==============================================================================
2Wire Broadband Router Session Hijacking Vulnerability
==============================================================================

1. OVERVIEW

The 2Wire Broadband Router is vulnerable to a session hijacking flaw through which attackers can compromise the router administrator's session.

2. PRODUCT DESCRIPTION

2Wire routers, products of 2Wire, are widely used broadband routers in SOHO environments. They are distributed through most well-known ISPs (see http://2wire.com/?p=383) with ready-to-use, pre-configured settings. Their wireless SSIDs are easily recognised by the "2WIRE" prefix.

3. VULNERABILITY DESCRIPTION

The web-based management interface of the 2Wire Broadband Router does not generate truly unique, random session IDs for a logged-in administrator user. The tokens carry too little entropy, so an attacker who can reach the management interface can brute-force (guess) a valid session ID while an administrator is logged in and take over that session, without knowing the administrator's password.

For more information about this kind of weakness, refer to CWE-330: Use of Insufficiently Random Values and CWE-331: Insufficient Entropy.

4. VERSIONS AFFECTED

Tested against:

    Model:            2700HGV-2 Gateway
    Hardware Version: 2700-100657-005
    Software Version: 5.29.117.3

Other versions might be affected as well.

5. PROOF-OF-CONCEPT/EXPLOIT

Captured session tokens and the token analysis (WebScarab and Burp Sequencer):

http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg
http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg

6. IMPACT

Attackers can compromise the 2Wire administrator session with automated tools and then modify any router setting they want. The attack requires that an administrator session exists at the time of the guessing and that the attacker can reach the web management interface.

7. SOLUTION [from 2wire]

2wire has already investigated and provided a fix for this issue. These fixes have been implemented in the 6.x series of software and are available to our partners. Since 2wire does not provide software releases to end-users, it is up to the partner ISP to adopt new versions and provide them to their customers.

8. VENDOR

2Wire Inc
http://www.2wire.com
About 2Wire - http://www.2wire.com/index.php?p=486

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

07-25-2010: vulnerability discovered
07-29-2010: notified vendor
08-02-2010: vendor responded/verified
08-09-2010: vendor had not said when a fix/upgrade would be available
08-09-2010: vulnerability disclosed
08-21-2010: vendor released fix

11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability

Other unfixed 2Wire Vulnerabilities:
http://www.hakim.ws/

2Wire Routers WorldWide:
http://www.shodanhq.com/?q=2Wire

Related WebGoat Lesson:
http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/

Related:
http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html

Related:
http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800

#yehg [08-09-2010]
updated: 2010-10-24
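The session analysis referred to in sections 3 and 5 was done with WebScarab and Burp Sequencer; the following is an added example, not part of the original advisory or of 2Wire's code, of the same screening done by hand. It takes a set of captured session tokens, estimates the per-position Shannon entropy, checks whether the tokens are simply a counter, and predicts the next token an attacker would try. The WEAK_TOKENS sample is a constructed, hypothetical counter-style format chosen to illustrate the weakness; it is not the real 2Wire token layout. STRONG_TOKENS is a constructed CSPRNG reference for comparison.

```python
import math
import secrets
from collections import Counter

# Constructed sample: 50 tokens that simply count up by 3. This is a hypothetical
# weak-token format used to illustrate the analysis, NOT the real 2Wire layout.
WEAK_TOKENS = [str(5000100 + 3 * i) for i in range(50)]

# Constructed reference sample: 200 tokens from a CSPRNG (128 bits each).
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(200)]


def position_entropy(tokens):
    """Shannon entropy, in bits, of the symbols seen at each character position.

    Tokens are compared only up to the shortest token's length.
    """
    width = min(len(t) for t in tokens)
    per_position = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        n = sum(counts.values())
        h = -sum((c / n) * math.log2(c / n) for c in counts.values())
        per_position.append(h)
    return per_position


def total_entropy_bits(tokens):
    """Sum of the per-position entropies.

    This is a quick screening number, not a rigorous estimate: it ignores
    correlations between positions (so it can overstate entropy) and is capped
    by the sample size (so it understates entropy for genuinely random tokens).
    It is enough to separate a counter from a CSPRNG, which is all this check needs.
    """
    return sum(position_entropy(tokens))


def detect_fixed_step(tokens):
    """If every token is a decimal integer and consecutive tokens differ by the
    same amount, return that step; otherwise return None."""
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return None
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) != 1:
        return None
    return steps.pop()


def predict_next(tokens):
    """For a fixed-step counter, predict the token the next login will receive,
    i.e. the first value an attacker would try. Returns None if no step is found."""
    step = detect_fixed_step(tokens)
    if step is None:
        return None
    width = len(tokens[-1])
    return str(int(tokens[-1]) + step).zfill(width)


def expected_guesses(entropy_bits):
    """Average number of guesses needed to hit one valid token of the given entropy."""
    return 2 ** (entropy_bits - 1)


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        bits = total_entropy_bits(sample)
        print(f"{name}: ~{bits:.1f} bits, step={detect_fixed_step(sample)}, "
              f"next={predict_next(sample)}, expected guesses ~ {expected_guesses(bits):.3g}")
```

On the constructed counter sample the per-position entropy collapses to a handful of bits and the next token is predictable outright; a CSPRNG sample of the same size scores above 100 bits and has no detectable step. Feed the function the tokens captured with the proxy of your choice (one per line) to reproduce the check against a real target; a result in the single-digit or low double-digit bit range is the condition CWE-331 describes.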