID: 147 CVE: OSVDB-ID:
Author: RedTeam Published: 2011-05-05 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Advisory: Client Side Authorization ZyXEL ZyWALL USG Appliances Web
          Interface

The ZyXEL ZyWALL USG appliances perform parts of the authorization for
their management web interface on the client side using JavaScript. By
setting the JavaScript variable "isAdmin" to "true", a user with limited
access gets full access to the web interface.


Details
=======

Product: ZyXEL USG (Unified Security Gateway) appliances
         ZyWALL USG-20
         ZyWALL USG-20W
         ZyWALL USG-50
         ZyWALL USG-100
         ZyWALL USG-200
         ZyWALL USG-300
         ZyWALL USG-1000
         ZyWALL USG-1050
         ZyWALL USG-2000
         Possibly other ZLD-based products
Affected Versions: Firmware Releases before April 25, 2011
Fixed Versions: Firmware  Releases from or after April 25, 2011
Vulnerability Type: Client Side Authorization
Security Risk: medium
Vendor URL: http://www.zyxel.com/
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-004
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

``The ZyWALL USG (Unified Security Gateway) Series is the "third
generation" ZyWALL featuring an all-new platform. It provides greater
performance protection, as well as a deep packet inspection security
solution for small businesses to enterprises alike. It embodies a
Stateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion
Detection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN
(IPSec/SSL/L2TP) in one box. This multilayered security safeguards your
organization's customer and company records, intellectual property, and
critical resources from external and internal threats.''

(From the vendor's homepage)


More Details
============

Users with the role "limited-admin" are allowed to log into the
web-based administrative interface and configure some aspects of a
ZyWALL USG appliance.  It is usually not possible to download the current
configuration file, as this includes the password-hashes of all users.
When the "download" button in the File Manager part of the web interface
is pressed, a JavaScript dialogue window informs the user that this
operation is not allowed.  However, setting the JavaScript variable
"isAdmin" to "true" (e.g. by using the JavaScript console of the
"Firebug" extension for the Firefox web browser) disables this check and
lets the user download the desired configuration file.  It is also
possible to directly open the URL that downloads the configuration file.
The appliances do not check the users' permissions on the server side.


Proof of Concept
================

After logging into the web interface, set the local JavaScript variable
"isAdmin" to "true" and use the File Manager to download configuration
files.  Alternatively, the current configuration file (including the
password hashes) can also be downloaded directly by accessing the
following URL:

  https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.conf


Workaround
==========

If possible, disable the web-based administrative interface or ensure
otherwise that the interface is not exposed to attackers.


Fix
===

Upgrade to a firmware released on or after April 25, 2011.


Security Risk
=============

This vulnerability enables users of the role "limited-admin" to access
configuration files with potentially sensitive information (like the
password hashes of all other users).  The risk of this vulnerability is
estimated as medium.


History
=======

2011-03-07 Vulnerability identified
2011-04-06 Customer approved disclosure to vendor
2011-04-07 Vendor notified
2011-04-08 Meeting with vendor
2011-04-15 Vulnerability fixed by vendor
2011-04-18 Test appliance and beta firmware supplied to
           RedTeam Pentesting, fix verified
2011-04-25 Vendor released new firmwares with fix
2011-04-29 Vendor confirms that other ZLD-based devices may also be
           affected
2011-05-04 Advisory released

RedTeam Pentesting likes to thank ZyXEL for the fast response and
professional collaboration.


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.

-- 
RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen                    http://www.redteam-pentesting.de/
Germany                         Registergericht: Aachen HRB 14004
Gesch�ftsf�hrer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck