LevelOne AMG-2000 Wireless AP Proxy Bypass
Posted Apr 29, 2009
Authored by Johannes Greil | Site sec-consult.com

SEC Consult Security Advisory 20090429-0 - LevelOne AMG-2000 Wireless AP Management Gateway suffers from proxy bypass and plain text vulnerabilities.

tags | exploit, vulnerability
SHA-256 | 21fedd3d58a60ec4be0f1b3d390a6efc6e4b55fd06209cf789610813125e1daf

SEC Consult Security Advisory < 20090429-0 >
=======================================================================
title: Proxy bypass vulnerability & plain text passwords
in LevelOne AMG-2000
product: LevelOne AMG-2000 Wireless AP Management Gateway
vulnerable version: Firmware <=2.00.00build00600
impact: critical
homepage: http://www.level1.com
found: 2008-12-16
by: J. Greil / SEC Consult / www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"LevelOne was established in 1991 in Dortmund, Germany by Digital Data
Communications GmbH. By providing quality networking products and solutions,
we've grown steadily throughout the years with Branch Offices in 20 countries
around the world."

"AMG-2000 is an AP Management Gateway dedicatedly designed for small to
medium-sized network deployment and management, making it an ideal solution
for easily creating and extending WLANs in SMB offices. With its user
management features, administrators will be able to manage the whole process
of wireless network access. In addition, Access Point (AP) management
functions allow administrators to discover, configure, update, and monitor all
managed APs from a single secured interface, and from there, gain full control
of entire wireless network."


Sources: http://global.level1.com/aboutus.php
& AMG-2000 Manual v2.0, Jun-13-2007


Vulnerability overview:
-----------------------
AMG-2000 uses an internal Squid proxy to restrict access to the wireless LAN
or the Internet, e.g. by requiring a username/password on the portal site
(depending on how the system is configured, e.g. on-demand "guest" users or
authentication via RADIUS, LDAP or an NT domain). This built-in proxy is
misconfigured, which leads to the following vulnerabilities:

1) An _authenticated_ WLAN guest user/attacker is able to access the
restricted administration interface of the AMG-2000 with specially crafted
HTTP requests. Furthermore, an attacker is able to reach the internal company
network over the wireless network!


2) The administration interface shows the passwords of all locally configured
users (e.g. on-demand/guest users) and other sensitive settings in plain text.


Vulnerability description:
--------------------------
1) An attacker is able to access the administration interface from the WLAN by
manipulating the "Host:" header and the Request-URI of the HTTP GET request sent
to the proxy server running on the AMG-2000. It is possible to specify arbitrary
IP addresses (such as 127.0.0.1 or IPs from the internal network behind the
management "private LAN" port), which the proxy then forwards the request to on
the attacker's behalf. The Squid proxy listens on port 2128 by default on the
AMG-2000.


2) All passwords of local user accounts, such as on-demand guest users, are
shown in plain text in the admin interface (see also the screenshots in the
manual). An attacker may gain access to the interface through weak default
passwords that were never changed.

The configured users are accessible/manageable e.g. via the default system
accounts "operator" (pw: operator, on-demand users only) or "manager" (pw:
manager, access to the whole user authentication area), hence an attacker
doesn't necessarily need the admin password.

An attacker may exploit those accounts to gain further access to the system
and surf on the Internet on behalf of other users (e.g. ones without a time
restriction) or create arbitrary WLAN users for later access.


Proof of concept:
-----------------
1)
* Example IP address of the AMG-2000 gateway: 192.168.0.1
* E.g. use a local proxy such as Burp to manipulate the browser's request to
the gateway, or write your own scripts.

a) HTTP request to access the administration interface login page from the
WLAN:
=================================
GET http://127.0.0.1/ HTTP/1.1
Host: 192.168.0.1:2128
[...]
=================================

b) HTTP request to login to the admin interface with the user "manager":
=================================
POST http://127.0.0.1/check.shtml HTTP/1.1
Host: 192.168.0.1:2128
[...]

username=manager&password=manager&Submit=ENTER
=================================

c) HTTP request to access other internal IP addresses configured on the
private LAN port:
=================================
GET http://10.0.0.1/ HTTP/1.1
Host: 192.168.0.1:2128
[...]
=================================
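The following detector is an added illustration and not part of the original advisory: it parses captured HTTP request heads (such as proxy access logs or a packet capture on port 2128) and flags absolute-URI requests whose target is the loopback or a private address, i.e. exactly the pattern in 1a) to 1c) that the AMG-2000 proxy should refuse. The sample requests are constructed from the proof of concept above; `classify` and `find_bypass_attempts` are names chosen here.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample request heads: the three PoC requests above, one ordinary
# proxied request to a public host, and one origin-form request to the portal.
SAMPLE_REQUESTS = [
    "GET http://127.0.0.1/ HTTP/1.1\r\nHost: 192.168.0.1:2128\r\n\r\n",
    "POST http://127.0.0.1/check.shtml HTTP/1.1\r\nHost: 192.168.0.1:2128\r\n\r\n",
    "GET http://10.0.0.1/ HTTP/1.1\r\nHost: 192.168.0.1:2128\r\n\r\n",
    "GET http://www.example.com/ HTTP/1.1\r\nHost: 192.168.0.1:2128\r\n\r\n",
    "GET /login.shtml HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw):
    """Return 'bypass', 'forward' or 'normal' for one captured request."""
    _method, target, _headers = parse_request(raw)
    parts = urlsplit(target)
    if not parts.scheme or not parts.hostname:
        return "normal"      # origin-form request, served by the portal itself
    try:
        dst = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return "forward"     # absolute URI with a hostname: ordinary proxying
    if dst.is_loopback or dst.is_private or dst.is_link_local:
        return "bypass"      # proxy asked to reach the gateway or the private LAN
    return "forward"


def find_bypass_attempts(requests):
    """List (request target, verdict) for every request classified as bypass."""
    return [(parse_request(r)[1], "bypass")
            for r in requests if classify(r) == "bypass"]


if __name__ == "__main__":
    for target, verdict in find_bypass_attempts(SAMPLE_REQUESTS):
        print(verdict, target)
```

The same classification can be applied to Squid's own access log, where the absolute Request-URI is recorded per request; any "bypass" hit from the WLAN side warrants investigation.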


2) Simply log in with one of the default accounts (operator, manager) to see
the passwords of all other local users.


Vulnerable versions:
--------------------
The firmware versions
* v2.00.00build00600 (latest available)
* v1.01.01
have been tested and they are vulnerable. It is assumed that all other
versions are vulnerable too.


Vendor contact timeline:
------------------------
2009-03-03: Asking support@ and security@level-one.de for a security contact,
attaching the SEC Consult responsible disclosure document.
I didn't find any reference to the security@ email address, it
seems that it is not being used.
http://global.level1.com/contactus.php
http://www.level-one.de/impressum.php
2009-03-10: Asking again, adding info@digital-data.de to the email list
2009-03-13: Vendor (digital-data.de) reply
2009-03-17: Sending vendor (digital-data.de) detailed security advisory
with proposed disclosure/release date
2009-03-23: Asking vendor (digital-data.de) whether they have verified the
vulnerability
2009-03-23: Digital-data.de replies that the advisory information has been
sent to LevelOne who have not answered yet
2009-04-15: Asked the contact at digital-data.de about the status and told
again that the advisory will be published on 2009-04-29 as
mentioned in the email from 2009-03-23 (according to disclosure
policy).
2009-04-15: Received out-of-office reply until 2009-04-17, no answer
2009-04-27: Sent another reminder email with disclosure date info, received
out-of-office until 2009-04-28 again, no answer
2009-04-29: Public disclosure


Solution:
---------
No vendor solution available, see workaround section.


Workaround:
-----------
Reduce the attack surface: don't use the (private) LAN ports where users don't
need authentication, and only connect the "private LAN" management port on
demand (e.g. remove the cable or disable the port on the switch the AMG-2000 is
attached to) so an attacker isn't able to reach the internal network.

Use strong passwords for the administration interface and remove all default
accounts/passwords. Keep in mind that access to the admin interface, and thus
brute-force attacks against it, is still possible due to the proxy vulnerability!


Advisory URL:
-------------
https://www.sec-consult.com/advisories_e.html#a53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html

EOF J. Greil / @2009