The 2Wire Broadband Router is vulnerable to Session Hijacking flaw
which attackers can compromise the router administrator session.
2Wire routers, product of 2Wire, are widely-used Broadband routers in
SOHO environment.
They are distributed through most famous ISPs (see -
http://2wire.com/?p=383) with ready-to-use pre-configured settings.
Their Wireless SSIDs are well-known as "2WIRE" prefix.
The web-based management interface of 2Wire Broadband router does not
generate truely unique random session IDs for a logged-in
administrator user.
This allows attackers to brute-force guess a valid session ID to
compromise the administrator session.
For more information about this kind of weekness,
refer to CWE-330: Use of Insufficiently Random Values and CWE-331:
Insufficient Entropy.
Tested against:
Model: 2700HGV-2 Gateway
Hardware Version: 2700-100657-005
Software Version: 5.29.117.3
Other versions might be affected as well.
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg
Attackers can compromise 2wire administrator session through automated
tools and modify any settings they want.
There is no upgrade/patch currently available. 2wire support could not
estimate when the upgrade is available.
Also, 2wire users must be aware of other unfixed vulnerabilities
stated in references section.
2Wire Inc
http://www.2wire.com
About 2Wire - http://www.2wire.com/index.php?p=486
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
07-25-2010: vulnerability discovered
07-29-2010: notified vendor
08-02-2010: vendor responded/verified
08-09-2010: vendor did not respond when fix/upgrade would be available
08-09-2010: vulnerability disclosed
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability
Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/
Related WebGoat Lesson:
http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/
http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html
http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800
#yehg [08-09-2010]