no_fix_4U
@sbcglobal.net
| reply to evad123
AT&T claims this is fixed???
So this story shows up on slashdot »tech.slashdot.org/tech/08/04/08/···14.shtml
and AT&T responds by claiming they've already fixed this problem for most all their users. But my 1701HG has 4.25.19 and it's still easily hijacked. It seems some of the 5.xx firmwares are fixed, but that doesn't work on older homeportals.
This exploit still works on my box:
First URL sets my password without asking for confirmation. Second URL hijacks www.example.com to 127.0.0.1
So is AT&T just feeding us a line? |
|
ctceo
Premium
join:2001-04-26
South Bend, IN
clubs:
 ·magicjack.com
 ·AT&T U-Verse
 ·Comcast
 ·AT&T Midwest
 ·HughesNet Satellit..
3 edits | I'm running in the BETA pool 4.25.19 on a 1000HG
Exploit 1 brings up the "Page not Found" screen.
Exploit 2 brings up the "Enter the Password" Screen.
If your passwords were set to "admin", you'd definitely have a problem on your hands, and as for the first one if you have no password set, You might have an issue as this SETS your password to whatever the attacker wants. He's then free to run exploit #2 assuming that the host site used is ready for the embed.
I recommend that everyone who uses a vulnerable 2Wire SET A SYSTEM PASSWORD other than "admin". I use 5 letters & 5 Numbers caps & lowercase, no spaces or characters is ok. |
|
sasparilla
join:2008-04-09
Round Lake, IL
| reply to no_fix_4U
said by no_fix_4U :
So is AT&T just feeding us a line?
It definately makes me wonder if this just wasn't spin control on AT&T's part. Suposedly, 2Wire's/AT&T's fixes have been out in the wild for my 2701 for several days, but checking for a firmware update shows no updates available.
The v5.29.109.5 software on my AT&T 2701 (that I got this last week) is fully exploitable (just verified that the exploits work on it). (Supposedly another user's v5.29.109.11 is the fixed version)
Seems like spin control to me, at this point. |
|
no_fix_4U
@sbcglobal.net
| reply to ctceo
said by ctceo  :I'm running in the BETA pool 4.25.19 on a 1000HG Exploit 1 brings up the "Page not Found" screen. Exploit 2 brings up the "Enter the Password" Screen. If your passwords were set to "admin", you'd definitely have a problem on your hands So it sounds like there's a fixed beta 4.25.19 out there, or perhaps you have the UI hotfix that was mentioned. How did you get your beta version? My 4.25.19 is still vulnerable:
For me, the exploit works regardless of the password I have set. I've always had a strong password (8 characters, with numbers/punctuation), but the first exploit resets the password to "admin".
Apparently AT&T has not deployed the hotfix to me. Wish I could get updated - my 1701HG always tells me I have the latest version. |
|
ctceo
Premium
join:2001-04-26
South Bend, IN
clubs:
·magicjack.com
·AT&T U-Verse
·Comcast
·AT&T Midwest
·HughesNet Satellit..
| I've been on several hundred BETA lists in the last 15 years, Games, Hardware, Software, MMO's, and I actually have to turn down some that I otherwise would love to participate in. As for the 2Wire, I was chosen based on a questionaire that I got when I subscribed for at&t DSL back in early 2000. Since then I've had the pleasure of being part of the test groups. For a couple models and about 2 or 3 firmwares, Including the latest 4.25.19 .
They've been hush hush about the vulnerability, so I'm sure based on that and my experience with other earlier problems that the hardware had, they're working on it. Due to that pretty pink sheet of paper that I have labeled Non-Disclosure Agreement blah blah, blah blah; in BOLD and UNDERLINE, I cannot comment any further. |
|
yes_fix_4u
@sbcglobal.net
| reply to no_fix_4U
It's a hotfix, not a firmware change. I have U-verse and they first pushed out a hotfix then they updated the firmware fixing some other things. look at your MDC page: »home/mdc at the bottom of the System Settings page and look for hotfix or uihotfix. My brother has normal adsl and he has the patch and I believe it says hotfix. Oh, he has a 2701(?) and the firmware didn't change, just a component was added.
»New Firmware for 3800 Series |
|
no_fix_4me
@sbcglobal.net
| U-verse isn't the universe
Ok, I understand that on a 2Wire forum, some fanboys will come out in defense, but it's foolish to claim that everything's hunky-dory because a very small subset - U-verse and a select few others - have the hotfix.
Yes, I've checked the MDC. I don't have the hotfix, my mother doesn't have it, and the neighbors I've checked with don't have it. Therefore a reasonable conclusion is that a large number of AT&T users remain unpatched.
I'm happy for you U-verse customers who have the fix, but the reality is that U-verse is new and represents the minority of users. |
|
jr9730
join:2000-11-22
Torrance, CA | What version gateway do you have? The fix has hit a majority of ATT users at this time? |
|
no_fix_4me
@sbcglobal.net | See above - from me and others who haven't been updated. |
|
jr9730
join:2000-11-22
Torrance, CA | All older gateways should be almost done now too I think - send me a message and dont be anon so we can commuicate with you.. |
|
