evad123
@pacbell.net

evad123

Anon

DNS Hijack on 2wire routers?

Hi everybody,
Just yesterday I noticed I couldn't access google.com. I didn't figure out what happened until I ran a ping to google.com and it returned the IP address 85.207.10.68, which did not seem like the Google IP address. I confirmed this by running online ping tools, which resolved google.com to something else.

What is interesting is that after googling the above result, I came across this:
»pastebin.com/m371e42e7
It would seem it is a rather simple attack where a page would load a fake image with URLs that attempt to change the 2wire's DNS name table. When I checked my 2wire DNS name table, of course google.com is there along with others on that page.
I am rather concerned with this, it seems that I happened to visit some website that contained the above code and just so happened to be also authenticated in my 2wire setup interface (I log in often to monitor line quality). I'm not sure what I can do to prevent this and it is highly disturbing. Any thoughts?

Thank you.
upb
Premium Member
join:2004-03-15
Carriere, MS

upb

Premium Member

You appear to be describing the 2wire vulnerability discussed below in the thread »2Wire Cross Site Request Forgery Vulnerability

Several ways of protecting yourself from the vulnerability are suggested there.

jr9730
join:2000-11-22
Torrance, CA

jr9730

Member

The fix is under way.
bjparker
join:2004-09-13
England

bjparker

Member

said by jr9730:

The fix is under way.
When? My router got attacked today, for the second time in a month; fortunately I had a partial fix in place that just meant the DNS stopped working (presumably they block OpenDNS).

These exploits have been talked of for 1 year and in the wild for about 3 months!

Does 2wire actually do anything?
muiredised
ESSE QUAM VIDERI
join:2007-06-11
Tacoma, WA

muiredised

Member

You can implement a temporary fix yourself. The first post in the following thread describes how to protect yourself until 2wire fixes the issue »2Wire Cross Site Request Forgery Vulnerability .

Here is a short summary:

First, change the IP scheme that the 2wire is using for your home network. Specifically, change the IP address of the 2wire router itself. This will prevent attacks against 192.168.1.254.

Next you have to prevent attacks against the domains "home" and "gateway.2wire.net". You can do this a couple of ways. You can modify your hosts file and point those domains to 127.0.0.1... or you can hardcode the DNS settings into your computer so that your computer is not using the 2wire to resolve domain names.

Of course the bottom line is 2wire needs to plug this hole. When will that happen? Who knows.

no_fix_4U
@sbcglobal.net

no_fix_4U to evad123

Anon

to evad123

AT&T claims this is fixed???

So this story shows up on Slashdot »tech.slashdot.org/tech/0 ··· 14.shtml
and AT&T responds by claiming they've already fixed this problem for most all their users. But my 1701HG has 4.25.19 and it's still easily hijacked. It seems some of the 5.xx firmwares are fixed, but that doesn't work on older homeportals.

This exploit still works on my box:
http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin
http://192.168.1.254/xslt?PAGE=A02_POST&PASSWORD=admin&THISPAGE=J38&NEXTPAGE=J38_SET&ADDR=127.0.0.1&NAME=ww.example.com
 

The first URL sets my password without asking for confirmation. The second URL hijacks www.example.com to 127.0.0.1.

So is AT&T just feeding us a line?

ctceo
Premium Member
join:2001-04-26
South Bend, IN

3 edits

ctceo

Premium Member

I'm running in the BETA pool 4.25.19 on a 1000HG

Exploit 1 brings up the "Page not Found" screen.
Exploit 2 brings up the "Enter the Password" Screen.

If your passwords were set to "admin", you'd definitely have a problem on your hands, and as for the first one, if you have no password set, you might have an issue, as this SETS your password to whatever the attacker wants. He's then free to run exploit #2, assuming that the host site used is ready for the embed.

I recommend that everyone who uses a vulnerable 2Wire SET A SYSTEM PASSWORD other than "admin". I use 5 letters & 5 numbers, caps & lowercase; no spaces or characters is OK.
sasparilla
join:2008-04-09
Round Lake, IL

sasparilla to no_fix_4U

Member

to no_fix_4U
said by no_fix_4U :

So is AT&T just feeding us a line?
It definitely makes me wonder if this just wasn't spin control on AT&T's part. Supposedly, 2Wire's/AT&T's fixes have been out in the wild for my 2701 for several days, but checking for a firmware update shows no updates available.

The v5.29.109.5 software on my AT&T 2701 (that I got this last week) is fully exploitable (just verified that the exploits work on it). (Supposedly another user's v5.29.109.11 is the fixed version)

Seems like spin control to me, at this point.

no_fix_4U
@sbcglobal.net

no_fix_4U to ctceo

Anon

to ctceo
said by ctceo:

I'm running in the BETA pool 4.25.19 on a 1000HG

Exploit 1 brings up the "Page not Found" screen.
Exploit 2 brings up the "Enter the Password" Screen.

If your passwords were set to "admin", you'd definitely have a problem on your hands
So it sounds like there's a fixed beta 4.25.19 out there, or perhaps you have the UI hotfix that was mentioned. How did you get your beta version? My 4.25.19 is still vulnerable:

For me, the exploit works regardless of the password I have set. I've always had a strong password (8 characters, with numbers/punctuation), but the first exploit resets the password to "admin".

Apparently AT&T has not deployed the hotfix to me. Wish I could get updated - my 1701HG always tells me I have the latest version.

moewhitfield
@ameritech.net

moewhitfield to evad123

Anon

to evad123

Re: DNS Hijack on 2wire routers?

First exploit works on mine. Second one I am not going to test; already have enough issues with this box lol. But I did change its internal IP.

System Summary
System
Model: HomePortal 1000HW
Serial Number:
MAC Address:
Hardware Version: 2700-000364-006
Hardware Options: Wireless present
DSL Modem Type: ADSL
Current Software: 3.7.5

ctceo
Premium Member
join:2001-04-26
South Bend, IN

ctceo to no_fix_4U

Premium Member

to no_fix_4U

Re: AT&T claims this is fixed???

I've been on several hundred BETA lists in the last 15 years (games, hardware, software, MMOs), and I actually have to turn down some that I otherwise would love to participate in. As for the 2Wire, I was chosen based on a questionnaire that I got when I subscribed for at&t DSL back in early 2000. Since then I've had the pleasure of being part of the test groups for a couple of models and about 2 or 3 firmwares, including the latest 4.25.19.

They've been hush-hush about the vulnerability, so I'm sure, based on that and my experience with other earlier problems that the hardware had, that they're working on it. Due to that pretty pink sheet of paper that I have labeled Non-Disclosure Agreement blah blah, blah blah; in BOLD and UNDERLINE, I cannot comment any further.

Hunkydorey_in_OH to evad123

Anon

to evad123

Re: DNS Hijack on 2wire routers?

I have a friend of a friend who is working with AT&T people who are getting this going. Through this extended grapevine, I have been told that they have to check every single device type out there that AT&T has released before they can release the update.

I have one of their 2wire routers too and I have the same problem (but I already have the PW set and have changed the IP scheme), but I have been reassured by my friend's friend that doing these small fixes temporarily will patch the holes until it's released. They didn't tell me when, but I was told to hang in...

jonnyuser
@sbcglobal.net

jonnyuser

Anon

You think this is why my Xbox Live is failing the DNS test? It started on Friday. Nothing has been changed; it just won't connect due to failed DNS.

yes_fix_4u
@sbcglobal.net

yes_fix_4u to no_fix_4U

Anon

to no_fix_4U

Re: AT&T claims this is fixed???

It's a hotfix, not a firmware change. I have U-verse and they first pushed out a hotfix, then they updated the firmware fixing some other things. Look at your MDC page: »home/mdc at the bottom of the System Settings page and look for hotfix or uihotfix. My brother has normal ADSL and he has the patch and I believe it says hotfix. Oh, he has a 2701(?) and the firmware didn't change, just a component was added.

»New Firmware for 3800 Series

wiedzmin
@telus.net

wiedzmin to evad123

Anon

to evad123

Re: DNS Hijack on 2wire routers?

You can change your default subnet range and point the default hostnames of the router into nowhere and unless the exploit will be specifically crafted for the IP you select, it will not work: »oleksiygayda.blogspot.co ··· rom.html

Only drawback: you will need to do the hostnames thing on every system that uses the 2WIRE (can't be done on a Wii, so you may not want to browse from that), but until 2WIRE gets off its butt and does something, this is a good way to break the exploit links included in any sites.

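The hosts-file part of the workaround described by muiredised and wiedzmin above (pinning "home" and "gateway.2wire.net" to 127.0.0.1 so forged links built on those names go nowhere) can be checked and applied with a script. This is an added example, not code from the thread or from 2Wire; the two hostnames come from the posts, and the sample hosts-file content is constructed.

```python
"""Check and apply the hosts-file workaround from the thread above.
Added example, not 2Wire's code: pin the gateway hostnames to loopback so a
forged link built around those names never reaches the router."""
from typing import Dict, List

# Hostnames the thread names as targets of the forged requests.
ROUTER_NAMES = ("home", "gateway.2wire.net")
LOOPBACK = "127.0.0.1"

# Constructed sample: a hosts file as a router setup tool might leave it.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
192.168.1.254   home gateway.2wire.net  # added by router setup
10.0.0.5    fileserver Home
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to its address. Like the OS resolver:
    comments and blank lines are skipped and the FIRST matching line wins."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping

def check_mitigation(text: str) -> List[str]:
    """Return the router names that do NOT resolve to loopback."""
    mapping = parse_hosts(text)
    return [n for n in ROUTER_NAMES if mapping.get(n) != LOOPBACK]

def apply_mitigation(text: str) -> str:
    """Return hosts text in which every router name resolves to loopback.
    Router names are first removed from existing entries (first match wins, so
    a stale 192.168.1.254 line would shadow the new one), then one loopback
    entry is appended. Applying it twice gives the same text."""
    kept: List[str] = []
    for raw in text.splitlines():
        body, sep, comment = raw.partition("#")
        fields = body.split()
        if len(fields) > 1:
            names = [n for n in fields[1:] if n.lower() not in ROUTER_NAMES]
            if not names:                # entry served only router names
                continue
            if len(names) != len(fields) - 1:
                raw = " ".join([fields[0]] + names) + (f" {sep}{comment}" if sep else "")
        kept.append(raw)
    kept.append(f"{LOOPBACK} {' '.join(ROUTER_NAMES)}  # 2Wire CSRF workaround")
    return "\n".join(kept) + "\n"
```

Run check_mitigation against the contents of your real hosts file to see whether the entries are in place; apply_mitigation returns the corrected text for you to write back.
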
no_fix_4me
@sbcglobal.net

no_fix_4me to yes_fix_4u

Anon

to yes_fix_4u

U-verse isn't the universe

Ok, I understand that on a 2Wire forum, some fanboys will come out in defense, but it's foolish to claim that everything's hunky-dory because a very small subset - U-verse and a select few others - have the hotfix.

Yes, I've checked the MDC. I don't have the hotfix, my mother doesn't have it, and the neighbors I've checked with don't have it. Therefore a reasonable conclusion is that a large number of AT&T users remain unpatched.

I'm happy for you U-verse customers who have the fix, but the reality is that U-verse is new and represents the minority of users.

jr9730
join:2000-11-22
Torrance, CA

jr9730

Member

What version gateway do you have? The fix has hit a majority of ATT users at this time?

no_fix_4me
@sbcglobal.net

no_fix_4me

Anon

See above - from me and others who haven't been updated.

jr9730
join:2000-11-22
Torrance, CA

jr9730

Member

All older gateways should be almost done now too, I think. Send me a message and don't be anon so we can communicate with you.

CookieMonster to evad123

Anon

to evad123

Re: DNS Hijack on 2wire routers?

Wasn't 4.25.19 on 1701HG a Qwest release, not AT&T? I don't think an ISP can be expected to fix a gateway that was flashed with some other software they didn't provide or support. But did you try calling them?

PuddinHed
@sbcglobal.net

PuddinHed

Anon

Nope, 4.25.19 is definitely an AT&T release (well, SBC until AT&T bought it). The firmware contains SBC branding and is pre-populated with AT&T's keycode and activation experience.

Call them, are you kidding? They just tell me to install their online anti-virus suite.

CookieMonster

Anon

Can't go by version alone for 2Wires. They have all sorts of weird customizations. 4.25.19 on an AT&T 1700 is not the same as 4.25.19 on an AT&T 2700, which is not the same as 4.25.19 on a Telus 2700. Different firmware may work, but I imagine there'd be quirky problems without the model/provider specific customizations. Some quick Google searches show AT&T's releases for the 1701HG were 3.17.5 or 4.25.35 and that 4.25.19 appears only to be a 2700 release for AT&T (but with lots of people saying they could flash other models with it). That might be the problem right there. AT&T's system is trying to send your gateway the 2700 fix and the gateway isn't taking it.

no_fix_4u, try flashing to the AT&T 1701HG 4.25.35 firmware, reregister with an AT&T keycode, and see if you can get the fix then?

jr9730
join:2000-11-22
Torrance, CA

jr9730 to CookieMonster

Member

to CookieMonster
4.25.19 is one of the supported releases in ATT as well as other ISPs. As long as the gateway is in the ATT umbrella via the keycode, then ATT fixes will include that gateway. Now other ISPs are doing fixes on their own, so if it is still a Qwest keycode then it will fall into the Qwest coverage.

jr9730

jr9730 to evad123

Member

to evad123
4.25.35 was not a formally approved release for ATT but was allowed for Homezone releases. They have a full Approval For Use method of testing and approving hardware and software, and basic core software can be used for various hardware platforms and ISP environments; it's the config that usually sets the difference (even though there can be specific releases that do address a certain ISP requirement built off the core version).