dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
30694
share rss forum feed

Oligarchy

join:2008-02-12
San Diego, CA

1 edit

1 recommendation

2Wire Cross Site Request Forgery Vulnerability

This is cross-posted in the Security, but I wanted to ensure it was seen here.

This vulnerability allows any attacker to modify configuration of the 2Wire router (all models tested against have worked, 1000SW, 1701, 1801, 2700, 2701, 3700, 3800) and all software versions but 3.5.X.X.

»www.securityfocus.com/bid/27516/

The exploit tab isn't completely correct, because the URL shown has an invalid domain. Correct domains that work and the the most common are: gateway.2wire.net, home, and 192.168.1.254. Of course, you can change the IP to any RFC 1918 address, but I wouldn't expect too many users to have done that. Regardless, unless they change the DNS mapping of HOME and gateway.2wire.net, then they are vulnerable to a non-directed attack. The main point of the URL is to show that any attacker could change the password, and authenticate, with one command. The page that is vulnerable is the H04_POST page that is run through the xslt parser. It doesn't validate authentication before setting the password. A very simple check of requiring the old password would have worked great here.

How does this make you vulnerable?

The simplest method (and the currently seen method) is to include the URI in a IMG tag set to height 1 and width 1

The possibilities are endless with this. It could be put into a picture and posted in a thread here, on MySpace, Facebook, etc., or it could be put into an email targeted at specific ISPs that use 2Wire (BT, AT&T, Telmex, Qwest, or any other 2Wire customer I am not aware of)

»www.securityfocus.com/bid/27246

These may look the same, but there are differences. The core of the attack is the password change. You can't make any of the changes following (I.E., adding DNS entries) unless you have authenticated. The authentication attack in this is only valid for a certain period of time and you have to be lured while still using the same browser that authenticated. The other URIs are good examples of what's being used currently to include pharming attacks.

How to protect against it?

The attacks that have been see attempt three domains:
»gateway.2wire.net/
»home/
»192.168.1.254

The simplest way is to create a host file and map 127.0.0.1 to home and 2wire.gateway.net.

Windows example: »www.mvps.org/winhelp2002/hosts.htm

If you have the default IP of 192.168.1.254, then it would be best to change this a random value that is a RFC 1918 address (10.X.X.X, 192.168.X.X, or 172.16.X.X - 172.31.X.X)

This protects against the base of the attack, you can protect against some of the pharming attacks by not using your RG as the DNS resolver. Just view the addresses that the RG uses to resolve, and plug those into your IP settings. Ensure you clear your DNS cache using ipconfig /flushdns, if you're using windows


ydrol

join:2007-06-28

4 edits

On the bright side, would this be a way for people to access the MDC page, where the MDC password is super secret?

Update: I just tried this on by 2700HGV with BT 5.29.107.19 firmware , and it said an unknown error has occurred. But I might not be doing it right. I just went straight to the H04_POST and it asked me to choose a password and hint. I pressed next and got an unknown error has occurred then it took me back to the page.

Update: My mistake. The password was changed!! The Irony is the BT firmware runs without a password anyway so it was always open to abuse.
This is a good thing for all those locked mdc password
but a bad thing really


scsa20

join:2007-12-04
Queen Creek, AZ
reply to Oligarchy

Tested the password thing on my 1000HG running SBC firmware 4.25.19. It caused it to restart it but still changed the password.



plk
Premium
join:2002-04-20
united state

1 edit
reply to Oligarchy

Well, it reset my password, and the instructions on 2wire's web site do not work to restore it. Any suggestions?

2700HG-D Gateway
• Software: 4.25.19-QT01

»support.2wire.com/cgi-bin/twowir···opview=1
--
Thermaltake 2000a/Asus P4C-e/p4 3.4/ocz3500 2x512/WD.2x200g/raptor2x74 raid 0/ATI 9600/APC sua 1500/Logitech z-680/ Samsung 213t LCD/MX 1000


scsa20

join:2007-12-04
Queen Creek, AZ

Does it ask you for the 10 digit system key (which is the wireless WEP encryption code) or is it giving you a 20 digit number? If it's giving you a 20 digit number you'll have to call them.

What you can do, though, is if you go to that site and run the link with a password you do want to use, it should work again. If you don't want to do that, then the other way is by pressing and holding the reset button for 30 seconds to factory reset the modem.


Wake2

join:2005-04-30
reply to plk

plk try admin as the password.



koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
reply to Oligarchy

I have done this on my 2wire 3800HGV-B with firmware version 5.29.105.76 and it works. There is more that can be done than just changing the password and maybe adding a DNS redirect in the resolve page. I have been able to figure out the URL commands using the POST and SET pages to control almost every setting of the RG.

Great tips on how to secure yourself though, but still, the general population isn't going to want to or really know how to do that.


Oligarchy

join:2008-02-12
San Diego, CA

said by "kookid1563" :
I have done this on my 2wire 3800HGV-B with firmware version 5.29.105.76 and it works. There is more that can be done than just changing the password and maybe adding a DNS redirect in the resolve page. I have been able to figure out the URL commands using the POST and SET pages to control almost every setting of the RG.
agreed. you can change the wireless settings (SSID, change to WEP OR WPA or unsecured, or jsut change the passphrase for each) , change firewall settings, disable interfaces, reboot, etc. There's many hidden pages that you can't find through the interface if you just go up sequentially through the A, H, J, etcetera pages.


koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
reply to Oligarchy

I just thought that I would update this. AT&T has released a new firmware upgrade for the 3800 series 2wire RG that their U-verse service uses. It requires that a password always be set, and that the current password be known/entered to change it. They have also completely removed the DNS resolve page from the MDC. They released a UI hotfix not too long ago that made the H04 page unable to change the password, but this new firmware upgrade has deleted the UI hotfix as it has not only fixed what I mentioned above, but it has also removed the H04 password change page completely.


jandar1

join:2006-01-16
Middleburg, FL
reply to Oligarchy

2Wire 2701HG-B
Software: 5.29.109.11

With a system password set, none of those exploits work. It always prompts me to enter my current pass.

Simple enough fix.


sasparilla

join:2008-04-09
Round Lake, IL

said by jandar1:

2Wire 2701HG-B
Software: 5.29.109.11
With a system password set, none of those exploits work. It always prompts me to enter my current pass. Simple enough fix.
This sounds nice but 2Wire/AT&T must be rolling it out slowly - its apparantly only available to some people so far.

If I go to "View Available System Upgrades" on my AT&T/2Wire 2701HG-B, which has never been updated since it came from AT&T, it shows none available....Software version is 5.29.109.5. :-(

So, while a fix is supposedly out there, its apparantly not out there for everyone yet.


left_out

@sbcglobal.net

said by sasparilla:

This sounds nice but 2Wire/AT&T must be rolling it out slowly - its apparantly only available to some people so far.
AT&T claims they've already rolled it out to the majority of its customers. »tech.slashdot.org/tech/08/04/08/···14.shtml

None of this helps us poor HomePortal 1xxx users, since we can't use 5.xx firmwares. No update for us, it seems. My 1701HG remains very hackable. »AT&T claims this is fixed???


koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY

1 edit
reply to sasparilla

Note that the fix may not be in the form of a firmware upgrade. AT&T first fixed this issue on the 3800 series with a UI Hotfix that got applied. The firmware upgrade included the hotfix in it's code so the hotfix was no longer needed.

It might take awhile, but at least they are trying.


sasparilla

join:2008-04-09
Round Lake, IL

1 edit
reply to jandar1

said by jandar1:

2Wire 2701HG-B
Software: 5.29.109.11
With a system password set, none of those exploits work. It always prompts me to enter my current pass.
Hey Jandar, as an interested owner of another 2701GH-B that is susceptible to the exploits (got the 2701 from AT&T this week, v5.29.109.5), how did you get the updated firware?

As my 2701 is telling me no updates available when checking for firmware updates. And AT&T support site and 2Wire website do not have updates listed either.

Scott


trainerman

join:2005-06-30
Columbia, MO
reply to Oligarchy

Windows Xp
2700HGB Firmware 4.19.25

As a non-expert here, would running Open DNS make a difference in any of this? If not, could somone please explain to me and the lay people how to map home and gateway.2wire.net/ sites to the host file and to change the 192.168.1.254 to something else?

It would be greatly appreciated.

Thanks for your time!


bjparker

join:2004-09-13
England
reply to Oligarchy

said by Oligarchy:

...If you have the default IP of 192.168.1.254, then it would be best to change this a random value that is a RFC 1918 address (10.X.X.X, 192.168.X.X, or 172.16.X.X - 172.31.X.X)
I don't think this works: there seems to be a numerical address that could be used that always points to the router.

I'm no expert, but I got curious about an address an application was using and found it points to the 2-wire 2700 I have despite taking all the measures above.

Maybe I'm too cautious, but I don't think I'll post the number in public.

If this carries on unfixed I'm going to ditch this router.

bjparker

join:2004-09-13
England

[BQUOTE=bjparkerI don't think this works: there seems to be a numerical address that could be used that always points to the router.
[/BQUOTE

Update: phew, I can't use this numerical address for http even though ping works.

A little knowledge is certainly a dangerous thing!



koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY

1 edit

Be sure that you are changing the actual address of the 2wire and not just trying to go to it. On mine, that is on this page (using the default IP anyways): »192.168.1.254/xslt?PAGE=C06

Just out of curiosity, which program is it that you were referring to?


bjparker

join:2004-09-13
England

said by koolkid1563:

Be sure that you are changing the actual address of the 2wire and not just trying to go to it. On mine, that is on this page (using the default IP anyways): »192.168.1.254/xslt?PAGE=C06

Just out of curiosity, which program is it that you were referring to?
Yes, I have changed it and checked with ipconfig.

No, I'm not going to post the number in public, or even in private unless someone proves to me thay are a network security professional. Sorry!

I still don't fully understand the implications of what I've discovered.


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
·Comcast

Are you sure that the mystery application is not simply using the hostname gateway.2wire.net instead of a hard coded IP address? If you are using the 2wire router for DNS resolution, that hostname will always resolve to the current IP address for the router.

Of course since you refuse to provide any details, any answer will simply be a wild guess.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.


bjparker

join:2004-09-13
England

2 edits
reply to Oligarchy

I've probably started a very red herring here! A little knowledge is a dangerous thing!

I'll tell you the story now because it seems to have vanished.

I recently installed Pidgin because I became fed-up with the connection diarrhoea from Yahoo IM. My software firewall was in learning mode and learnt to allow Pidgin to connect to 239.255.255.250 . When I pinged this address the router responded, despite having it's address set to 192.168.n.m and no router DNS or DHCP. Then I checked and found it to be a IP multicast address only, and found it would not accept http when I tried.

I did wonder whether Pidgin used broadcast mode to do its UPnP bit of opening ports. My ignorance is total in this area.

Now I can't replicate the behaviour! I can't even ping that address!

Apologies for winding you all up about it, it really was not intentional.

EDIT - Aha! I view some video on youtube and lo:

Pinging 239.255.255.250 with 32 bytes of data:

Reply from 192.168.n.m: bytes=32 time=1ms TTL=255

Reply from 192.168.n.m: bytes=32 time=1ms TTL=255

Reply from 192.168.n.m: bytes=32 time=1ms TTL=255

Reply from 192.168.n.m: bytes=32 time=1ms TTL=255

Ping statistics for 239.255.255.250:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 1ms, Average = 1ms

Note that I've edited my router address.



koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY

Is n.m the default 1.254, or is it whatever IP you have moved the 2wire to?


sodagreen

join:2007-01-13
Taiwan
reply to Oligarchy

Here are AT&T's instructions on how to verify you have been patched and are secure. »helpme.att.net/article.php?item=11659


remarc

join:2007-08-10
Philippines

well... finally, a new patch. its loong been overdue. lolz!



jr9730

join:2000-11-22
Torrance, CA
reply to Oligarchy

Chances are its been on your 2Wire for weeks to months by now without you knowing it.. : )