dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
67

ctceo
Premium Member
join:2001-04-26
South Bend, IN

3 edits

ctceo to no_fix_4U

Premium Member

to no_fix_4U

Re: AT&T claims this is fixed???

I'm running in the BETA pool 4.25.19 on a 1000HG

Exploit 1 brings up the "Page not Found" screen.
Exploit 2 brings up the "Enter the Password" Screen.

If your passwords were set to "admin", you'd definitely have a problem on your hands, and as for the first one if you have no password set, You might have an issue as this SETS your password to whatever the attacker wants. He's then free to run exploit #2 assuming that the host site used is ready for the embed.

I recommend that everyone who uses a vulnerable 2Wire SET A SYSTEM PASSWORD other than "admin". I use 5 letters & 5 Numbers caps & lowercase, no spaces or characters is ok.

no_fix_4U
@sbcglobal.net

no_fix_4U

Anon

said by ctceo:

I'm running in the BETA pool 4.25.19 on a 1000HG

Exploit 1 brings up the "Page not Found" screen.
Exploit 2 brings up the "Enter the Password" Screen.

If your passwords were set to "admin", you'd definitely have a problem on your hands
So it sounds like there's a fixed beta 4.25.19 out there, or perhaps you have the UI hotfix that was mentioned. How did you get your beta version? My 4.25.19 is still vulnerable:

For me, the exploit works regardless of the password I have set. I've always had a strong password (8 characters, with numbers/punctuation), but the first exploit resets the password to "admin".

Apparently AT&T has not deployed the hotfix to me. Wish I could get updated - my 1701HG always tells me I have the latest version.

ctceo
Premium Member
join:2001-04-26
South Bend, IN

ctceo

Premium Member

I've been on several hundred BETA lists in the last 15 years, Games, Hardware, Software, MMO's, and I actually have to turn down some that I otherwise would love to participate in. As for the 2Wire, I was chosen based on a questionaire that I got when I subscribed for at&t DSL back in early 2000. Since then I've had the pleasure of being part of the test groups. For a couple models and about 2 or 3 firmwares, Including the latest 4.25.19 .

They've been hush hush about the vulnerability, so I'm sure based on that and my experience with other earlier problems that the hardware had, they're working on it. Due to that pretty pink sheet of paper that I have labeled Non-Disclosure Agreement blah blah, blah blah; in BOLD and UNDERLINE, I cannot comment any further.

yes_fix_4u
@sbcglobal.net

yes_fix_4u to no_fix_4U

Anon

to no_fix_4U
It's a hotfix, not a firmware change. I have U-verse and they first pushed out a hotfix then they updated the firmware fixing some other things. look at your MDC page: »home/mdc at the bottom of the System Settings page and look for hotfix or uihotfix. My brother has normal adsl and he has the patch and I believe it says hotfix. Oh, he has a 2701(?) and the firmware didn't change, just a component was added.

»New Firmware for 3800 Series

no_fix_4me
@sbcglobal.net

no_fix_4me

Anon

U-verse isn't the universe

Ok, I understand that on a 2Wire forum, some fanboys will come out in defense, but it's foolish to claim that everything's hunky-dory because a very small subset - U-verse and a select few others - have the hotfix.

Yes, I've checked the MDC. I don't have the hotfix, my mother doesn't have it, and the neighbors I've checked with don't have it. Therefore a reasonable conclusion is that a large number of AT&T users remain unpatched.

I'm happy for you U-verse customers who have the fix, but the reality is that U-verse is new and represents the minority of users.

jr9730
join:2000-11-22
Torrance, CA

jr9730

Member

What version gateway do you have? The fix has hit a majority of ATT users at this time?

no_fix_4me
@sbcglobal.net

no_fix_4me

Anon

See above - from me and others who haven't been updated.

jr9730
join:2000-11-22
Torrance, CA

jr9730

Member

All older gateways should be almost done now too I think - send me a message and dont be anon so we can commuicate with you..