Zyxel NWA50AX Pro Hit by N-Day Flaw Allowing Arbitrary File Deletion

The Zyxel NWA50AX Pro, a WiFi 6 access point for small businesses, has been found exposed to an n-day flaw that allows arbitrary file deletion via a misconfigured CGI endpoint.

This issue, tracked as CVE-2024-29974, highlights the risks of shared codebases and incomplete patching in embedded devices.

Discovery and Technical Analysis

The flaw was identified during a casual vulnerability research session, where the researcher analyzed the device’s firmware and web server configuration.

The Zyxel NWA50AX Pro runs a lighttpd web server, with configuration files referencing modules such as mod_access, mod_alias, mod_redirect, mod_rewrite, mod_setenv, and mod_openssl.

The document root is set to /usr/local/zyxel-gui/htdocs, and CGI binaries implement the web functionality.

Authentication is managed by custom configuration files like auth_zyxel.conf, which define global and user-specific URL whitelists using parameters such as AuthZyxelSkipPattern and AuthZyxelSkipUserPattern.

By enumerating these whitelisted paths, the researcher found that certain CGI endpoints, including /cgi-bin/file_upload-cgi, could be accessed without authentication under specific URL permutations.

Static analysis using Ghidra revealed that the file_upload-cgi binary processes user-supplied parameters such as file_path, file_path.length, and file_path.filename.

The code concatenates the user-controlled file_path.filename to a static /tmp directory using snprintf, creating a path traversal vulnerability.

The binary then calls unlink to delete the specified file and rename to move another file in its place.
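
The path-building pattern described above, shown beside a hardened form. This is an added example, not Zyxel's firmware code or the researcher's; the function names and sample filenames are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define UPLOAD_DIR "/tmp"   /* base directory named in the article */

/* Pattern the article describes: the client-supplied name is appended to
 * the base directory unchecked, so "../" segments survive into the path
 * later handed to unlink(). Returns 0 on success, -1 on truncation. */
int build_path_unsafe(char *out, size_t n, const char *filename)
{
    int len = snprintf(out, n, "%s/%s", UPLOAD_DIR, filename);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hardened form: accept exactly one path component, refuse everything else. */
int build_path_safe(char *out, size_t n, const char *filename)
{
    if (filename == NULL || filename[0] == '\0')
        return -1;
    if (strchr(filename, '/') != NULL)            /* no directory separators */
        return -1;
    if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0)
        return -1;
    int len = snprintf(out, n, "%s/%s", UPLOAD_DIR, filename);
    if (len < 0 || (size_t)len >= n)
        return -1;                                /* truncated: do not act on it */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the article. */
    const char *samples[] = { "logo.png", "../etc/example.conf", ".." };
    char path[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_path_unsafe(path, sizeof path, samples[i]);
        printf("unsafe: %-22s -> %s\n", samples[i], path);
        if (build_path_safe(path, sizeof path, samples[i]) == 0)
            printf("safe:   %-22s -> %s\n", samples[i], path);
        else
            printf("safe:   %-22s -> rejected\n", samples[i]);
    }
    return 0;
}
```

Validating the name only closes the traversal; the unauthenticated reachability of the endpoint is a separate defect that the authentication configuration has to address.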

By crafting a POST request with manipulated parameters, an attacker can delete arbitrary files on the device, such as the login page logo image, without authentication.

A proof-of-concept POST request to /cgi-bin/file_upload-cgi/images with a crafted payload successfully deleted a critical file, demonstrating the arbitrary file deletion primitive.

This vulnerability could be leveraged for further attacks, such as replacing configuration or password files, potentially leading to privilege escalation or denial of service.

Patch Status and Broader Implications

Newer firmware versions attempt to patch the flaw by checking for authentication cookies like authtok=, but many devices remain unpatched and exposed on the public internet.

The issue underscores the challenges of vulnerability management in environments where code reuse is prevalent and CVE coverage is incomplete.

The CVE-2024-29974 flaw in the Zyxel NWA50AX Pro exemplifies the risks of insufficiently secured embedded devices and the importance of rigorous vulnerability research.

Administrators are urged to review their device firmware and apply available patches to mitigate the risk of arbitrary file deletion attacks.
