On Mon, 9 Aug 2010 23:12:29 +0800 YGN Ethical Hacker Group <[email protected]> wrote:
> ============================================================================== > 2Wire Broadband Router Session Hijacking Vulnerability > ============================================================================== > > > 1. OVERVIEW > > The 2Wire Broadband Router is vulnerable to Session Hijacking flaw > which attackers can compromise the router administrator session. > > > 2. PRODUCT DESCRIPTION > > 2Wire routers, product of 2Wire, are widely-used Broadband routers in > SOHO environment. > They are distributed through most famous ISPs (see - > http://2wire.com/?p=383) with ready-to-use pre-configured settings. > Their Wireless SSIDs are well-known as "2WIRE" prefix. > > > 3. VULNERABILITY DESCRIPTION > > The web-based management interface of 2Wire Broadband router does not > generate truely unique random session IDs for a logged-in > administrator user. > This allows attackers to brute-force guess a valid session ID to > compromise the administrator session. > For more information about this kind of weekness, > refer to CWE-330: Use of Insufficiently Random Values and CWE-331: > Insufficient Entropy. > > > 4. VERSIONS AFFECTED > > Tested against: > Model: 2700HGV-2 Gateway > Hardware Version: 2700-100657-005 > Software Version: 5.29.117.3 > > Other versions might be affected as well. > > > 5. PROOF-OF-CONCEPT/EXPLOIT > > http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab > http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp > http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg > http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg > http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg > http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg > > > 6. IMPACT > > Attackers can compromise 2wire administrator session through automated > tools and modify any settings they want. > > > 7. SOLUTION > > There is no upgrade/patch currently available. 2wire support could not > estimate when the upgrade is available. > Also, 2wire users must be aware of other unfixed vulnerabilities > stated in references section. > > > 8. VENDOR > > 2Wire Inc > http://www.2wire.com > About 2Wire - http://www.2wire.com/index.php?p=486 > > > 9. CREDIT > > This vulnerability was discovered by Aung Khant, http://yehg.net, YGN > Ethical Hacker Group, Myanmar. > > > 10. DISCLOSURE TIME-LINE > > 07-25-2010: vulnerability discovered > 07-29-2010: notified vendor > 08-02-2010: vendor responded/verified > 08-09-2010: vendor did not respond when fix/upgrade would be available > 08-09-2010: vulnerability disclosed > > > 11. REFERENCES > > Original Advisory URL: > http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability > Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/ > Related WebGoat Lesson: > http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/ > http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html > http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800 > > > #yehg [08-09-2010] > > > --------------------------------- > Best regards, > YGN Ethical Hacker Group > Yangon, Myanmar > http://yehg.net > Our Lab | http://yehg.net/lab > Our Directory | http://yehg.net/hwd Does this issue have CVE-identifier assigned? Best regards, Henri Salo _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
