2Wire Broadband Router Session Hijacking Vulnerability

2010-08-12T00:00:00
ID SECURITYVULNS:DOC:24481
Type securityvulns
Reporter Securityvulns
Modified 2010-08-12T00:00:00

Description

==========================================
2Wire Broadband Router Session Hijacking Vulnerability
==========================================

  1. OVERVIEW

The 2Wire Broadband Router is vulnerable to a session hijacking flaw through which attackers can compromise the router administrator session.

  2. PRODUCT DESCRIPTION

2Wire routers, a product of 2Wire, are widely used broadband routers in SOHO environments. They are distributed through the most well-known ISPs (see http://2wire.com/?p=383) with ready-to-use, pre-configured settings. Their wireless SSIDs are well known for the "2WIRE" prefix.

  3. VULNERABILITY DESCRIPTION

The web-based management interface of the 2Wire Broadband router does not generate truly unique random session IDs for a logged-in administrator user. This allows attackers to guess a valid session ID by brute force and compromise the administrator session. For more information about this kind of weakness, refer to CWE-330: Use of Insufficiently Random Values and CWE-331: Insufficient Entropy.
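
The weakness described above can be measured on a sample of issued session IDs. The following is an added example, not part of the original advisory: it scores a constructed weak token sample against IDs drawn from the OS CSPRNG. The token layout, the `4c633d00` prefix and the 64-bit threshold are assumptions, not the router's actual format.

```python
import math
import random
import secrets
from collections import Counter

MIN_BITS = 64  # assumed threshold, following OWASP session management guidance


def position_entropy_bits(tokens):
    """Sum of per-position Shannon entropy over equal-length tokens.

    This is an upper bound on the real entropy (it ignores correlation
    between positions), so a low score proves weakness while a high score
    does not prove strength.
    """
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must all have the same length")
    n, total = len(tokens), 0.0
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def assess(tokens, min_bits=MIN_BITS):
    """Flag a sample as weak on low estimated entropy or any repeated ID."""
    bits = position_entropy_bits(tokens)
    dupes = len(tokens) - len(set(tokens))
    return {"bits": round(bits, 1), "duplicates": dupes,
            "weak": bits < min_bits or dupes > 0}


def constructed_weak_tokens(n=2000, seed=1):
    """Constructed sample: fixed prefix plus a 12-bit random suffix."""
    rng = random.Random(seed)
    return [f"4c633d00{'0' * 21}{rng.randrange(4096):03x}" for _ in range(n)]


def hardened_tokens(n=2000):
    """128-bit IDs from the OS CSPRNG, the server-side fix for CWE-330/331."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    print("weak:    ", assess(constructed_weak_tokens()))
    print("hardened:", assess(hardened_tokens()))
```
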

  4. VERSIONS AFFECTED

Tested against:
Model: 2700HGV-2 Gateway
Hardware Version: 2700-100657-005
Software Version: 5.29.117.3

Other versions might be affected as well.

  5. PROOF-OF-CONCEPT/EXPLOIT

http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg

  6. IMPACT

Attackers can compromise the 2Wire administrator session through automated tools and modify any settings they want.

  7. SOLUTION

No upgrade or patch is currently available, and 2Wire support could not estimate when one will be. 2Wire users must also be aware of the other unfixed vulnerabilities listed in the references section.

  8. VENDOR

2Wire Inc
http://www.2wire.com
About 2Wire - http://www.2wire.com/index.php?p=486

  9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

  10. DISCLOSURE TIME-LINE

07-25-2010: vulnerability discovered
07-29-2010: notified vendor
08-02-2010: vendor responded/verified
08-09-2010: vendor did not respond when fix/upgrade would be available
08-09-2010: vulnerability disclosed

  11. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability
Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/
Related WebGoat Lesson: http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/
http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html
http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800

yehg [08-09-2010]