lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 10 Aug 2010 10:49:36 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: Henri Salo <henri@...v.fi>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: 2Wire Broadband Router Session Hijacking
	Vulnerability

CVE ID hasn't been assigned yet.

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



On Tue, Aug 10, 2010 at 2:23 AM, Henri Salo <henri@...v.fi> wrote:
> On Mon, 9 Aug 2010 23:12:29 +0800
> YGN Ethical Hacker Group <lists@...g.net> wrote:
>
>> ==============================================================================
>> 2Wire Broadband Router Session Hijacking Vulnerability
>> ==============================================================================
>>
>>
>> 1. OVERVIEW
>>
>> The 2Wire Broadband Router is vulnerable to Session Hijacking flaw
>> which attackers can compromise the router administrator session.
>>
>>
>> 2. PRODUCT DESCRIPTION
>>
>> 2Wire routers, product of 2Wire, are widely-used Broadband routers in
>> SOHO environment.
>> They are distributed through most famous ISPs (see -
>> http://2wire.com/?p=383) with ready-to-use pre-configured settings.
>> Their Wireless SSIDs are well-known as "2WIRE" prefix.
>>
>>
>> 3. VULNERABILITY DESCRIPTION
>>
>> The web-based management interface of 2Wire Broadband router does not
>> generate truely unique random session IDs for a logged-in
>> administrator user.
>> This allows attackers to brute-force guess a valid session ID to
>> compromise the administrator session.
>> For more information about this kind of weekness,
>> refer to CWE-330: Use of Insufficiently Random Values and CWE-331:
>> Insufficient Entropy.
>>
>>
>> 4. VERSIONS AFFECTED
>>
>> Tested against:
>> Model: 2700HGV-2 Gateway
>> Hardware Version: 2700-100657-005
>> Software Version: 5.29.117.3
>>
>> Other versions might be affected as well.
>>
>>
>> 5. PROOF-OF-CONCEPT/EXPLOIT
>>
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg
>>
>>
>> 6. IMPACT
>>
>> Attackers can compromise 2wire administrator session through automated
>> tools and modify any settings they want.
>>
>>
>> 7. SOLUTION
>>
>> There is no upgrade/patch currently available. 2wire support could not
>> estimate when the upgrade is available.
>> Also, 2wire users must be aware of other unfixed vulnerabilities
>> stated in references section.
>>
>>
>> 8. VENDOR
>>
>> 2Wire Inc
>> http://www.2wire.com
>> About 2Wire - http://www.2wire.com/index.php?p=486
>>
>>
>> 9. CREDIT
>>
>> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
>> Ethical Hacker Group, Myanmar.
>>
>>
>> 10. DISCLOSURE TIME-LINE
>>
>> 07-25-2010: vulnerability discovered
>> 07-29-2010: notified vendor
>> 08-02-2010: vendor responded/verified
>> 08-09-2010: vendor did not respond when fix/upgrade would be available
>> 08-09-2010: vulnerability disclosed
>>
>>
>> 11. REFERENCES
>>
>> Original Advisory URL:
>> http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability
>> Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/
>> Related WebGoat Lesson:
>> http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/
>> http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html
>> http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800
>>
>>
>> #yehg [08-09-2010]
>>
>>
>> ---------------------------------
>> Best regards,
>> YGN Ethical Hacker Group
>> Yangon, Myanmar
>> http://yehg.net
>> Our Lab | http://yehg.net/lab
>> Our Directory | http://yehg.net/hwd
>
> Does this issue have CVE-identifier assigned?
>
> Best regards,
> Henri Salo
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists