Proxy bypass vulnerability & plain text passwords

SEC Consult Security Advisory < 20090429-0 >
=======================================================================
title: Proxy bypass vulnerability & plain text passwords
       in LevelOne AMG-2000
product: LevelOne AMG-2000 Wireless AP Management Gateway
vulnerable version: Firmware <=2.00.00build00600
impact: critical
homepage: www.level1.com
found: 2008-12-16
by: J. Greil / SEC Consult / www.sec-consult.com
=======================================================================

 

Vendor description:
-------------------
"LevelOne was established in 1991 in Dortmund, Germany by Digital Data
Communications GmbH. By providing quality networking products and solutions,
we've grown steadily throughout the years with Branch Offices in 20 countries
around the world."

"AMG-2000 is an AP Management Gateway dedicatedly designed for small to
medium-sized network deployment and management, making it an ideal solution
for easily creating and extending WLANs in SMB offices. With its user
management features, administrators will be able to manage the whole process
of wireless network access. In addition, Access Point (AP) management
functions allow administrators to discover, configure, update, and monitor all
managed APs from a single secured interface, and from there, gain full control
of entire wireless network."

Sources: global.level1.com/aboutus.php
         & AMG-2000 Manual v2.0, Jun-13-2007

 

 

Vulnerability overview:
-----------------------
AMG-2000 uses an internal Squid proxy to restrict access to the wireless LAN
or Internet, e.g. by requiring a username/password on the portal site (depending
on how the system is configured, e.g. on-demand "guest" users or
authentication via RADIUS, LDAP or NT domain). This built-in proxy is
misconfigured, which leads to the following vulnerabilities:

1) An _authenticated_ WLAN guest user/attacker is able to access the
restricted administration interface of the AMG-2000 with specially crafted
HTTP requests. Furthermore, an attacker is able to reach the internal company
network over the wireless network!

2) The administration interface shows the passwords of all locally configured
users (e.g. on-demand/guest users) and other sensitive settings in plain text.

 

 

Vulnerability description:
--------------------------
1) An attacker is able to access the administration interface from the WLAN by
manipulating the "Host:" header and Request-URI in the HTTP GET request to the
proxy server running on the AMG-2000. It is possible to specify arbitrary IP
addresses (such as 127.0.0.1 or IPs from the internal network behind the
management "private LAN" port), which an attacker is then able to access. The
Squid proxy runs on port 2128 by default on the AMG-2000.

2) All passwords of local user accounts, such as on-demand guest users, are
shown in plain text in the admin interface (see also the manual's screenshots).
An attacker may gain access to the interface through weak default passwords
that were never changed.

The configured users are e.g. accessible/manageable via the default system
accounts "operator" (pw: operator, on-demand users only) or "manager" (pw:
manager, access to the whole user authentication area), hence an attacker
doesn't necessarily need the admin password.

An attacker may exploit those accounts to gain further access to the system
and surf the Internet on behalf of other users (e.g. ones without a time
restriction) or create arbitrary WLAN users for later access.

 

 

Proof of concept:
-----------------
1)
* Example IP address of the AMG-2000 gateway: 192.168.0.1
* E.g. use a local proxy such as Burp to manipulate the browser's requests to
the gateway, or write your own scripts.

a) HTTP request to access the administration interface login page from the
WLAN:
=================================
GET http://127.0.0.1/ HTTP/1.1
Host: 192.168.0.1:2128
[...]
=================================

b) HTTP request to log in to the admin interface with the user "manager":
=================================
POST http://127.0.0.1/check.shtml HTTP/1.1
Host: 192.168.0.1:2128
[...]

username=manager&password=manager&Submit=ENTER
=================================

c) HTTP request to access other internal IP addresses configured on the
private LAN port:
=================================
GET http://10.0.0.1/ HTTP/1.1
Host: 192.168.0.1:2128
[...]
=================================
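A defender-side check for the request pattern above, added here as an example and not part of the original advisory: it parses requests captured at the gateway's proxy port and flags absolute-URI targets in loopback or private ranges, generalising beyond the three requests shown. The forbidden ranges and the allow-listed portal address 192.168.0.1 are assumptions for the example, and the sample requests are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Destinations the gateway proxy must never forward to: loopback (the box itself)
# and the RFC 1918 ranges behind the "private LAN" port. Assumed for this example.
FORBIDDEN_DST = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_DST = {ipaddress.ip_address("192.168.0.1")}  # the portal's own WLAN address

def parse_request(raw):
    """Return (method, absolute-URI host or '', Host header) of a raw request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return "", "", ""
    host_header = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host_header = value.strip()
            break
    # Only absolute-form (proxy-style) targets carry a host; "/check.shtml" does not.
    target_host = (urlsplit(parts[1]).hostname or "") if "://" in parts[1] else ""
    return parts[0], target_host, host_header

def flag_request(raw):
    """Return a finding string for a proxy-bypass attempt, or None."""
    method, target_host, host_header = parse_request(raw)
    if not target_host:
        return None
    try:
        dst = ipaddress.ip_address(target_host)
    except ValueError:
        return None  # a hostname; resolving it is out of scope for this check
    if dst in ALLOWED_DST:
        return None
    for net in FORBIDDEN_DST:
        if dst in net:
            return f"{method} via proxy {host_header} to {dst} (in {net})"
    return None

SAMPLE = [  # constructed sample traffic modelled on the advisory's proof of concept
    "GET http://127.0.0.1/ HTTP/1.1\r\nHost: 192.168.0.1:2128\r\n\r\n",
    "POST http://127.0.0.1/check.shtml HTTP/1.1\r\nHost: 192.168.0.1:2128\r\n\r\n",
    "GET http://10.0.0.1/ HTTP/1.1\r\nHost: 192.168.0.1:2128\r\n\r\n",
    "GET http://www.example.com/ HTTP/1.1\r\nHost: 192.168.0.1:2128\r\n\r\n",
]

def scan(requests=SAMPLE):
    return [f for f in map(flag_request, requests) if f]
```

Running `scan()` over the sample yields three findings (the two loopback requests and the 10.0.0.1 request); the benign external request passes.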

 

 

2) Just try the default accounts (operator, manager) to access all passwords
of all other local users.

 

 

Vulnerable versions:
--------------------
The firmware versions
* v2.00.00build00600 (latest available)
* v1.01.01
have been tested and are vulnerable. It is assumed that all other
versions are vulnerable too.

 

 

Vendor contact timeline:
------------------------
2009-03-03: Asking support@ and security@level-one.de for a security contact,
            attaching the SEC Consult responsible disclosure document.
            I didn't find any reference to the security@ email address, it
            seems that it is not being used.
            global.level1.com/contactus.php
            www.level-one.de/impressum.php
2009-03-10: Asking again, adding info@digital-data.de to the email list
2009-03-13: Vendor (digital-data.de) reply
2009-03-17: Sending vendor (digital-data.de) detailed security advisory
            with proposed disclosure/release date
2009-03-23: Asking vendor (digital-data.de) whether they have verified the
            vulnerability
2009-03-23: Digital-data.de replies that the advisory information has been
            sent to LevelOne who have not answered yet
2009-04-15: Asked the contact at digital-data.de about the status and told
            again that the advisory will be published on 2009-04-29 as
            mentioned in the email from 2009-03-23 (according to disclosure
            policy).
2009-04-15: Received out-of-office reply until 2009-04-17, no answer
2009-04-27: Sent another reminder email with disclosure date info, received
            out-of-office until 2009-04-28 again, no answer
2009-04-29: Public disclosure

 

 

Solution:
---------
No vendor solution available, see workaround section.

 

 

Workaround:
-----------
Reduce the attack surface: do not use the (private) LAN ports where users do not
need authentication, and connect the "private LAN" management port only on
demand (e.g. remove the cable or disable the port on the switch where the
AMG-2000 is attached) so an attacker is not able to reach the internal network.

Use strong passwords for the administration interface and remove all default
accounts/passwords. Keep in mind that access to the admin interface and brute
force attacks against it are still possible due to the proxy vulnerability!

 

 

Advisory URL:
-------------
www.sec-consult.com/advisories_e.html

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to www.sec-consult.com/academy_e.html

EOF J. Greil / @2009