CVE ID hasn't been assigned yet.

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
On Tue, Aug 10, 2010 at 2:23 AM, Henri Salo <he...@nerv.fi> wrote:
> On Mon, 9 Aug 2010 23:12:29 +0800
> YGN Ethical Hacker Group <li...@yehg.net> wrote:
>
>> ==============================================================================
>> 2Wire Broadband Router Session Hijacking Vulnerability
>> ==============================================================================
>>
>>
>> 1. OVERVIEW
>>
>> The 2Wire Broadband Router is vulnerable to a Session Hijacking flaw
>> through which attackers can compromise the router administrator session.
>>
>>
>> 2. PRODUCT DESCRIPTION
>>
>> 2Wire routers, products of 2Wire, are widely used broadband routers in
>> SOHO environments.
>> They are distributed through most famous ISPs (see -
>> http://2wire.com/?p=383) with ready-to-use pre-configured settings.
>> Their wireless SSIDs are well known by their "2WIRE" prefix.
>>
>>
>> 3. VULNERABILITY DESCRIPTION
>>
>> The web-based management interface of the 2Wire Broadband router does not
>> generate truly unique random session IDs for a logged-in
>> administrator user.
>> This allows attackers to brute-force guess a valid session ID to
>> compromise the administrator session.
>> For more information about this kind of weakness,
>> refer to CWE-330: Use of Insufficiently Random Values and CWE-331:
>> Insufficient Entropy.
>>
>>
>> 4. VERSIONS AFFECTED
>>
>> Tested against:
>> Model: 2700HGV-2 Gateway
>> Hardware Version: 2700-100657-005
>> Software Version: 5.29.117.3
>>
>> Other versions might be affected as well.
>>
>>
>> 5. PROOF-OF-CONCEPT/EXPLOIT
>>
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg
>> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg
>>
>>
>> 6. IMPACT
>>
>> Attackers can compromise the 2Wire administrator session through automated
>> tools and modify any settings they want.
>>
>>
>> 7. SOLUTION
>>
>> There is no upgrade/patch currently available. 2Wire support could not
>> estimate when the upgrade would be available.
>> Also, 2Wire users must be aware of other unfixed vulnerabilities
>> stated in the references section.
>>
>>
>> 8. VENDOR
>>
>> 2Wire Inc
>> http://www.2wire.com
>> About 2Wire - http://www.2wire.com/index.php?p=486
>>
>>
>> 9. CREDIT
>>
>> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
>> Ethical Hacker Group, Myanmar.
>>
>>
>> 10. DISCLOSURE TIME-LINE
>>
>> 07-25-2010: vulnerability discovered
>> 07-29-2010: notified vendor
>> 08-02-2010: vendor responded/verified
>> 08-09-2010: vendor did not respond when fix/upgrade would be available
>> 08-09-2010: vulnerability disclosed
>>
>>
>> 11. REFERENCES
>>
>> Original Advisory URL:
>> http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability
>> Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/
>> Related WebGoat Lesson:
>> http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/
>> http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html
>> http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800
>>
>>
>> #yehg [08-09-2010]
>>
>>
>> ---------------------------------
>> Best regards,
>> YGN Ethical Hacker Group
>> Yangon, Myanmar
>> http://yehg.net
>> Our Lab | http://yehg.net/lab
>> Our Directory | http://yehg.net/hwd
>
> Does this issue have a CVE identifier assigned?
>
> Best regards,
> Henri Salo
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
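The advisory's claim (section 3, CWE-330/CWE-331) is that the captured session IDs carry too little entropy to resist guessing, which the authors checked with Burp Sequencer and WebScarab. The script below is an added example, not code from the advisory, from YGN or from 2Wire: it shows the same analysis done by hand on a sample of tokens. Both token sets are constructed for the example (a counter-style ID that only changes in its low byte, and a CSPRNG-backed ID from Python's `secrets`); they are not the real 2Wire tokens, and the 64-bit threshold in `verdict` is this example's choice, following the OWASP Session Management guidance of at least 64 bits of entropy.

```python
"""Session-ID randomness check: added example, not code from the advisory.

Given a sample of session identifiers captured from a login flow, estimate
how much of the token actually varies and whether the variation follows a
fixed numeric step. Token formats below are constructed for the example.
"""
import math
import secrets
from collections import Counter

# Constructed: a counter-style ID that only changes in its low byte, step 4.
WEAK_TOKENS = [f"{0x1A2B3C00 + 4 * i:08x}" for i in range(50)]
# Constructed: what a CSPRNG-backed ID looks like (128 bits from os.urandom).
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(50)]


def shannon_bits(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def per_position_bits(tokens):
    """Entropy of each character position across the sample (positions treated
    as independent, so the sum is an upper bound on the token's entropy)."""
    width = min(len(t) for t in tokens)
    return [shannon_bits([t[i] for t in tokens]) for i in range(width)]


def varying_positions(tokens):
    """Character positions that change at all across the sample."""
    return [i for i, h in enumerate(per_position_bits(tokens)) if h > 0]


def estimated_bits(tokens):
    """Upper bound on token entropy: sum of per-position entropies."""
    return sum(per_position_bits(tokens))


def numeric_stride(tokens):
    """If every consecutive pair of tokens (read as hex integers) differs by
    the same amount, return that step; otherwise None. A constant step means
    the ID is a counter, so a live session can be guessed from one observed
    value without any brute force at all."""
    try:
        nums = [int(t, 16) for t in tokens]
    except ValueError:
        return None
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return diffs.pop() if len(diffs) == 1 else None


def predict_next(tokens, n):
    """Extrapolate the next n IDs from a counter-style sample, [] if no stride."""
    step = numeric_stride(tokens)
    if step is None:
        return []
    width = len(tokens[-1])
    last = int(tokens[-1], 16)
    return [f"{last + k * step:0{width}x}" for k in range(1, n + 1)]


def verdict(tokens, min_bits=64):
    """True if the sample looks guessable: a detectable stride, or an entropy
    estimate below min_bits (64 here; an assumption of this example)."""
    return numeric_stride(tokens) is not None or estimated_bits(tokens) < min_bits


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(f"{name}: varying positions={varying_positions(sample)} "
              f"est. bits={estimated_bits(sample):.1f} "
              f"stride={numeric_stride(sample)} guessable={verdict(sample)}")
    print("next weak IDs:", predict_next(WEAK_TOKENS, 3))
```

To use this against a real target, replace `WEAK_TOKENS` with the session cookies collected by repeatedly logging in (one token per login, in capture order; the stride check depends on that ordering). A few dozen samples are enough to expose a counter; a low `estimated_bits` on a larger sample is the weaker signal and is what tools like Burp Sequencer refine with further statistical tests.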