CVE-2011-3682: 2WIRE-SINGTEL 2701HGV-E/2700HGV-2/2700HG GATEWAY ROUTER MANAGEMENT AND DIAGNOSTIC CONSOLE VULNERABILITY
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: CVE-2011-3682: 2WIRE-SINGTEL 2701HGV-E/2700HGV-2/2700HG GATEWAY ROUTER MANAGEMENT AND DIAGNOSTIC CONSOLE VULNERABILITY
- From: tan@xxxxxxxxxxxx
- Date: Mon, 31 Oct 2011 16:15:46 GMT
CVE-2011-3682: 2WIRE-SINGTEL 2701HGV-E/2700HGV-2/2700HG GATEWAY ROUTER
MANAGEMENT AND DIAGNOSTIC CONSOLE VULNERABILITY
1. BACKGROUND AND AFFECTED MODELS/FIRMWARE
SingTel provides customized versions of 2Wire gateway routers to its Internet
service subscribers for the purpose of accessing the web.
Customized firmware at major version 5 (or below) contains a Management and
Diagnostic Console (MDC) at http://192.168.1.254/mdc (when accessing from a
device connected to the router) for SingTel engineers to perform setup and
debugging procedures.
While the vulnerability is known to be patched in major version 6 (and above)
of the firmware, it is likely that a high number of SingTel Internet service
customers are still on the outdated firmware as there is no firmware upgrade
procedure available to these subscribers.
2. VULNERABILITY
The MDC has its default password set to "2wire". Unlike the password of the user
panel at http://192.168.1.254, this password cannot be changed.
Although the console is only reachable from devices on the router's local subnet,
the fixed password combined with the lack of Cross-Site Request Forgery (CSRF)
protection allows an attacker to alter the router's settings for malicious
purposes by way of the victim's own browser.
3. EXPLOIT
The exploit can be delivered through an HTML page served to the victim. The
maliciously crafted page then instructs the victim's browser to send a POST
request that executes changes in the MDC, either via XMLHttpRequest or via a
pre-populated form submitted automatically by JavaScript.
For instance, the proof-of-concept, which reboots the router when served to a
client connected to a vulnerable router, POSTs a form to
http://192.168.1.254/xslt with the following parameters:
PAGE = S01_POST,
view = XML,
THISPAGE = J21,
NEXTPAGE = J21_REBOOT,
PASSWORD = 2wire
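The following is an added example, not code from the advisory or from 2Wire/SingTel. It models the two authorization checks that sections 2 and 3 contrast: the console as described, which accepts any POST carrying the fixed password regardless of which site caused the browser to send it, and a hardened check that additionally requires a same-origin Origin/Referer header and a per-session synchronizer token. The request representation (plain dicts for headers and form fields), the `csrf_token` field name, and the `attacker.example` origin are assumptions for illustration; the form fields and password are the ones quoted above.

```python
# Added example (not part of the advisory): distinguishing a legitimate
# same-origin management POST from the cross-site POST the advisory describes.
# Request structure, header names and the token scheme are illustrative
# assumptions; the form fields and password are those quoted in the advisory.
import hmac
import secrets
from urllib.parse import urlparse

ROUTER_ORIGIN = "http://192.168.1.254"  # origin of the MDC, from the advisory
MDC_PASSWORD = "2wire"                   # fixed default password, from the advisory


def vulnerable_authorize(form):
    """Check modelled on the advisory: a POST is accepted whenever the PASSWORD
    field matches the unchangeable default, no matter which site triggered it."""
    return form.get("PASSWORD") == MDC_PASSWORD


def issue_csrf_token(session):
    """Synchronizer token: bind a random secret to the session and embed it in
    every management form the console renders."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def hardened_authorize(headers, form, session):
    """Accept a state-changing POST only if the browser's Origin (or, as a
    fallback, Referer) is the router's own origin AND the form carries the
    token previously issued to this session."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: refuse state changes
        p = urlparse(referer)
        origin = f"{p.scheme}://{p.netloc}"
    if origin != ROUTER_ORIGIN:
        return False      # cross-site request: rejected before the password check
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False      # missing or forged token
    return form.get("PASSWORD") == MDC_PASSWORD


# Constructed sample: the reboot POST quoted in the advisory, as a browser would
# send it when a page on an untrusted site (placeholder origin) auto-submits it.
CROSS_SITE_FORM = {"PAGE": "S01_POST", "view": "XML", "THISPAGE": "J21",
                   "NEXTPAGE": "J21_REBOOT", "PASSWORD": MDC_PASSWORD}
CROSS_SITE_HEADERS = {"Origin": "http://attacker.example"}


def demo():
    """Run both checks against the cross-site POST and a legitimate one."""
    session = {}
    token = issue_csrf_token(session)
    same_site_form = dict(CROSS_SITE_FORM, csrf_token=token)
    same_site_headers = {"Origin": ROUTER_ORIGIN}
    return {
        "vulnerable_accepts_cross_site": vulnerable_authorize(CROSS_SITE_FORM),
        "hardened_rejects_cross_site": not hardened_authorize(
            CROSS_SITE_HEADERS, CROSS_SITE_FORM, session),
        "hardened_rejects_missing_token": not hardened_authorize(
            same_site_headers, CROSS_SITE_FORM, session),
        "hardened_accepts_legitimate": hardened_authorize(
            same_site_headers, same_site_form, session),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The origin check alone would stop the advisory's scenario, since a page on another site cannot make the browser present the router's origin; the token is kept as well because older browsers did not send Origin on form posts and some strip Referer, so neither header is a reliable sole gate. Note that the hardened check rejects a request that carries no Origin and no Referer at all rather than letting it through.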
4. IMPACTS AND ADVISORY
A successful attack is unlikely to be noticed by the end user, since a CSRF
attack produces no warning, especially when performed through XMLHttpRequest.
A likely exploitation would involve altering the victim router's Domain Name
System (DNS) settings, enabling a Man-in-the-Middle (MITM) attack vector. This
allows for severe Advanced Persistent Threat (APT) activity against the victim.
Hence, SingTel and 2Wire are advised to push the updated firmware to their
subscribers as soon as possible.
While the issue is pending resolution, SingTel Internet service customers with
firmware major version 5 (and below) are advised to:
- Avoid visiting any website that is not previously trusted, especially
web search results and links on social networking sites
- Pay increased attention to any anomalies in Internet service, such as a
substantial increase in page-load durations
5. DISCLOSURE AND NOTES
An attempt was made to contact SingTel about the vulnerability through SingCERT
on 14 September 2011. While confirmation of the vulnerability was received, no
plan to fix it was made known before the 31 October 2011 deadline specified.
TAN SZE CHUEN
Security Researcher
tan@xxxxxxxxxxxx (PGP key available)
Updates and Proof-of-Concept at http://blog.szechuen.com/cve-2011-3682