cross-site scripting vulnerability in 2Wire routers

Started by Gary, Jan 26, 2008, 08:23:26

Gary

Not sure if this has been posted (have been ill), but there is a report of a cross-site scripting issue with some 2Wire routers. Secunia lists it as well; having a password set does not now mitigate the issue. Since so many people use the 2Wire, I thought I would post about this. More information can be found here.
Damned, if you do damned if you don't

Rik

Interesting, thanks, Gary. :)

I'll move this to the 2700 board.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Sorry I should have posted it there, still not feeling great :(
Damned, if you do damned if you don't

Gary

Been hit by a bug, Rik, and not holding my morphine down, so it's been bad in many ways :(
Damned, if you do damned if you don't

Simon

There's a lot of it about, Gary. My lad has had something all week that started in his bowels, worked its way to his throat, and now it's turned into a stinking cold. :(

Meanwhile, I just picked up this snippet from the link:

Quote:
Vulnerable Routers: 1701HG, 2071 Gateway
Software: v3.17.5, 5.29.51 Password Not Set (default)

Can it be safely assumed, therefore, that setting a password, as most sensible people would do anyway, cures the vulnerability?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Sorry to hear that, Simon; hope he feels better soon. The info on the Symantec site now says that setting a password may not actually help:

"In its original incarnation the drive-by pharming attack required the attacker to correctly guess the administrative password on the victim's router. Since most people never change this password or, for that matter, even know of its existence, this measure poses little or no impediment for the attacker. So, simply changing the default password to one that is difficult to guess would have sufficed in protecting you. In the case of these routers that's not true. It turns out that on this particular router the attacker does not even need to try guessing the password!" On Secunia it also says other 2Wire routers may be vulnerable, sadly.

The Symantec blog is here.
Damned, if you do damned if you don't

Rik

No. It's definitely time to pack up our broadband connections and go back to using carrier pigeons. ;)

The serious issue with this, of course, is that the 2700 has no official support channel.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Sending carrier pigeons as we speak, Rik; think the cats will get them though ;D The 2700 issue is a problem; maybe a patch will come out for it via 2Wire themselves to install. Until then, for safety, I have gone back to my DG834G. Maybe a little overly paranoid, but I have turned off UPnP and am using that till I see what happens next :( I can sacrifice a little speed for my safety for the time being. But saying that, the vulnerability first came to light last August, it seems, so maybe now they will patch it as it's in the wild; companies just don't like patching these days and seem to hope issues will go away.
Damned, if you do damned if you don't

Sebby

Thanks for the information, Gary.

Am I missing something, or does this not actually apply to the 2700?

Gary

The information supplied by Secunia states this, Sebby: "The vulnerability is reported in 1701HG version 3.17.5 and 2071 Gateway version 5.29.51. Other versions may also be affected", so it is possible the 2700 is included; see the Secunia link here.
Damned, if you do damned if you don't

Ted

Hi Gary
Hope you're feeling better mate  :pat:

Secunia say it may affect other 2Wires, but do offer a solution.
Ted
There's no place like 127.0.0.1

Gary

Yes, but now if you read above, Symantec seem to be saying using a password is not sufficient, Ted :-\ There seems to be a drive-by or link that can do it, from what I understand. The problem was the issue was posted last year and since then it's been honed somewhat; people were getting their router hacked and then were being redirected to a false banking site in Mexico recently.
Damned, if you do damned if you don't

Rik

So if I find myself on a Mexican banking site, I should really worry. ;)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

:laugh: The point is that the exploit is now in the wild, Rik, and can be used by anyone, not just in Mexico. You can be redirected to any site that could possibly steal information or have a payload of nasties to download to your PC, sadly. It's a bit like the UPnP exploit but easier if you know how, so avoid buying burritos.
Damned, if you do damned if you don't

Ted

With any luck they'll get into my account, take pity on me and leave a few quid. :hehe:
Ted
There's no place like 127.0.0.1

Gary

Quote from: Rik on Jan 26, 2008, 13:37:26
;D

Si!
ZDNet UK also said avoid buying enchiladas as well, Rik :D But seriously, just be careful, as I imagine the exploit will now be used by anyone against a 2Wire if they can manage it; it's an easy way to get your valuables, señor >:D
Damned, if you do damned if you don't

Gary

Quote from: xild on Jan 26, 2008, 13:37:03
With any luck they'll get into my account, take pity on me and leave a few quid. :hehe:
The Robin Hood of the cyber world, eh... if only ::)
Damned, if you do damned if you don't

Rik

Quote from: Killhippie on Jan 26, 2008, 13:42:11
it's an easy way to get your valuables, señor >:D

I protect them with a sporran. ;)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Allitnil

I just got a 2700 yesterday, maybe I should have waited....  :-\

Anyway, I can confirm that the sample exploits given at http://www.securityfocus.com/archive/1/archive/1/476595/100/0/threaded do work with the 2700. Or at least they do with mine (dual SSID, 5.29.107.19 firmware).

I can't speak for any other exploits, but with these:
- if you have no system password set then you are vulnerable
- if you have a system password set then you are still vulnerable if you are currently logged into the router
- if you have a system password set and are not currently logged into the router then you are safe, inasmuch as it asks for the system password (I don't know if this can be got around or not)

My advice would be:
- close down your browser after making any changes to the router. This seems to flush the session and log you out
- if you are paranoid then check your DNS settings to make sure they haven't been compromised before doing online banking or similar. The only trouble is that it looks like you have to log into the router to check these. And if you are really paranoid then you won't want to do that ;)

Here is a safe example to check the exploit:
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1
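From a defender's angle, the URL above is a plain GET that changes a router setting with no anti-CSRF token, which is why a cross-site page can trigger it while a session is live. As an added example (not from this thread, Allitnil or 2Wire), here is a small Python check that scans a constructed access log and flags `xslt?PAGE=..._SET` requests to the gateway, separating ones with an off-LAN or missing Referer from ones submitted from the router's own pages; the log format and `192.168.1.254` as the gateway address are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample log, one request per line: "<client> <method> <url> <referer>".
# "-" means no Referer header was sent. The URLs reuse the pattern quoted above.
SAMPLE_LOG = """\
192.168.1.10 GET http://192.168.1.254/xslt?PAGE=J38&THISPAGE=J38 -
192.168.1.10 GET http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1 http://evil.example/page.html
192.168.1.10 GET http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1 http://192.168.1.254/xslt?PAGE=J38
192.168.1.11 GET http://example.com/index.html -
"""

# Assumed gateway address (the one used in the thread); adjust for your LAN.
ROUTER_HOSTS = {"192.168.1.254"}


def parse_line(line):
    client, method, url, referer = line.split()
    return {"client": client, "method": method, "url": url, "referer": referer}


def classify(entry):
    """Return a finding for a state-changing request to the gateway, else None."""
    u = urlparse(entry["url"])
    if u.hostname not in ROUTER_HOSTS or u.path != "/xslt":
        return None
    q = parse_qs(u.query)
    page = q.get("PAGE", [""])[0]
    if not page.endswith("_SET"):
        return None  # a read-only page view, not a settings change
    # J38_SET carries a hostname-to-address mapping; record what it would set.
    if page == "J38_SET":
        target = f"{q.get('NAME', ['?'])[0]} -> {q.get('ADDR', ['?'])[0]}"
    else:
        target = page
    ref_host = None if entry["referer"] == "-" else urlparse(entry["referer"]).hostname
    if ref_host not in ROUTER_HOSTS:
        # Missing Referer is treated as suspicious too: browsers drop it in some
        # cases, so absence must not be taken as proof the request was local.
        return (f"CROSS-SITE {entry['method']} to {page} from {entry['client']} "
                f"(referer={entry['referer']}): {target}")
    return f"local {page} change from {entry['client']}: {target}"


def scan(log_text):
    """Run classify() over every non-empty log line and keep the findings."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return [f for f in (classify(parse_line(l)) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A Referer check is a heuristic, not a fix: the real mitigation is a router that requires a POST with a per-session token for settings changes, and, as Allitnil notes, closing the browser so no session is left to ride.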


Gary

Thanks for the info on that; have a karma ;D and welcome. I believe an email was doing the rounds with the code in it to change the above settings as well, Allitnil.
Damned, if you do damned if you don't

Gary

Quote from: Rik on Jan 26, 2008, 14:04:36
That and keeping your oats in.  ;D
:eek4: Too much info, Rik ;) My router would have been vulnerable as it was the same version as Allitnil's; think I'll stay with my old DG till I see a patch, maybe :-\
Damned, if you do damned if you don't

Ted

Quote from: Rik on Jan 26, 2008, 14:04:08
Nice post, thanks - I'm safe, it seems.  :karmic:

Seems I'm OK too. Upgraded my password just in case ;D
Ted
There's no place like 127.0.0.1

Sebby

Quote from: Killhippie on Jan 26, 2008, 13:07:09
The information supplied by Secunia states this, Sebby: "The vulnerability is reported in 1701HG version 3.17.5 and 2071 Gateway version 5.29.51. Other versions may also be affected", so it is possible the 2700 is included; see the Secunia link here.

Thanks, Gary. :)

Mine seems okay, and I'm not too concerned about it at the moment.

Ted

I see that my settings are to obtain DNS settings automatically.
Would it be best to set them manually in order to see any changes that have occurred?
I believe they are:
212.69.36.3  Primary
212.69.40.3  Secondary

Yes?
Ted
There's no place like 127.0.0.1

Sebby

I don't think it would make much difference. If you logged in and they'd been changed to manual, you'd know something had changed.

Ted

Thanks, Rik. Sebby, I think I'll leave it at auto; then if it's changed to manual I'll know for certain it's not me ;D
Ted
There's no place like 127.0.0.1

EvilPC

Probably a silly question..

Quote:
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1
But surely that would only work on the LAN side of the router..

If you changed that to your external WAN IP address and have remote management turned off, then this won't work?? ???

Also, if you had "http forwarding" turned on in the firewall, then this request would be passed to your local web server, so won't cause any issue? Maybe a quick fix would be to forward "port 80" to an invalid IP address..

If I'm talking rubbish please feel free to say ::)

EvilPC

I'm answering my own post..

I suppose a script could try to run that locally.. then they would get in.. :P

jupiter

Quote from: Allitnil on Jan 26, 2008, 13:52:26
Here is a safe example to check the exploit
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1

I'm being thick here I suspect, but when I follow that link and get the password page of my 2701 dual ssid, if I enter an invalid password I do not get through to router setup pages, whereas if I enter the valid password, then I do.

So does that mean the router is or is not vulnerable?

Adam

Quote from: jupiter on Jan 28, 2008, 15:32:37
I'm being thick here I suspect, but when I follow that link and get the password page of my 2701 dual ssid, if I enter an invalid password I do not get through to router setup pages, whereas if I enter the valid password, then I do.

So does that mean the router is or is not vulnerable?

While I haven't been keeping up with this thread I believe the vulnerability requires you to already be logged into the router, or have no password set. An example would be a site linking to that URL as you were logged into the router, or using an existing session with the router. AFAIK, if you aren't logged in to the router and close your browser/clear sessions after being logged into the router, you should be safe.
Adam

Sebby

Indeed, Adam; that's the way I see it. It may be a vulnerability but I don't think it's much of an issue for most of us.

Gary

You don't have to be logged in, Adam. If you have a vulnerable router, the password will not protect you, from reports out; using JavaScript malware, the router can be got at from inside your network, and it can now access the router without the page being open. I'm sure BT will kick out a patch for their dual SSID firmware 5 routers, as it's not good business for them to provide equipment that is vulnerable ;)
Damned, if you do damned if you don't