http://www.dslreports.com/forum/2Wire-Cross-Site-Request-Forgery-Vulnerability-19987755 en Sat, 25 May 2013 19:05:17 EDT Sat, 25 May 2013 19:05:17 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20571216 http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20571216 Sat, 31 May 2008 23:58:55 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20529272 http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20529272 Fri, 23 May 2008 13:19:05 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20520218 helpme.att.net/article.php?item=11659]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20520218 Wed, 21 May 2008 20:51:48 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20435951 http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20435951 Mon, 05 May 2008 17:57:14 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20432960
I'll tell you the story now because it seems to have vanished.

I recently installed Pidgin because I became fed-up with the connection diarrhoea from Yahoo IM. My software firewall was in learning mode and learnt to allow Pidgin to connect to 239.255.255.250 . When I pinged this address the router responded, despite having it's address set to 192.168.n.m and no router DNS or DHCP. Then I checked and found it to be a IP multicast address only, and found it would not accept http when I tried.

I did wonder whether Pidgin used broadcast mode to do its UPnP bit of opening ports. My ignorance is total in this area.

Now I can't replicate the behaviour! I can't even ping that address!

Apologies for winding you all up about it, it really was not intentional.

EDIT - Aha! I view some video on youtube and lo:

Pinging 239.255.255.250 with 32 bytes of data:

Reply from 192.168.n.m: bytes=32 time=1ms TTL=255

Reply from 192.168.n.m: bytes=32 time=1ms TTL=255

Reply from 192.168.n.m: bytes=32 time=1ms TTL=255

Reply from 192.168.n.m: bytes=32 time=1ms TTL=255

Ping statistics for 239.255.255.250:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 1ms, Average = 1ms

Note that I've edited my router address.]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20432960 Mon, 05 May 2008 03:40:41 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20432651
Of course since you refuse to provide any details, any answer will simply be a wild guess.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20432651 Mon, 05 May 2008 00:58:26 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20429171 said by koolkid1563:

Be sure that you are changing the actual address of the 2wire and not just trying to go to it. On mine, that is on this page (using the default IP anyways): »192.168.1.254/xslt?PAGE=C06

Just out of curiosity, which program is it that you were referring to?
Yes, I have changed it and checked with ipconfig.

No, I'm not going to post the number in public, or even in private unless someone proves to me thay are a network security professional. Sorry!

I still don't fully understand the implications of what I've discovered.]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20429171 Sun, 04 May 2008 07:51:41 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20415388 192.168.1.254/xslt?PAGE=C06

Just out of curiosity, which program is it that you were referring to?]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20415388 Thu, 01 May 2008 09:51:58 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20412593 [/BQUOTE

Update: phew, I can't use this numerical address for http even though ping works.

A little knowledge is certainly a dangerous thing!]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20412593 Wed, 30 Apr 2008 18:49:44 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20412488 said by Oligarchy:

...If you have the default IP of 192.168.1.254, then it would be best to change this a random value that is a RFC 1918 address (10.X.X.X, 192.168.X.X, or 172.16.X.X - 172.31.X.X) I don't think this works: there seems to be a numerical address that could be used that always points to the router.

I'm no expert, but I got curious about an address an application was using and found it points to the 2-wire 2700 I have despite taking all the measures above.

Maybe I'm too cautious, but I don't think I'll post the number in public.

If this carries on unfixed I'm going to ditch this router.]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20412488 Wed, 30 Apr 2008 18:29:17 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20320384 2700HGB Firmware 4.19.25

As a non-expert here, would running Open DNS make a difference in any of this? If not, could somone please explain to me and the lay people how to map home and gateway.2wire.net/ sites to the host file and to change the 192.168.1.254 to something else?

It would be greatly appreciated.

Thanks for your time!]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20320384 Fri, 11 Apr 2008 20:52:06 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20314687 said by jandar1:

2Wire 2701HG-B
Software: 5.29.109.11
With a system password set, none of those exploits work. It always prompts me to enter my current pass. Hey Jandar, as an interested owner of another 2701GH-B that is susceptible to the exploits (got the 2701 from AT&T this week, v5.29.109.5), how did you get the updated firware?

As my 2701 is telling me no updates available when checking for firmware updates. And AT&T support site and 2Wire website do not have updates listed either.

Scott]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20314687 Thu, 10 Apr 2008 18:40:20 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20309255
It might take awhile, but at least they are trying.]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20309255 Wed, 09 Apr 2008 16:15:06 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20309101 said by sasparilla:

This sounds nice but 2Wire/AT&T must be rolling it out slowly - its apparantly only available to some people so far. AT&T claims they've already rolled it out to the majority of its customers. »tech.slashdot.org/tech/08/04/08/···14.shtml

None of this helps us poor HomePortal 1xxx users, since we can't use 5.xx firmwares. No update for us, it seems. My 1701HG remains very hackable. »AT&T claims this is fixed???]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20309101 Wed, 09 Apr 2008 15:51:22 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20308651 said by jandar1:

2Wire 2701HG-B
Software: 5.29.109.11
With a system password set, none of those exploits work. It always prompts me to enter my current pass. Simple enough fix.
This sounds nice but 2Wire/AT&T must be rolling it out slowly - its apparantly only available to some people so far.

If I go to "View Available System Upgrades" on my AT&T/2Wire 2701HG-B, which has never been updated since it came from AT&T, it shows none available....Software version is 5.29.109.5. :-(

So, while a fix is supposedly out there, its apparantly not out there for everyone yet. :hmm:]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20308651 Wed, 09 Apr 2008 14:21:30 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20304523 Software: 5.29.109.11

With a system password set, none of those exploits work. It always prompts me to enter my current pass.

Simple enough fix.]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20304523 Tue, 08 Apr 2008 19:10:51 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20298110 http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20298110 Mon, 07 Apr 2008 16:54:07 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20040826 said by "kookid1563" :

---

I have done this on my 2wire 3800HGV-B with firmware version 5.29.105.76 and it works. There is more that can be done than just changing the password and maybe adding a DNS redirect in the resolve page. I have been able to figure out the URL commands using the POST and SET pages to control almost every setting of the RG.

---

agreed. you can change the wireless settings (SSID, change to WEP OR WPA or unsecured, or jsut change the passphrase for each) , change firewall settings, disable interfaces, reboot, etc. There's many hidden pages that you can't find through the interface if you just go up sequentially through the A, H, J, etcetera pages.]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20040826 Thu, 21 Feb 2008 23:25:35 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20024315
Great tips on how to secure yourself though, but still, the general population isn't going to want to or really know how to do that.]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20024315 Tue, 19 Feb 2008 14:05:38 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20017113 http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20017113 Mon, 18 Feb 2008 12:42:51 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20015472
What you can do, though, is if you go to that site and run the link with a password you do want to use, it should work again. If you don't want to do that, then the other way is by pressing and holding the reset button for 30 seconds to factory reset the modem.]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20015472 Mon, 18 Feb 2008 02:36:02 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20014198
2700HG-D Gateway
• Software: 4.25.19-QT01


»support.2wire.com/cgi-bin/twowir···opview=1
--
Thermaltake 2000a/Asus P4C-e/p4 3.4/ocz3500 2x512/WD.2x200g/raptor2x74 raid 0/ATI 9600/APC sua 1500/Logitech z-680/ Samsung 213t LCD/MX 1000]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-20014198 Sun, 17 Feb 2008 20:23:56 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-19991925 http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-19991925 Wed, 13 Feb 2008 22:36:50 EDT http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-19988691
Update: I just tried this on by 2700HGV with BT 5.29.107.19 firmware , and it said an unknown error has occurred. But I might not be doing it right. I just went straight to the H04_POST and it asked me to choose a password and hint. I pressed next and got an unknown error has occurred then it took me back to the page.

Update: My mistake. The password was changed!! The Irony is the BT firmware runs without a password anyway so it was always open to abuse.
This is a good thing for all those locked mdc password :)
but a bad thing really :)]]> http://www.dslreports.com/forum/Re-2Wire-Cross-Site-Request-Forgery-Vulnerability-19988691 Wed, 13 Feb 2008 14:27:13 EDT http://www.dslreports.com/forum/2Wire-Cross-Site-Request-Forgery-Vulnerability-19987755
This vulnerability allows any attacker to modify configuration of the 2Wire router (all models tested against have worked, 1000SW, 1701, 1801, 2700, 2701, 3700, 3800) and all software versions but 3.5.X.X.

»www.securityfocus.com/bid/27516/

The exploit tab isn't completely correct, because the URL shown has an invalid domain. Correct domains that work and the the most common are: gateway.2wire.net, home, and 192.168.1.254. Of course, you can change the IP to any RFC 1918 address, but I wouldn't expect too many users to have done that. Regardless, unless they change the DNS mapping of HOME and gateway.2wire.net, then they are vulnerable to a non-directed attack. The main point of the URL is to show that any attacker could change the password, and authenticate, with one command. The page that is vulnerable is the H04_POST page that is run through the xslt parser. It doesn't validate authentication before setting the password. A very simple check of requiring the old password would have worked great here.

How does this make you vulnerable?

The simplest method (and the currently seen method) is to include the URI in a IMG tag set to height 1 and width 1

The possibilities are endless with this. It could be put into a picture and posted in a thread here, on MySpace, Facebook, etc., or it could be put into an email targeted at specific ISPs that use 2Wire (BT, AT&T, Telmex, Qwest, or any other 2Wire customer I am not aware of)

»www.securityfocus.com/bid/27246

These may look the same, but there are differences. The core of the attack is the password change. You can't make any of the changes following (I.E., adding DNS entries) unless you have authenticated. The authentication attack in this is only valid for a certain period of time and you have to be lured while still using the same browser that authenticated. The other URIs are good examples of what's being used currently to include pharming attacks.

How to protect against it?

The attacks that have been see attempt three domains:
»gateway.2wire.net/
»home/
»192.168.1.254

The simplest way is to create a host file and map 127.0.0.1 to home and 2wire.gateway.net.

Windows example: »www.mvps.org/winhelp2002/hosts.htm

If you have the default IP of 192.168.1.254, then it would be best to change this a random value that is a RFC 1918 address (10.X.X.X, 192.168.X.X, or 172.16.X.X - 172.31.X.X)

This protects against the base of the attack, you can protect against some of the pharming attacks by not using your RG as the DNS resolver. Just view the addresses that the RG uses to resolve, and plug those into your IP settings. Ensure you clear your DNS cache using ipconfig /flushdns, if you're using windows]]> http://www.dslreports.com/forum/2Wire-Cross-Site-Request-Forgery-Vulnerability-19987755 Wed, 13 Feb 2008 12:19:31 EDT