SEC Consult Security Advisory < 20090429-0 >
====================================================================== title: Proxy bypass vulnerability & plain text passwords
in LevelOne AMG-2000
product: LevelOne AMG-2000 Wireless AP Management Gateway
vulnerable version: Firmware <=2.00.00build00600
by: J. Greil / SEC Consult / www.sec-consult.com
"LevelOne was established in 1991 in Dortmund, Germany by Digital Data
Communications GmbH. By providing quality networking products and solutions,
we've grown steadily throughout the years with Branch Offices in 20 countries
around the world."
"AMG-2000 is an AP Management Gateway dedicatedly designed for small to
medium-sized network deployment and management, making it an ideal solution
for easily creating and extending WLANs in SMB offices. With its user
management features, administrators will be able to manage the whole process
of wireless network access. In addition, Access Point (AP) management
functions allow administrators to discover, configure, update, and monitor all
managed APs from a single secured interface, and from there, gain full control
of entire wireless network."
& AMG-2000 Manual v2.0, Jun-13-2007
AMG-2000 uses an internal Squid proxy to restrict access to the wireless LAN
or Internet, e.g. by supplying a username/password on the portal site (depends
on how the system is configured, e.g. on-demand "guest" users or
authentication via RADIUS, LDAP or NT domain). This built-in proxy is
misconfigured which leads to the following vulnerability:
1) An _authenticated_ WLAN guest user/attacker is able to access the
restricted administration interface of the AMG-2000 with specially crafted
HTTP requests. Furthermore an attacker is able to access the internal company
network over the wireless network!
2) The administration interface shows the passwords of all locally configured
users (e.g. on-demand/guest users) and other sensitive settings in plain text.
1) An attacker is able to access the administration interface from the WLAN by
manipulating the "Host:" header and Request-URI in the HTTP GET request to the
proxy server running on the AMG-2000. It is possible to specify arbitrary IP
addresses (such as 127.0.0.1 or IPs from the internal network of the
management "private LAN" port) which an attacker is then able to access. The
squid proxy runs on port 2128 by default on the AMG-2000.
2) All passwords from local user accounts, such as on-demand guest users, are
shown in plain text in the admin interface (e.g. also see manual screenshots).
An attacker may gain access to the interface through weak default passwords
that have been forgotten to be changed.
The configured users are e.g. accessible/manageable via the default system
accounts "operator" (pw: operator, on-demand users only) or "manager" (pw:
manager, access to the whole user authentication area), hence an attacker
doesn't necessarily need the admin password.
An attacker may exploit those accounts to gain further access to the system
and surf on the Internet on behalf of other users (e.g. ones without a time
restriction) or create arbitrary WLAN users for later access.
Proof of concept:
* Example IP address of the AMG-2000 gateway: 192.168.0.1
* E.g. use a local proxy such as burp to manipulate the request of the browser
to the gateway or write your own scripts.
a) HTTP request to access the administration interface login page from the
================================GET http://127.0.0.1/ HTTP/1.1
b) HTTP request to login to the admin interface with the user "manager":
================================POST http://127.0.0.1/check.shtml HTTP/1.1
c) HTTP request to access other internal IP addresses configured on the
private LAN port:
================================GET http://10.0.0.1/ HTTP/1.1
2) Just try the default accounts (operator, manager) to access all passwords
of all other local users.
The firmware versions
* v2.00.00build00600 (latest available)
have been tested and they are vulnerable. It is assumed that all other
versions are vulnerable too.
Vendor contact timeline:
2009-03-03: Asking support@ and email@example.com for a security contact,
attaching the SEC Consult responsible disclosure document.
I didn't find any reference to the security@ email address, it
seems that it is not being used.
2009-03-10: Asking again, adding firstname.lastname@example.org to the email list
2009-03-13: Vendor (digital-data.de) reply
2009-03-17: Sending vendor (digital-data.de) detailed security advisory
with proposed disclosure/release date
2009-03-23: Asking vendor (digital-data.de) whether they have verified the
2009-03-23: Digital-data.de replies that the advisory information has been
sent to LevelOne who have not anwsered yet
2009-04-15: Asked the contact at digital-data.de about the status and told
again that the advisory will be published on 2009-04-29 as
mentioned in the email from 2009-03-23 (according to disclosure
2009-04-15: Received out-of-office reply until 2009-04-17, no answer
2009-04-27: Sent another reminder email with disclosure date info, received
out-of-office until 2009-04-28 again, no answer
2009-04-29: Public disclosure
No vendor solution available, see workaround section.
Reduce the attack surface, don't use the (private) LAN ports where users don't
need authentication and only use the "private LAN" management port on demand
(e.g. remove the cable or disable the port on the switch where the AMG-2000 is
attached) so an attacker isn't able to access the internal network.
Use strong passwords for the administration interface and remove all default
accounts/passwords. Keep in mind that access to the admin interface/brute force
attacks are still possible due to the proxy vulnerability!
SEC Consult Unternehmensberatung GmbH
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html
EOF J. Greil / @2009