Watchguard Hard-Coded Credentials / Failed Controls

WatchGuard Access Points running firmware before version suffer from hard-coded credential, hidden authentication, file upload, and incorrect validation vulnerabilities.

MD5 | 2ce103fc55de9e6fbe94f48a5f490449


Multiple vulnerabilities can be chained together in a number of
WatchGuard AP products which result in pre-authenticated remote code

The vendor has produced a knowledge-base article[1] and
announcement[2] regarding these issues.

ZX Security would like to commend the prompt response and resolution
of these reported issues by the vendor.


Several WatchGuard Access Points running firmware before v1.2.9.15 are
affected, including:
* AP100
* AP102
* AP200

The AP300 is also affected by issues 2, 3 and 4 when running firmware

The latest firmware update resolves these issues.

Technical Details

1) Hard-coded credentials

A hard-coded user exists in /etc/passwd. The vendor has requested the
specific password and hash be withheld until users can apply the
There is no way for a user of the access point to change this
password. An attacker who is aware of this password is able to access
the device over SSH and pivot network requests through the device,
though they may not run commands as the shell is set to /bin/false.

2) Hidden authentication method in web interface allows for
authentication bypass

The standard authentication method for accessing the webserver
involves submitting an HTML form. This uses a username and password
separate from the standard Linux based /etc/passwd authentication.
An alternative authentication method was identified from reviewing the
source code whereby setting the HTTP headers AUTH_USER and AUTH_PASS,
credentials are instead tested against the standard Linux /etc/passwd
file. This allows an attacker to use the hardcoded credentials found
previously (see 1. Hard-coded credentials) to gain web access to the
An example command that demonstrates this issue is:
curl https://watchguard-ap200/cgi-bin/luci -H "AUTH_USER:
admin" -H "AUTH_PASS: [REDACTED]" -k -v

This session allows for complete access to the web interface as an

3) Hidden "wgupload" functionality allows for file uploads as root and
remote code execution

Reviewing the code reveals file upload functionality that is not shown
to the user via the web interface. An attacker needs only a serial
number (which is displayed to the user when they login to the device
through the standard web interface and can be retrieved
programmatically) and a valid session.
An example request to demonstrate this issue is:
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-bin/luci/;#{stok}/wgupload",
'headers' => {
'AUTH_USER' => 'admin',
'cookie' => "#{sysauth}; serial=#{serial};
filename=/www/cgi-bin/payload.luci; md5sum=fail",
'data' => "#!/usr/bin/lua
os.execute('touch /code-execution');

An attacker can then visit the URL
http://watchguard-ap200/cgi-bin/payload.luci to execute this command
(or any other command).

4) Change password functionality incorrectly verifies old password

The change password functionality within the web interface attempts to
verify the old password before setting a new one, however, this is
done through AJAX. An attacker is able to simply modify the JavaScript
to avoid this check or perform the POST request manually.

Metasploit Module

ZX Security will be releasing a Metasploit module which automates
exploitation of this chain of vulnerabilities. This has been delayed
till 30 days after the initial patch was made available to ensure
users are able to patch their devices.
The module and the hard-coded password will be released on May the 14th 2018.

Disclosure Timeline

Vendor notification: April 04, 2018
Vendor response: April 06, 2018
Firmware update released to public: April 13, 2018
Metasploit module release: May 14, 2018



Related Posts