cross-site scripting vulnerability in 2Wire routers

Started by Gary, Jan 26, 2008, 08:23:26

Previous topic - Next topic

0 Members and 4 Guests are viewing this topic.

Gary

Not sure if this has been posted (have been ill) but there is a report of a cross cripting issue with some 2wire routers Secunia lists it as well, having a password set does not now mitigate the issue, since so many people use the 2Wire I thought I would post about this. More information can be found here
Damned, if you do damned if you don't

Rik

Interesting, thanks, Gary. :)

I'll move this to the 2700 board.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Sorry I should have posted it there, still not feeling great :(
Damned, if you do damned if you don't

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Been hit by a bug Rik and not holding my Morphine down so its been bad in many ways :(
Damned, if you do damned if you don't

Simon

There's a lot of it about, Gary.  My lad has had something all week that started in his bowels, worked it's way to his throat, and now it's turned into a stinking cold.  :(

Meanwhile, I just picked up this snippet from the link:

QuoteVulnerable Routers: 1701HG, 2071 Gateway
Software: v3.17.5, 5.29.51 Password Not Set (default)

Can it be safely assumed, therefore, that setting a password, as most sensible people would do anyway, cures the vulnerability?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Sorry to here that Simon hope he feels better soon, the info on the Symantec site now says that setting a password may not actually help

  "In its original incarnation the drive-by pharming attack required the attacker to correctly guess the administrative password on the victim’s router. Since most people never change this password or, for that matter, even know of its existence, this measure poses little or no impediment for the attacker. So, simply changing the default password to one that is difficult to guess would have sufficed in protecting you. In the case of these routers that’s not true. It turns out that on this particular router the attacker does not even need to try guessing the password!" On Secunia it also says other 2wire routers may be vulnerable sadly

The symantec blog is here
Damned, if you do damned if you don't

Simon

Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Rik

No. It's definitely time to pack up our broadband connections and go back to using carrier pigeons. ;)

The serious issue with this, of course, is that the 2700 has no official support channel.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Sending carrier pigeons as we speak Rik, think the cats will get them though  ;D The 2700 issue is a problem, maybe a patch will come out for it via 2wire themselves to install, untill then for safety I have gone back to my DG834G maybe a little overly paranoid but I have turned off upnp and am using that till I see what happens next :( I can sacrifice a little speed for my safety for the time being, but saying that the vulnerability first came to light last August it seems so maybe now they will patch it as its in the wild, companies just don't like patching these days and seem to hope issues will go away.
Damned, if you do damned if you don't

Sebby

Thanks for the information, Gary.

Am I missing something, or does this not actually apply to the 2700?

Gary

The information suppied by secunia states Sebby this "The vulnerability is reported in 1701HG version 3.17.5 and 2071 Gateway version 5.29.51. Other versions may also be affected" so it is possible the 2700 is included, see Secunia link  here
Damned, if you do damned if you don't

Ted

Hi Gary
Hope you're feeling better mate  :pat:

Secunia say it may affect other 2wires but do offer a solution.
Ted
There's no place like 127.0.0.1

Gary

#13
Yes but Now if you read above Symantec seem to be saying using a password is not sufficient Ted :-\ there seems to be a drive by or link that can do it from what I understand, the problem was the issue was posted last year and since then its been honed somewhat, people were getting their router hacked and then were being redirected to a false banking site in Mexico recently.
Damned, if you do damned if you don't

Rik

So if I find myself on a Mexican banking site, I should really worry. ;)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

#15
 :laugh: the point is that the exploit is now in the wild Rik and can be used by anyone, not just in Mexico you can be redirected to anysite that could possibly steal information or have a payload of nasties to download to your pc sadly, its a bit like the upnp exploit but easier if you know how, so avoid buying buritos
Damned, if you do damned if you don't

Ted

With any luck they'll get into my account, take pity on me and leave a few quid. :hehe:
Ted
There's no place like 127.0.0.1

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Rik on Jan 26, 2008, 13:37:26
;D

Si!
ZDnet UK also said avoid buying Enchiladas as well Rik :D but seriously just be careful as the exploit will be used by anyone against a 2Wire if they can manage it I imagine now, its an easy way to get your valuables senior >:D
Damned, if you do damned if you don't

Gary

Quote from: xild on Jan 26, 2008, 13:37:03
With any luck they'll get into my account, take pity on me and leave a few quid. :hehe:
The Robin Hood of the cyber world hey....if only ::)
Damned, if you do damned if you don't

Rik

Quote from: Killhippie on Jan 26, 2008, 13:42:11
its an easy way to get your valuables senior >:D

I protect them with a sporran. ;)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Allitnil

I just got a 2700 yesterday, maybe I should have waited....  :-\

Anyway, I can confirm that the sample exploits given at http://www.securityfocus.com/archive/1/archive/1/476595/100/0/threaded do work with the 2700. Or at least they do with mine (dual SSID, 5.29.107.19 firmware).

I can't speak for any other exploits but with these:
- if you have no system password set then you are vulnerable
- if you have a system password set then you are still vulnerable if you are currently logged into the router
- if you have a system password set and are not currently logged into the router then you are safe in as much that it asks for the system password (I don't know if this can be got around or not)

My advice would be:
- close down your browser after making any changes to the router. This seems to flush the session and logs you out
- if you are paranoid then check your DNS settings to make sure they haven't been compromised before doing online banking or similar. Only trouble is that it looks like you have to log into the router to check these. And if you are really paranoid then you won't want to do that  ;)

Here is a safe example to check the exploit
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1


Gary

#22
Thanks for the info on that, have a Karma  ;D and welcome I believe an email was doing the rounds with the code in it to change the above settings as well Allitnil
Damned, if you do damned if you don't

Gary

Damned, if you do damned if you don't

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.