Bugtraq mailing list archives

SECURITY RISK: ZyXEL ADSL Router 642R - WAN filter bypass from internal network


From: Kistler Ueli <iuk () gmx ch>
Date: Tue, 18 Sep 2001 11:39:33 +0200

ZyXEL ADSL Router 642R - WAN filter bypass from internal network
Risk: medium>low
Detected: Monday, 17. September 2001
By: Ueli Kistler

Attached: Security risk discussion (Zyxel wan filter bypass from internal network.txt)

-------

Affected:

- ZyXEL 642R ADSL Router: ZyNOS Firmware Version 2.50(AJ.4, 7.3.2001)
- possibly: Broadband ZyXEL 600 Series
- possibly other ZyXEL ADSL routers (based on ZyNOS)

Not affected:

- unknown
- possibly other vendors' routers

-------

Summary:

Risk: medium>low
An attacker can get unauthorized access to the router's administration interface from the internal network.
The attacker needs the password to log in.

ZyXEL's ADSL Router 642R can block specific packets from the Internet and the LAN with ZyNOS filter sets. A filter set for Telnet/FTP can block access to the router's administration interface, firmware file and configuration file (where the password is located).

By default, ZyNOS v.2.50(AJ.4) blocks all access from the WAN to the Telnet/FTP administration interfaces.
LAN access is granted by default so that the router can be configured.
The router has a default password, which can be found in the router's manual.

All 642R routers use the same default password. If an attacker can reach an administration interface and log in, he has full control over the router's configuration and can get the user's login information (password, access point).
He would also be able to upload another firmware with FTP (User: root).

In a standard network with one hub/switch, several computers and the ADSL router connected to the switch, an attack is easy (e.g. default password or brute-force attack):
- The attacker can connect to the router's administration interface (Telnet/FTP)
- He needs the password (default password/brute-forced) to log in

To prevent a connection, the administrator of the router can set up a filter set on the LAN NIC of the router. This filter set blocks access from internal hosts to the router's Telnet/FTP ports. ZyNOS AJ.4 already has a filter set that prevents access from the WAN to the administration interfaces.

Another possibility:
A 2 NIC firewall between the internal network and the external network can block access to the router's INTERNAL network IP.

Is the router secure now? No.

ZyXEL's 642R ADSL routers, and most likely others of the Broadband 600 series, have a security problem in the ZyNOS packet filter that allows access from the internal network using the WAN IP address of the router.

In ZyNOS AJ.4 every WAN host is blocked by default.
The filter #6 blocks FTP, Telnet and HTTP access from WAN:

¦¦¦¦¦¦¦¦¦¦¦¦¦
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21     N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23     N D N
3 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80     N D N
4 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=69    N D N
¦¦¦¦¦¦¦¦¦¦¦¦¦

This filter set is activated by default in Remote node profile->Edit Filter sets(yes)->Input filters->Protocol filters.

It should also block access from the internal network to the router's WAN IP address, because 0.0.0.0 (every host) also covers the internal network.

This filter set is "bypassed".

-------

Details:

What exactly is the problem?
The problem is that every user whose access to the administration interface is restricted (from LAN and Internet) can nevertheless reach the router's administration interface (Telnet/FTP)!

Instead of using the LAN IP of the router, the attacker uses the WAN IP of the router to establish the connection. The filter sets of ZyXEL's 642R router (LAN and INTERNET) don't block the access!
It does not seem to be against the ZyNOS packet filter rules.

"But I could set up another filter...": yes, but that is not very practical if you don't have a static IP address. Most ADSL users have dynamic IP addresses, and most will not set up a new rule every time they get a new Internet IP address. You cannot deny all access to external hosts for single ports (Telnet/FTP): this would block not only administration interface access, but also other FTP/Telnet connections to hosts on the Internet.

-------

Problem:

ZyNOS blocks by device: LAN traffic is blocked by the internal NIC, WAN traffic by the external ADSL device. The WAN filter doesn't block access from the internal network to the router's WAN IP, because no filter set is activated that blocks the WAN IP on the LAN device.
Some ADSL providers disconnect after # minutes/hours. The administrator would have to block the router's new WAN IP on the LAN device every time.

-------

Solutions:

not available (17. September 2001, 21:56 GMT+1):
- firmware update: the router's firmware must be updated
  - correction: packet filter
  - additional security specific corrections: ability to disable Telnet and FTP administration interfaces.
    The 642R ADSL router can already be configured, using RFC211

-------

Workarounds:

These are possible workarounds:
- ADSL router configuration:
  - activate a filter set every time you connect to the Internet: the LAN device must block the WAN IP address of the router.
- on a 2 NIC firewall:
  - use a proxy for connections (no routing from internal to external network): this prevents access from the internal network.

-------

Reference: -

-------

About me:

I'm a student in Switzerland (19 old, 4. September 2001). I'm interested in security, that's all. I've written a little prog: IDScenter. It's a GUI for Snort, which can send alert mails etc... Currently IDScenter 1.09 BETA can parse Snort log files and block access using BlackICE firewall.

-------

Cheers,
Ueli Kistler (iuk () gmx ch, www.eclipse.fr.fm)
Switzerland
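
Added example (not part of the original advisory and not ZyXEL's code): a small Python model of the per-device filtering described under "Problem" and of the LAN-side workaround, showing why a rule keyed to the WAN IP goes stale after a reconnect. It assumes rules are checked only on the device a packet arrives on, that a match means drop and that unmatched packets pass; the addresses are constructed sample values.

```python
from dataclasses import dataclass

ANY = "0.0.0.0"  # the advisory's rules use 0.0.0.0 for "every host"
@dataclass(frozen=True)
class Rule:
    proto: int   # Pr= (6 = TCP, 17 = UDP)
    sa: str      # SA= source address
    da: str      # DA= destination address
    dport: int   # DP= destination port

    def matches(self, p):
        return (self.proto == p["proto"] and self.dport == p["dport"]
                and self.sa in (ANY, p["src"]) and self.da in (ANY, p["dst"]))

# Filter set #6 as listed in the advisory (assumption: a match means drop).
FILTER_SET_6 = [Rule(6, ANY, ANY, 21), Rule(6, ANY, ANY, 23),
                Rule(6, ANY, ANY, 80), Rule(17, ANY, ANY, 69)]

def verdict(p, input_filters):
    """Check only the rules bound to the device the packet arrived on."""
    for rule in input_filters.get(p["in_dev"], []):
        if rule.matches(p):
            return "drop"
    return "pass"  # assumption: packets that match no rule are let through

def lan_workaround(wan_ip):
    """Workaround from the advisory: the LAN device blocks the router's WAN IP."""
    return [Rule(6, ANY, wan_ip, 21), Rule(6, ANY, wan_ip, 23)]

def pkt(in_dev, src, dst, dport, proto=6):
    return dict(in_dev=in_dev, src=src, dst=dst, dport=dport, proto=proto)
# Constructed sample addresses (documentation ranges), not from the advisory.
WAN_IP, NEW_WAN_IP = "192.0.2.10", "203.0.113.5"
LAN_HOST, NET_HOST = "192.168.1.33", "198.51.100.7"

def demo():
    default = {"wan": FILTER_SET_6}                    # shipped state
    fixed = {"wan": FILTER_SET_6, "lan": lan_workaround(WAN_IP)}
    return {
        "Internet -> WAN IP, default": verdict(pkt("wan", NET_HOST, WAN_IP, 23), default),
        "LAN -> WAN IP, default": verdict(pkt("lan", LAN_HOST, WAN_IP, 23), default),
        "LAN -> WAN IP, workaround": verdict(pkt("lan", LAN_HOST, WAN_IP, 23), fixed),
        "LAN -> Internet host, workaround": verdict(pkt("lan", LAN_HOST, NET_HOST, 23), fixed),
        "LAN -> new WAN IP, stale rule": verdict(pkt("lan", LAN_HOST, NEW_WAN_IP, 23), fixed),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:34} {result}")
```

The last case is the operational point for a dynamic-IP line: the LAN rule has to be regenerated from the current WAN address after every reconnect, or the administration ports are reachable again.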
