
Re: [Full-disclosure] 2Wire Broadband Router Session Hijacking Vulnerability



On Mon, 9 Aug 2010 23:12:29 +0800
YGN Ethical Hacker Group <lists@xxxxxxxx> wrote:

> ==============================================================================
> 2Wire Broadband Router Session Hijacking Vulnerability
> ==============================================================================
> 
> 
> 1. OVERVIEW
> 
> The 2Wire Broadband Router is vulnerable to a Session Hijacking flaw
> through which attackers can compromise the router administrator session.
> 
> 
> 2. PRODUCT DESCRIPTION
> 
> 2Wire routers, a product of 2Wire, are widely used broadband routers in
> SOHO environments.
> They are distributed through the most famous ISPs (see -
> http://2wire.com/?p=383) with ready-to-use pre-configured settings.
> Their wireless SSIDs are well known by their "2WIRE" prefix.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> The web-based management interface of the 2Wire Broadband router does not
> generate truly unique random session IDs for a logged-in
> administrator user.
> This allows attackers to brute-force guess a valid session ID to
> compromise the administrator session.
> For more information about this kind of weakness,
> refer to CWE-330: Use of Insufficiently Random Values and CWE-331:
> Insufficient Entropy.
> 
> 
> 4. VERSIONS AFFECTED
> 
> Tested against:
> Model: 2700HGV-2 Gateway
> Hardware Version: 2700-100657-005
> Software Version: 5.29.117.3
> 
> Other versions might be affected as well.
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg
> 
> 
> 6. IMPACT
> 
> Attackers can compromise 2wire administrator session through automated
> tools and modify any settings they want.
> 
> 
> 7. SOLUTION
> 
> There is no upgrade/patch currently available. 2wire support could not
> estimate when the upgrade will be available.
> Also, 2wire users must be aware of other unfixed vulnerabilities
> stated in the references section.
> 
> 
> 8. VENDOR
> 
> 2Wire Inc
> http://www.2wire.com
> About 2Wire - http://www.2wire.com/index.php?p=486
> 
> 
> 9. CREDIT
> 
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
> 
> 
> 10. DISCLOSURE TIME-LINE
> 
> 07-25-2010: vulnerability discovered
> 07-29-2010: notified vendor
> 08-02-2010: vendor responded/verified
> 08-09-2010: vendor did not respond when fix/upgrade would be available
> 08-09-2010: vulnerability disclosed
> 
> 
> 11. REFERENCES
> 
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability
> Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/
> Related WebGoat Lesson:
> http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/
> http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html
> http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800
> 
> 
> #yehg [08-09-2010]
> 
> 
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd

Does this issue have a CVE identifier assigned?

Best regards,
Henri Salo
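An added example, not part of the quoted advisory or of the reply above: a small Python check of the kind the CWE-330/CWE-331 weakness calls for, estimating per-character-position entropy over a sample of session IDs (the same style of analysis as the Burp/WebScarab captures linked in the advisory) and flagging counter-like sequences. The token samples are constructed here, and the `assess` function with its 0.8 threshold is an assumption of this example, not a figure from the advisory.

```python
import math
import secrets
from collections import Counter

SAMPLE = 256  # tokens per sample; more samples reduce the estimator's bias

# Constructed sample, not captured from any device: a weak generator that
# hands out an incrementing counter (step 7) as a zero-padded hex session ID.
WEAK_TOKENS = [f"{1000 + 7 * i:016x}" for i in range(SAMPLE)]
# Reference sample from a CSPRNG: 64 random bits per token.
STRONG_TOKENS = [secrets.token_hex(8) for _ in range(SAMPLE)]

def shannon_bits(symbols):
    """Shannon entropy (bits) of the symbol distribution in `symbols`."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())

def per_position_entropy(tokens):
    """Entropy of each character position across the sample (sequencer style)."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    return [shannon_bits([t[i] for t in tokens]) for i in range(length)]

def entropy_fraction(tokens, alphabet_size=16):
    """Estimated entropy as a fraction of the maximum the token format allows."""
    bits = sum(per_position_entropy(tokens))
    return bits / (len(tokens[0]) * math.log2(alphabet_size))

def looks_sequential(tokens, base=16):
    """True when consecutive tokens differ by a constant step (counter-derived IDs)."""
    values = [int(t, base) for t in tokens]
    return len({b - a for a, b in zip(values, values[1:])}) == 1

def assess(tokens, min_fraction=0.8):
    """Return (fraction, sequential, acceptable) for a sample of session IDs.

    min_fraction is an assumed acceptance threshold for this example."""
    frac = entropy_fraction(tokens)
    seq = looks_sequential(tokens)
    return frac, seq, (frac >= min_fraction and not seq)

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        frac, seq, ok = assess(sample)
        print(f"{name}: entropy {frac:.0%} of maximum, sequential={seq}, acceptable={ok}")
```

The weak sample scores well under a fifth of the format's possible entropy and is detected as a counter, which is the property a session ID must not have; the CSPRNG sample passes.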

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/