SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   2Wire Gateway Vendors:   2Wire, Inc.
2Wire Gateway Can Be Crashed By Remote Users Via a Specially Crafted XLST Request
SecurityTracker Alert ID:  1023116
SecurityTracker URL:  http://securitytracker.com/id/1023116
CVE Reference:   CVE-2009-3962   (Links to External Site)
Updated:  Nov 19 2009
Original Entry Date:  Oct 30 2009
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Version 5.29.52 and prior; Models 1700HG, 1701HG, 1800HW, 2071, 2700HG, 2701HG-T
Description:   A vulnerability was reported in 2Wire Gateway. A remote user can cause denial of service conditions.

A remote user can submit a specially crafted HTTP request to the remote management interface to cause the target device to reboot.

A demonstration exploit request is provided:

https://[target]:50001/xslt?page=%0d%0a

The vendor was notified on September 9, 2009.

hkm reported this vulnerability.

Impact:   A remote user can cause the target device to reboot.
Solution:   The vendor has reportedly issued a fix.
Vendor URL:  www.2wire.com/ (Links to External Site)
Cause:   State error

Message History:   None.


 Source Message Contents

Subject:  2wire Remote Denial of Service


           ========================================
               2WIRE REMOTE DENIAL OF SERVICE
         ========================================


Device:      2wire Gateway Router/Modem
Vulnerable Software:   =< 5.29.52
Vulnerable Models:   1700HG
         1701HG
         1800HW
         2071
         2700HG
         2701HG-T
Release Date:    2009-10-29
Last Update:    2009-09
Critical:    Moderately critical
Impact:    Denial of service
      Remote router reboot
Where:      From remote
      In the remote management interface
Solution Status:   Vendor issued firmware patches
         Providers are in charge of applying the patches
WebVuln Advisory:   1-003


  BACKGROUND
=======================

The remote management interface of some 2wire modems is enabled by
default.
This interface runs over SSL on port 50001 with an untrusted issuer
certificate.

++Español
Algunos módems 2wire tienen la interfaz remota habilitada por default.
La interfaz utiliza SSL con un certificado invalido en el puerto 50001.


   DESCRIPTION
=======================

Some 2wire modems are vulnerable to a remote denial of service attack.
By requesting a special url from the Remote Management interface, an
unathenticated
user can remotely reboot the complete device.

++
Algunos módems 2wire son vulnerables a un ataque de denegación de
servicio.
Un usuario no autenticado puede reiniciar el dispositivo enviando una
petición a
la interfaz de Administración remota.


  EXPLOIT / POC
=======================

 https://<remoteIP>:50001/xslt?page=%0d%0a


  WORKAROUND
=======================

Disable Remote Management in Firewall -> Advanced Settings.

++
Deshabilitar Administración remota en Cortafuegos -> Configuración
avanzada


   DISCLOSURE TIMELINE
=======================

2009/09/06 - Vulnerability discovered
2009/09/08 - Vendor contacted


                  =======================

                           h k m
                        hkm@hakim.ws
                    http://www.hakim.ws

                  http://www.webvuln.com/

                  =======================
Greets:
preth00nker, DromoroK, mr.ebola, Javier, d0ct0r_4rz0v1zp0, ch@vez, fito,
HL, Xianur0, Pr@fEs0r X, Daemon, us3r.


  REFERENCES
=======================

Preth00nker's exploit (LAN) - http://www.milw0rm.com/exploits/2246
2Wire Gateways CRLF DoS (from local network) -
http://secunia.com/advisories/21583
Hakim.Ws - http://www.hakim.ws
WebVuln - http://www.webvuln.com



2009-09 - WebVuln - http://www.webvuln.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC