|
=========================================2Wire Broadband Router Session Hijacking Vulnerability ========================================= 1. OVERVIEW The 2Wire Broadband Router is vulnerable to Session Hijacking flaw which attackers can compromise the router administrator session. 2. PRODUCT DESCRIPTION 2Wire routers, product of 2Wire, are widely-used Broadband routers in SOHO environment. They are distributed through most famous ISPs (see - http://2wire.com/?p=383) with ready-to-use pre-configured settings. Their Wireless SSIDs are well-known as "2WIRE" prefix. 3. VULNERABILITY DESCRIPTION The web-based management interface of 2Wire Broadband router does not generate truely unique random session IDs for a logged-in administrator user. This allows attackers to brute-force guess a valid session ID to compromise the administrator session. For more information about this kind of weekness, refer to CWE-330: Use of Insufficiently Random Values and CWE-331: Insufficient Entropy. 4. VERSIONS AFFECTED Tested against: Model: 2700HGV-2 Gateway Hardware Version: 2700-100657-005 Software Version: 5.29.117.3 Other versions might be affected as well. 5. PROOF-OF-CONCEPT/EXPLOIT http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg 6. IMPACT Attackers can compromise 2wire administrator session through automated tools and modify any settings they want. 7. SOLUTION There is no upgrade/patch currently available. 2wire support could not estimate when the upgrade is available. Also, 2wire users must be aware of other unfixed vulnerabilities stated in references section. 8. VENDOR 2Wire Inc http://www.2wire.com About 2Wire - http://www.2wire.com/index.php?p=486 9. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 10. DISCLOSURE TIME-LINE 07-25-2010: vulnerability discovered 07-29-2010: notified vendor 08-02-2010: vendor responded/verified 08-09-2010: vendor did not respond when fix/upgrade would be available 08-09-2010: vulnerability disclosed 11. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/ Related WebGoat Lesson: http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/ http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800 #yehg [08-09-2010]