Watchguard Hard-Coded Credentials / Failed Controls

2018-05-03 00:00:00
Stephen Shkardoon
packetstormsecurity.com

EPSS: 0.004
Percentile: 74.7%

Introduction
============
  
Multiple vulnerabilities can be chained together in a number of  
WatchGuard AP products which result in pre-authenticated remote code  
execution.  
  
The vendor has produced a knowledge-base article[1] and  
announcement[2] regarding these issues.  
  
ZX Security would like to commend the prompt response and resolution  
of these reported issues by the vendor.  
  
Product  
=======  
  
Several WatchGuard Access Points running firmware before v1.2.9.15 are  
affected, including:  
* AP100  
* AP102  
* AP200  
  
The AP300 is also affected by issues 2, 3 and 4 when running firmware  
before 2.0.0.10.  
  
The latest firmware update resolves these issues.  
  
Technical Details  
=================  
  
1) Hard-coded credentials  
-------------------------  
CVE-2018-10575  
  
A hard-coded user exists in /etc/passwd. The vendor has requested the  
specific password and hash be withheld until users can apply the  
patch.  
There is no way for a user of the access point to change this  
password. An attacker who is aware of this password is able to access  
the device over SSH and pivot network requests through the device,  
though they may not run commands as the shell is set to /bin/false.  
  
2) Hidden authentication method in web interface allows for authentication bypass
----------------------------------------------------------------------------------
CVE-2018-10576  
  
The standard authentication method for accessing the webserver  
involves submitting an HTML form. This uses a username and password  
separate from the standard Linux based /etc/passwd authentication.  
An alternative authentication method was identified while reviewing the
source code: when the HTTP headers AUTH_USER and AUTH_PASS are set, the
supplied credentials are instead tested against the standard Linux
/etc/passwd file. This allows an attacker to use the hard-coded
credentials described previously (see 1. Hard-coded credentials) to gain
web access to the device.
An example command that demonstrates this issue is:

  curl https://watchguard-ap200/cgi-bin/luci -H "AUTH_USER: admin" -H "AUTH_PASS: [REDACTED]" -k -v
  
This session allows for complete access to the web interface as an  
administrator.  
  
3) Hidden "wgupload" functionality allows for file uploads as root and remote code execution
--------------------------------------------------------------------------------------------
CVE-2018-10577  
  
Reviewing the code reveals file upload functionality that is not shown  
to the user via the web interface. An attacker needs only a serial  
number (which is displayed to the user when they login to the device  
through the standard web interface and can be retrieved  
programmatically) and a valid session.  
An example request (Metasploit, using the send_request_cgi helper) to
demonstrate this issue is:

  # stok, sysauth and serial are taken from the valid session and the
  # serial number obtained as described above.
  res = send_request_cgi({
    'method'  => 'POST',
    'uri'     => "/cgi-bin/luci/;#{stok}/wgupload",
    'headers' => {
      'AUTH_USER' => 'admin',
      'AUTH_PASS' => '[REDACTED]',
    },
    # The upload target path and an (ignored) checksum are carried in the cookie.
    'cookie'  => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail",
    'data'    => "#!/usr/bin/lua\nos.execute('touch /code-execution');"
  })
  
An attacker can then visit the URL  
http://watchguard-ap200/cgi-bin/payload.luci to execute this command  
(or any other command).  
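A small defender-side check for the two web-interface issues above (the hidden header-based authentication and the hidden wgupload endpoint), added here as an example; it is not from the advisory or from the vendor. It assumes raw requests including headers are available, for instance from a reverse proxy or IDS in front of the access point, and runs over constructed sample requests.

```python
"""Flag HTTP requests matching the WatchGuard AP chain (hidden header auth + wgupload)."""
import re
from typing import Dict, List, Tuple

# Constructed sample requests (not real captures), modelled on the advisory's examples.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/luci HTTP/1.1\r\nHost: ap\r\nAUTH_USER: admin\r\nAUTH_PASS: x\r\n\r\n",
    "POST /cgi-bin/luci/;stok=abc123/wgupload HTTP/1.1\r\nHost: ap\r\n"
    "Cookie: sysauth=deadbeef; serial=SN1; filename=/www/cgi-bin/payload.luci; md5sum=fail\r\n\r\n",
    "GET /cgi-bin/luci HTTP/1.1\r\nHost: ap\r\nCookie: sysauth=deadbeef\r\n\r\n",
]

# The upload endpoint is reached as /cgi-bin/luci/;<session token>/wgupload
WGUPLOAD_RE = re.compile(r"^/cgi-bin/luci/;[^/]*/wgupload(?:[?#]|$)")
COOKIE_FILENAME_RE = re.compile(r"(?:^|;\s*)filename=")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, headers); header names upper-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return method, path, headers


def findings(raw: str) -> List[str]:
    """Return the indicators from the advisory that this request exhibits."""
    method, path, headers = parse_request(raw)
    hits: List[str] = []
    if "AUTH_USER" in headers or "AUTH_PASS" in headers:
        hits.append("hidden-header-auth")  # CVE-2018-10576: /etc/passwd auth via headers
    if method == "POST" and WGUPLOAD_RE.match(path):
        hits.append("wgupload")  # CVE-2018-10577: hidden upload endpoint (runs as root)
    cookie = headers.get("COOKIE", "")
    if COOKIE_FILENAME_RE.search(cookie):
        hits.append("cookie-filename")  # upload target path carried in the cookie
    return hits


def scan(requests: List[str]) -> Dict[int, List[str]]:
    """Map request index -> indicators, for requests that hit at least one."""
    flagged: Dict[int, List[str]] = {}
    for i, raw in enumerate(requests):
        hits = findings(raw)
        if hits:
            flagged[i] = hits
    return flagged
```

Any hit on "hidden-header-auth" or "wgupload" from an unpatched AP (firmware before 1.2.9.15, or 2.0.0.10 on the AP300) warrants treating the device as compromised until reviewed.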
  
4) Change password functionality incorrectly verifies old password  
------------------------------------------------------------------  
CVE-2018-10578  
  
The change password functionality within the web interface attempts to
verify the old password before setting a new one; however, this check is
performed client-side through AJAX rather than being enforced by the
server. An attacker is able to simply modify the JavaScript to skip the
check or perform the POST request manually.
  
Metasploit Module  
=================  
  
ZX Security will be releasing a Metasploit module which automates
exploitation of this chain of vulnerabilities. This has been delayed
until 30 days after the initial patch was made available to ensure
users are able to patch their devices.
The module and the hard-coded password will be released on May 14, 2018.
  
Disclosure Timeline  
===================  
  
Vendor notification: April 04, 2018  
Vendor response: April 06, 2018  
Firmware update released to public: April 13, 2018  
Metasploit module release: May 14, 2018  
  
References  
==========  
  
[1] https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy  
[2] https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes  
