AT&T, 2Wire Ignoring Active Security Exploit [Updated] 134
An anonymous reader writes "2Wire manufactures DSL modems and routers for AT&T and other major carriers. Their devices suffer from a DNS redirection vulnerability that can be used as part of a variety of attacks, including phishing, identity theft, and denial of service. This exploit was publicly reported more than eight months ago and applies to nearly all 2Wire firmware revisions. The exploit itself is trivial to implement, requiring the attacker only to embed a specially crafted URL into a Web site or email. User interaction is not required, as the URL may be embedded as an image that loads automatically with the requested content. The 2Wire exploit bypasses any password set on the modem/router and is being actively exploited in the wild. AT&T has been deploying 2Wire DSL modems and router/gateways for years, so there exists a large vulnerable installed base. So far, AT&T/2Wire haven't done anything about this exploit." Update: 04/09 17:48 GMT by KD : AT&T spokesman Seth Bloom sends word that AT&T has not been ignoring the problem. According to Bloom: "The majority of our customers did not have gateways affected by this vulnerability. For those that did, as soon as we became aware of the issue, we expeditiously implemented a permanent solution to close the vulnerability. In fact, we've already updated the majority of affected 2Wire gateways, and we're nearing completion of the process. We've received no reports of any significant threats targeting our customers."
Re:Sasktel customers (Score:5, Informative)
Re:Funny Post (Score:5, Informative)
Re:Sasktel customers (Score:5, Informative)
Exploit doesn't seem to work on my 2700HG-B (Score:5, Informative)
Re:Exploit doesn't seem to work on my 2700HG-B (Score:1, Informative)
Perhaps the hacker could change the password, then follow it up with a DNS entry.
from the DSL reports forums (Score:5, Informative)
Here is a short summary:
First, change the IP scheme that the 2wire is using for your home network. Specifically, change the IP address of the 2wire router itself. This will prevent attacks against 192.168.1.254.
Next you have to prevent attacks against the domains "home" and "gateway.2wire.net". You can do this a couple of ways. You can modify your hosts file and point those domains to 127.0.0.1... or you can hardcode the dns settings into your computer so that your computer is not using the 2wire to resolve domain names.
Of course the bottom line is 2wire needs to plug this hole. When will that happen? Who knows.
Re:Exploit doesn't seem to work on my 2700HG-B (Score:5, Informative)
Try logging in to your router, open a new tab, and click on that link again and see if it works.
Re:2Wire routers also very weak on WEP (Score:3, Informative)
Re:Exploit doesn't seem to work on my 2700HG-B (Score:3, Informative)
(replying to myself...)
Ok, I see the problem now: although just about every setup page imaginable on the router uses a session cookie to make sure you have logged in, the "set initial router password" page does not, and does not care if an initial password has already been set (stupid!).
So the 'sploit is to first invoke the "set initial router password" page. It doesn't matter what it sets it to, because completing that page logs you in, and so your browser gets the session cookie and now all the other pages work. Such as the one that adds www.example.com to DNS.
Nice. Fortunately my home system doesn't use the 2wire DNS at all.
Re:Large install base (Score:5, Informative)
You're closer to the truth than you know. They use 64 bit (i.e. 8 byte) WEP by default, which is really 40 bit (i.e. 5 byte) WEP since three of those bytes are the IV and broadcast in the clear. However, 2WIRE has an awful policy of printing the WEP key on the side of the modem in hex format and not using the digits A through F.
So the default key, written in hex, is a "decimal" number somewhere between 0,000,000,000 and 9,999,999,999. That's only 10 billion possibilities, or about 33.2 bits of entropy. Your computer can crack through that in a day or two with only three or four captured packets.
When I discovered this (and, of course, got stonewalled by 2WIRE), I wrote a patch for aircrack (now aircrack-ng) that programs it to search only the binary coded decimal keyspace. I named this option -t in honor of "Two Wire" for their terrible security.