jr9730
join:2000-11-22
Torrance, CA | reply to Oligarchy
Re: 2Wire Cross Site Request Forgery Vulnerability
Chances are its been on your 2Wire for weeks to months by now without you knowing it.. : ) |
|
remarc
join:2007-08-10
Philippines | reply to sodagreen
well... finally, a new patch. its loong been overdue. lolz! |
|
sodagreen
join:2007-01-13
Taiwan | reply to Oligarchy
Here are AT&T's instructions on how to verify you have been patched and are secure. »helpme.att.net/article.php?item=11659 |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs: | reply to bjparker
Is n.m the default 1.254, or is it whatever IP you have moved the 2wire to? |
|
bjparker
join:2004-09-13
England
2 edits | reply to Oligarchy
I've probably started a very red herring here! A little knowledge is a dangerous thing!
I'll tell you the story now because it seems to have vanished.
I recently installed Pidgin because I became fed-up with the connection diarrhoea from Yahoo IM. My software firewall was in learning mode and learnt to allow Pidgin to connect to 239.255.255.250 . When I pinged this address the router responded, despite having it's address set to 192.168.n.m and no router DNS or DHCP. Then I checked and found it to be a IP multicast address only, and found it would not accept http when I tried.
I did wonder whether Pidgin used broadcast mode to do its UPnP bit of opening ports. My ignorance is total in this area.
Now I can't replicate the behaviour! I can't even ping that address!
Apologies for winding you all up about it, it really was not intentional.
EDIT - Aha! I view some video on youtube and lo:
Pinging 239.255.255.250 with 32 bytes of data:
Reply from 192.168.n.m: bytes=32 time=1ms TTL=255
Reply from 192.168.n.m: bytes=32 time=1ms TTL=255
Reply from 192.168.n.m: bytes=32 time=1ms TTL=255
Reply from 192.168.n.m: bytes=32 time=1ms TTL=255
Ping statistics for 239.255.255.250:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
Note that I've edited my router address. |
|
NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
 ·Vonage
 ·AT&T Southeast
 ·Cingular Wireless
·AT&T CallVantage
| reply to bjparker
Are you sure that the mystery application is not simply using the hostname gateway.2wire.net instead of a hard coded IP address? If you are using the 2wire router for DNS resolution, that hostname will always resolve to the current IP address for the router.
Of course since you refuse to provide any details, any answer will simply be a wild guess.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall. |
|
bjparker
join:2004-09-13
England
| reply to koolkid1563
said by koolkid1563  :Be sure that you are changing the actual address of the 2wire and not just trying to go to it. On mine, that is on this page (using the default IP anyways): » 192.168.1.254/xslt?PAGE=C06Just out of curiosity, which program is it that you were referring to? Yes, I have changed it and checked with ipconfig.
No, I'm not going to post the number in public, or even in private unless someone proves to me thay are a network security professional. Sorry!
I still don't fully understand the implications of what I've discovered. |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs:
 ·Bresnan Online
1 edit | reply to bjparker
Be sure that you are changing the actual address of the 2wire and not just trying to go to it. On mine, that is on this page (using the default IP anyways): »192.168.1.254/xslt?PAGE=C06
Just out of curiosity, which program is it that you were referring to? |
|
bjparker
join:2004-09-13
England
| reply to bjparker
[BQUOTE=bjparkerI don't think this works: there seems to be a numerical address that could be used that always points to the router.
[/BQUOTE
Update: phew, I can't use this numerical address for http even though ping works.
A little knowledge is certainly a dangerous thing! |
|
bjparker
join:2004-09-13
England
| reply to Oligarchy
said by Oligarchy :...If you have the default IP of 192.168.1.254, then it would be best to change this a random value that is a RFC 1918 address (10.X.X.X, 192.168.X.X, or 172.16.X.X - 172.31.X.X) I don't think this works: there seems to be a numerical address that could be used that always points to the router.
I'm no expert, but I got curious about an address an application was using and found it points to the 2-wire 2700 I have despite taking all the measures above.
Maybe I'm too cautious, but I don't think I'll post the number in public.
If this carries on unfixed I'm going to ditch this router. |
|
trainerman
join:2005-06-30
Columbia, MO
| reply to Oligarchy
Windows Xp
2700HGB Firmware 4.19.25
As a non-expert here, would running Open DNS make a difference in any of this? If not, could somone please explain to me and the lay people how to map home and gateway.2wire.net/ sites to the host file and to change the 192.168.1.254 to something else?
It would be greatly appreciated.
Thanks for your time! |
|
sasparilla
join:2008-04-09
Round Lake, IL
1 edit | reply to jandar
said by jandar :2Wire 2701HG-B Software: 5.29.109.11 With a system password set, none of those exploits work. It always prompts me to enter my current pass. Hey Jandar, as an interested owner of another 2701GH-B that is susceptible to the exploits (got the 2701 from AT&T this week, v5.29.109.5), how did you get the updated firware?
As my 2701 is telling me no updates available when checking for firmware updates. And AT&T support site and 2Wire website do not have updates listed either.
Scott |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs:
·Bresnan Online
1 edit | reply to sasparilla
Note that the fix may not be in the form of a firmware upgrade. AT&T first fixed this issue on the 3800 series with a UI Hotfix that got applied. The firmware upgrade included the hotfix in it's code so the hotfix was no longer needed.
It might take awhile, but at least they are trying. |
|
left_out
@sbcglobal.net
| reply to sasparilla
said by sasparilla :This sounds nice but 2Wire/AT&T must be rolling it out slowly - its apparantly only available to some people so far. AT&T claims they've already rolled it out to the majority of its customers. »tech.slashdot.org/tech/08/04/08/···14.shtml
None of this helps us poor HomePortal 1xxx users, since we can't use 5.xx firmwares. No update for us, it seems. My 1701HG remains very hackable. »AT&T claims this is fixed??? |
|
sasparilla
join:2008-04-09
Round Lake, IL
| reply to jandar
said by jandar :2Wire 2701HG-B Software: 5.29.109.11 With a system password set, none of those exploits work. It always prompts me to enter my current pass. Simple enough fix. This sounds nice but 2Wire/AT&T must be rolling it out slowly - its apparantly only available to some people so far.
If I go to "View Available System Upgrades" on my AT&T/2Wire 2701HG-B, which has never been updated since it came from AT&T, it shows none available....Software version is 5.29.109.5. :-(
So, while a fix is supposedly out there, its apparantly not out there for everyone yet.  |
|
jandar
join:2006-01-16
Middleburg, FL | reply to Oligarchy
2Wire 2701HG-B
Software: 5.29.109.11
With a system password set, none of those exploits work. It always prompts me to enter my current pass.
Simple enough fix. |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs:
·Bresnan Online
| reply to Oligarchy
I just thought that I would update this. AT&T has released a new firmware upgrade for the 3800 series 2wire RG that their U-verse service uses. It requires that a password always be set, and that the current password be known/entered to change it. They have also completely removed the DNS resolve page from the MDC. They released a UI hotfix not too long ago that made the H04 page unable to change the password, but this new firmware upgrade has deleted the UI hotfix as it has not only fixed what I mentioned above, but it has also removed the H04 password change page completely. |
|
Oligarchy
join:2008-02-12
San Diego, CA
| reply to koolkid1563
said by "kookid1563" :
I have done this on my 2wire 3800HGV-B with firmware version 5.29.105.76 and it works. There is more that can be done than just changing the password and maybe adding a DNS redirect in the resolve page. I have been able to figure out the URL commands using the POST and SET pages to control almost every setting of the RG.
agreed. you can change the wireless settings (SSID, change to WEP OR WPA or unsecured, or jsut change the passphrase for each) , change firewall settings, disable interfaces, reboot, etc. There's many hidden pages that you can't find through the interface if you just go up sequentially through the A, H, J, etcetera pages. |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs:
·Bresnan Online
| reply to Oligarchy
I have done this on my 2wire 3800HGV-B with firmware version 5.29.105.76 and it works. There is more that can be done than just changing the password and maybe adding a DNS redirect in the resolve page. I have been able to figure out the URL commands using the POST and SET pages to control almost every setting of the RG.
Great tips on how to secure yourself though, but still, the general population isn't going to want to or really know how to do that. |
|
Wake2
join:2005-04-30 | reply to plk
plk try admin as the password. |
|
