SECURITY RISK: ZyXEL ADSL Router 642R - WAN filter bypass from internal network

ZyXEL ADSL Router 642R - WAN filter bypass from internal network
Risk: medium>low
Detected: Monday, 17. September 2001
By: Ueli Kistler

Attached: Security risk discussion (Zyxel wan filter bypass from internal network.txt)

-------

Affected:

 - ZyXEL 642R ADSL Router: ZyNOS Firmware Version 2.50(AJ.4, 7.3.2001)
 - possibly: Broadband ZyXEL 600 Series
 - possibly other ZyXEL ADSL routers (based on ZyNOS)

Not affected:

 - unknown
 - possibly other vendors' routers

-------

Summary:

Risk: medium>low
      An attacker can get unauthorized access to the router's administration interface from the internal network.
      The attacker needs the password to log in.

ZyXEL's ADSL Router 642R can block specific packets from the Internet and the LAN with ZyNOS filter sets.
Using a filter set for Telnet/FTP can block access to the router's administration interface,
firmware file and configuration file (where the password is located).

ZyNOS v.2.50(AJ.4) blocks by default every access from the WAN to the Telnet/FTP administration interfaces.
LAN access is granted by default to configure the router.
The router has a default password, which can be found in the router's manual.

All 642R routers use the same password by default. If an attacker can get access to an administration
interface and log in, he has full control over the router's configuration and can get access to the
user's login information (password, access point).
He would also be able to upload another firmware with FTP (user: root).

In a standard network with one hub/switch, several computers and the ADSL router connected to the switch,
an attack is easy (e.g. default password / brute-force attack):
 - The attacker can connect to the router's administration interface (Telnet/FTP)
 - He needs the password (default password / brute-forced) to log in

To prevent such a connection, the administrator of the router can set up a filter set on the LAN NIC of the router.
This filter set blocks access from internal hosts to the router's Telnet/FTP ports.
ZyNOS AJ.4 already has a filter set which prevents access from the WAN to the administration interfaces.

Another possibility:
A firewall with 2 NICs between the internal network and the external network can block access to the router's
INTERNAL network IP.

Is the router secure now? No.

ZyXEL's 642R ADSL routers and most likely others of the Broadband 600 series have a security problem in the
ZyNOS packet filter, which allows access from the internal network using the WAN IP address of the router.

In ZyNOS AJ.4 every WAN host is blocked by default.
Filter set #6 blocks FTP, Telnet, HTTP and TFTP access from the WAN:

# A Type Filter Rules                                 M m n
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21     N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23     N D N
3 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80     N D N
4 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=69    N D N
(A = active; Pr = protocol, 6 = TCP, 17 = UDP; SA/DA = source/destination address, 0.0.0.0 = any; DP = destination port;
 M = more; m = action if matched, D = drop; n = action if not matched, N = check next rule)

This filter set is activated by default in Remote node profile->Edit Filter sets(yes)->Input filters->Protocol filters.

It should also block access from the internal network to the router's WAN IP address, because the internal network
is covered by 0.0.0.0 (every host) as well.

This filter set is "bypassed".

-------

Details:

What exactly is the problem?
The problem is that every user whose access to the administration interface is restricted (from the LAN and the Internet)
can nevertheless reach the router's administration interface (Telnet/FTP)!

Instead of using the LAN IP of the router, the attacker uses the WAN IP of the router to establish the connection.
The filter sets of ZyXEL's 642R router (LAN and INTERNET) don't block the access!
The connection does not seem to be checked against the ZyNOS packet filter rules.

"But I could set up another filter...": yes, but that is not very useful if you don't have a static IP address.
Most ADSL users have dynamic IP addresses and most will not set up a new rule for their new Internet IP address
every time.
You cannot deny every access to external hosts for single ports (Telnet/FTP): this would not only block administration
interface access, but also other FTP/Telnet connections to hosts on the Internet.

-------

Problem:

ZyNOS filters by device: LAN traffic is filtered by the internal NIC, WAN traffic by the external ADSL device.
The WAN filter doesn't block access from the internal network to the router's WAN IP, because no filter set is
activated which blocks the WAN IP on the LAN device.
Some ADSL providers disconnect after a number of minutes/hours. The administrator would then have to block the
router's new WAN IP on the LAN device every time.
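
The per-device filtering described above can be modelled to check both the gap and the workaround. The following is an added example written for this advisory, not ZyNOS code; it parses rule lines in the Filter Rules Summary layout quoted above, applies only the filter set bound to the ingress device (an assumption about ZyNOS behaviour taken from the text), and uses constructed addresses (WAN IP 203.0.113.5, LAN IP 192.168.1.1, LAN host 192.168.1.10):

```python
import re
from dataclasses import dataclass

# Matches one rule line of the ZyNOS filter summary quoted in the advisory, e.g.
# "2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23     N D N"
RULE_RE = re.compile(r"(\d+)\s+([YN])\s+IP\s+Pr=(\d+),\s*SA=([\d.]+),\s*DA=([\d.]+),"
                     r"\s*DP=(\d+)\s+[YN]\s+([DF])\s+([DFN])")

@dataclass
class Rule:
    active: bool
    proto: int
    sa: str
    da: str
    dp: int
    on_match: str   # D = drop, F = forward

def parse_rules(text):
    return [Rule(m.group(2) == "Y", int(m.group(3)), m.group(4), m.group(5),
                 int(m.group(6)), m.group(7)) for m in RULE_RE.finditer(text)]

def rule_matches(rule, pkt):
    # 0.0.0.0 is the ZyNOS wildcard for "any address"
    return (rule.active and rule.proto == pkt["proto"]
            and rule.sa in ("0.0.0.0", pkt["src"])
            and rule.da in ("0.0.0.0", pkt["dst"])
            and rule.dp == pkt["dport"])

def filter_verdict(rules, pkt):
    # Assumption: the first matching rule decides; no match means forward.
    for r in rules:
        if rule_matches(r, pkt):
            return r.on_match
    return "F"

def router_verdict(filters, pkt):
    # Per-device evaluation as the advisory describes: only the input filter
    # set bound to the device the packet arrived on is consulted.
    return filter_verdict(filters.get(pkt["in_dev"], []), pkt)

def lan_rule_for_wan_ip(wan_ip, dport):
    # Workaround from the advisory: a LAN-device rule that drops packets to the
    # current WAN IP; it must be regenerated whenever the WAN IP changes.
    return Rule(True, 6, "0.0.0.0", wan_ip, dport, "D")

# Constructed sample: the default WAN input filter set #6 quoted in the advisory.
WAN_FILTER = parse_rules("""
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21     N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23     N D N
3 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80     N D N
4 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=69    N D N
""")
```

Feeding a Telnet connection from a LAN host to the WAN IP through `router_verdict` with only the WAN filter bound returns "F", and returns "D" once `lan_rule_for_wan_ip` is bound to the LAN device; a LAN-to-Internet Telnet connection still returns "F" under that rule, which is why the advisory rejects a blanket port block.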

-------

Solutions:

not available (17. September 2001, 21:56 GMT+1):
 - firmware update: the router's firmware must be updated
  - correction: packet filter
  - additional security-specific corrections: ability to disable the Telnet and FTP administration interfaces.
    The 642R ADSL router can already be configured, using RFC211
-------

Workarounds:

These are possible workarounds:
 - ADSL router configuration:
  - activate a filter set every time you connect to the Internet: the LAN device must block the WAN IP address of the router.

 - on a firewall with 2 NICs:
  - use a proxy for connections (no routing from the internal to the external network): this prevents access from the internal network.

-------
Reference: -

-------

About me:

I'm a student in Switzerland (19 years old, 4. September 2001). I'm interested in security, that's all.
I've written a little program: IDScenter. It's a GUI for Snort, which can send alert mails etc.
Currently IDScenter 1.09 BETA can parse Snort log files and block access using the BlackICE firewall.

-------

Cheers,
 Ueli Kistler (iuk@gmx.ch, www.eclipse.fr.fm)
 Switzerland