lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 9 Aug 2010 21:23:21 +0300
From: Henri Salo <henri@...v.fi>
To: YGN Ethical Hacker Group <lists@...g.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: 2Wire Broadband Router Session Hijacking
 Vulnerability

On Mon, 9 Aug 2010 23:12:29 +0800
YGN Ethical Hacker Group <lists@...g.net> wrote:

> ==============================================================================
> 2Wire Broadband Router Session Hijacking Vulnerability
> ==============================================================================
> 
> 
> 1. OVERVIEW
> 
> The 2Wire Broadband Router is vulnerable to Session Hijacking flaw
> which attackers can compromise the router administrator session.
> 
> 
> 2. PRODUCT DESCRIPTION
> 
> 2Wire routers, product of 2Wire, are widely-used Broadband routers in
> SOHO environment.
> They are distributed through most famous ISPs (see -
> http://2wire.com/?p=383) with ready-to-use pre-configured settings.
> Their Wireless SSIDs are well-known as "2WIRE" prefix.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> The web-based management interface of 2Wire Broadband router does not
> generate truely unique random session IDs for a logged-in
> administrator user.
> This allows attackers to brute-force guess a valid session ID to
> compromise the administrator session.
> For more information about this kind of weekness,
> refer to CWE-330: Use of Insufficiently Random Values and CWE-331:
> Insufficient Entropy.
> 
> 
> 4. VERSIONS AFFECTED
> 
> Tested against:
> Model: 2700HGV-2 Gateway
> Hardware Version: 2700-100657-005
> Software Version: 5.29.117.3
> 
> Other versions might be affected as well.
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg
> 
> 
> 6. IMPACT
> 
> Attackers can compromise 2wire administrator session through automated
> tools and modify any settings they want.
> 
> 
> 7. SOLUTION
> 
> There is no upgrade/patch currently available. 2wire support could not
> estimate when the upgrade is available.
> Also, 2wire users must be aware of other unfixed vulnerabilities
> stated in references section.
> 
> 
> 8. VENDOR
> 
> 2Wire Inc
> http://www.2wire.com
> About 2Wire - http://www.2wire.com/index.php?p=486
> 
> 
> 9. CREDIT
> 
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
> 
> 
> 10. DISCLOSURE TIME-LINE
> 
> 07-25-2010: vulnerability discovered
> 07-29-2010: notified vendor
> 08-02-2010: vendor responded/verified
> 08-09-2010: vendor did not respond when fix/upgrade would be available
> 08-09-2010: vulnerability disclosed
> 
> 
> 11. REFERENCES
> 
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability
> Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/
> Related WebGoat Lesson:
> http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/
> http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html
> http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800
> 
> 
> #yehg [08-09-2010]
> 
> 
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd

Does this issue have CVE-identifier assigned?

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ