Oligarchy
join:2008-02-12
San Diego, CA
1 edit | 2Wire Cross Site Request Forgery Vulnerability
This is cross-posted in the Security, but I wanted to ensure it was seen here.
This vulnerability allows any attacker to modify configuration of the 2Wire router (all models tested against have worked, 1000SW, 1701, 1801, 2700, 2701, 3700, 3800) and all software versions but 3.5.X.X.
»www.securityfocus.com/bid/27516/
The exploit tab isn't completely correct, because the URL shown has an invalid domain. Correct domains that work and the the most common are: gateway.2wire.net, home, and 192.168.1.254. Of course, you can change the IP to any RFC 1918 address, but I wouldn't expect too many users to have done that. Regardless, unless they change the DNS mapping of HOME and gateway.2wire.net, then they are vulnerable to a non-directed attack. The main point of the URL is to show that any attacker could change the password, and authenticate, with one command. The page that is vulnerable is the H04_POST page that is run through the xslt parser. It doesn't validate authentication before setting the password. A very simple check of requiring the old password would have worked great here.
How does this make you vulnerable?
The simplest method (and the currently seen method) is to include the URI in a IMG tag set to height 1 and width 1
The possibilities are endless with this. It could be put into a picture and posted in a thread here, on MySpace, Facebook, etc., or it could be put into an email targeted at specific ISPs that use 2Wire (BT, AT&T, Telmex, Qwest, or any other 2Wire customer I am not aware of)
»www.securityfocus.com/bid/27246
These may look the same, but there are differences. The core of the attack is the password change. You can't make any of the changes following (I.E., adding DNS entries) unless you have authenticated. The authentication attack in this is only valid for a certain period of time and you have to be lured while still using the same browser that authenticated. The other URIs are good examples of what's being used currently to include pharming attacks.
How to protect against it?
The attacks that have been see attempt three domains:
»gateway.2wire.net/
»home/
»192.168.1.254
The simplest way is to create a host file and map 127.0.0.1 to home and 2wire.gateway.net.
Windows example: »www.mvps.org/winhelp2002/hosts.htm
If you have the default IP of 192.168.1.254, then it would be best to change this a random value that is a RFC 1918 address (10.X.X.X, 192.168.X.X, or 172.16.X.X - 172.31.X.X)
This protects against the base of the attack, you can protect against some of the pharming attacks by not using your RG as the DNS resolver. Just view the addresses that the RG uses to resolve, and plug those into your IP settings. Ensure you clear your DNS cache using ipconfig /flushdns, if you're using windows |
|
ydrol
join:2007-06-28
4 edits | On the bright side, would this be a way for people to access the MDC page, where the MDC password is super secret?
Update: I just tried this on by 2700HGV with BT 5.29.107.19 firmware , and it said an unknown error has occurred. But I might not be doing it right. I just went straight to the H04_POST and it asked me to choose a password and hint. I pressed next and got an unknown error has occurred then it took me back to the page.
Update: My mistake. The password was changed!! The Irony is the BT firmware runs without a password anyway so it was always open to abuse.
This is a good thing for all those locked mdc password 
but a bad thing really |
|
scsa20
join:2007-12-04
Phoenix, AZ | reply to Oligarchy
Tested the password thing on my 1000HG running SBC firmware 4.25.19. It caused it to restart it but still changed the password. |
|
plk
bo may sleep in loft
Premium
join:2002-04-20
Ogden, IA
1 edit | reply to Oligarchy
Well, it reset my password, and the instructions on 2wire's web site do not work to restore it. Any suggestions?
2700HG-D Gateway
• Software: 4.25.19-QT01
»support.2wire.com/cgi-bin/twowir···opview=1
--
Thermaltake 2000a/Asus P4C-e/p4 3.4/ocz3500 2x512/WD.2x200g/raptor2x74 raid 0/ATI 9600/APC sua 1500/Logitech z-680/ Samsung 213t LCD/MX 1000 |
|
scsa20
join:2007-12-04
Phoenix, AZ
| Does it ask you for the 10 digit system key (which is the wireless WEP encryption code) or is it giving you a 20 digit number? If it's giving you a 20 digit number you'll have to call them.
What you can do, though, is if you go to that site and run the link with a password you do want to use, it should work again. If you don't want to do that, then the other way is by pressing and holding the reset button for 30 seconds to factory reset the modem. |
|
Wake2
join:2005-04-30 | reply to plk
plk try admin as the password. |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs:
 ·Bresnan Online
| reply to Oligarchy
I have done this on my 2wire 3800HGV-B with firmware version 5.29.105.76 and it works. There is more that can be done than just changing the password and maybe adding a DNS redirect in the resolve page. I have been able to figure out the URL commands using the POST and SET pages to control almost every setting of the RG.
Great tips on how to secure yourself though, but still, the general population isn't going to want to or really know how to do that. |
|
Oligarchy
join:2008-02-12
San Diego, CA
| said by "kookid1563" :
I have done this on my 2wire 3800HGV-B with firmware version 5.29.105.76 and it works. There is more that can be done than just changing the password and maybe adding a DNS redirect in the resolve page. I have been able to figure out the URL commands using the POST and SET pages to control almost every setting of the RG.
agreed. you can change the wireless settings (SSID, change to WEP OR WPA or unsecured, or jsut change the passphrase for each) , change firewall settings, disable interfaces, reboot, etc. There's many hidden pages that you can't find through the interface if you just go up sequentially through the A, H, J, etcetera pages. |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs:
·Bresnan Online
| reply to Oligarchy
I just thought that I would update this. AT&T has released a new firmware upgrade for the 3800 series 2wire RG that their U-verse service uses. It requires that a password always be set, and that the current password be known/entered to change it. They have also completely removed the DNS resolve page from the MDC. They released a UI hotfix not too long ago that made the H04 page unable to change the password, but this new firmware upgrade has deleted the UI hotfix as it has not only fixed what I mentioned above, but it has also removed the H04 password change page completely. |
|
jandar
join:2006-01-16
Middleburg, FL | reply to Oligarchy
2Wire 2701HG-B
Software: 5.29.109.11
With a system password set, none of those exploits work. It always prompts me to enter my current pass.
Simple enough fix. |
|
sasparilla
join:2008-04-09
Round Lake, IL
| said by jandar  :2Wire 2701HG-B Software: 5.29.109.11 With a system password set, none of those exploits work. It always prompts me to enter my current pass. Simple enough fix. This sounds nice but 2Wire/AT&T must be rolling it out slowly - its apparantly only available to some people so far.
If I go to "View Available System Upgrades" on my AT&T/2Wire 2701HG-B, which has never been updated since it came from AT&T, it shows none available....Software version is 5.29.109.5. :-(
So, while a fix is supposedly out there, its apparantly not out there for everyone yet.  |
|
left_out
@sbcglobal.net
| said by sasparilla :This sounds nice but 2Wire/AT&T must be rolling it out slowly - its apparantly only available to some people so far. AT&T claims they've already rolled it out to the majority of its customers. »tech.slashdot.org/tech/08/04/08/···14.shtml
None of this helps us poor HomePortal 1xxx users, since we can't use 5.xx firmwares. No update for us, it seems. My 1701HG remains very hackable. »AT&T claims this is fixed??? |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs:
·Bresnan Online
1 edit | reply to sasparilla
Note that the fix may not be in the form of a firmware upgrade. AT&T first fixed this issue on the 3800 series with a UI Hotfix that got applied. The firmware upgrade included the hotfix in it's code so the hotfix was no longer needed.
It might take awhile, but at least they are trying. |
|
sasparilla
join:2008-04-09
Round Lake, IL
1 edit | reply to jandar
said by jandar :2Wire 2701HG-B Software: 5.29.109.11 With a system password set, none of those exploits work. It always prompts me to enter my current pass. Hey Jandar, as an interested owner of another 2701GH-B that is susceptible to the exploits (got the 2701 from AT&T this week, v5.29.109.5), how did you get the updated firware?
As my 2701 is telling me no updates available when checking for firmware updates. And AT&T support site and 2Wire website do not have updates listed either.
Scott |
|
trainerman
join:2005-06-30
Columbia, MO
| reply to Oligarchy
Windows Xp
2700HGB Firmware 4.19.25
As a non-expert here, would running Open DNS make a difference in any of this? If not, could somone please explain to me and the lay people how to map home and gateway.2wire.net/ sites to the host file and to change the 192.168.1.254 to something else?
It would be greatly appreciated.
Thanks for your time! |
|
bjparker
join:2004-09-13
England
| reply to Oligarchy
said by Oligarchy :...If you have the default IP of 192.168.1.254, then it would be best to change this a random value that is a RFC 1918 address (10.X.X.X, 192.168.X.X, or 172.16.X.X - 172.31.X.X) I don't think this works: there seems to be a numerical address that could be used that always points to the router.
I'm no expert, but I got curious about an address an application was using and found it points to the 2-wire 2700 I have despite taking all the measures above.
Maybe I'm too cautious, but I don't think I'll post the number in public.
If this carries on unfixed I'm going to ditch this router. |
|
bjparker
join:2004-09-13
England
| [BQUOTE=bjparkerI don't think this works: there seems to be a numerical address that could be used that always points to the router.
[/BQUOTE
Update: phew, I can't use this numerical address for http even though ping works.
A little knowledge is certainly a dangerous thing! |
|
koolkid1563
Premium,MVM
join:2005-11-06
Powell, WY
clubs:
·Bresnan Online
1 edit | Be sure that you are changing the actual address of the 2wire and not just trying to go to it. On mine, that is on this page (using the default IP anyways): »192.168.1.254/xslt?PAGE=C06
Just out of curiosity, which program is it that you were referring to? |
|
bjparker
join:2004-09-13
England
| said by koolkid1563 :Be sure that you are changing the actual address of the 2wire and not just trying to go to it. On mine, that is on this page (using the default IP anyways): » 192.168.1.254/xslt?PAGE=C06Just out of curiosity, which program is it that you were referring to? Yes, I have changed it and checked with ipconfig.
No, I'm not going to post the number in public, or even in private unless someone proves to me thay are a network security professional. Sorry!
I still don't fully understand the implications of what I've discovered. |
|
NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
 ·Vonage
 ·AT&T Southeast
 ·Cingular Wireless
·AT&T CallVantage
| Are you sure that the mystery application is not simply using the hostname gateway.2wire.net instead of a hard coded IP address? If you are using the 2wire router for DNS resolution, that hostname will always resolve to the current IP address for the router.
Of course since you refuse to provide any details, any answer will simply be a wild guess.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall. |
|
