========================================== 2Wire Broadband Router Session Hijacking Vulnerability ==========================================
The 2Wire Broadband Router is vulnerable to Session Hijacking flaw which attackers can compromise the router administrator session.
2Wire routers, product of 2Wire, are widely-used Broadband routers in SOHO environment. They are distributed through most famous ISPs (see - http://2wire.com/?p=383) with ready-to-use pre-configured settings. Their Wireless SSIDs are well-known as "2WIRE" prefix.
The web-based management interface of 2Wire Broadband router does not generate truely unique random session IDs for a logged-in administrator user. This allows attackers to brute-force guess a valid session ID to compromise the administrator session. For more information about this kind of weekness, refer to CWE-330: Use of Insufficiently Random Values and CWE-331: Insufficient Entropy.
Tested against: Model: 2700HGV-2 Gateway Hardware Version: 2700-100657-005 Software Version: 18.104.22.168
Other versions might be affected as well.
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg
Attackers can compromise 2wire administrator session through automated tools and modify any settings they want.
There is no upgrade/patch currently available. 2wire support could not estimate when the upgrade is available. Also, 2wire users must be aware of other unfixed vulnerabilities stated in references section.
2Wire Inc http://www.2wire.com About 2Wire - http://www.2wire.com/index.php?p=486
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
07-25-2010: vulnerability discovered 07-29-2010: notified vendor 08-02-2010: vendor responded/verified 08-09-2010: vendor did not respond when fix/upgrade would be available 08-09-2010: vulnerability disclosed
Original Advisory URL: http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/ Related WebGoat Lesson: http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/ http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800