
Bugtraq mailing list archives

CVE-2011-3682: 2WIRE-SINGTEL 2701HGV-E/2700HGV-2/2700HG GATEWAY ROUTER MANAGEMENT AND DIAGNOSTIC CONSOLE VULNERABILITY
From: tan () szechuen com
Date: Mon, 31 Oct 2011 16:15:46 GMT

1.      BACKGROUND AND AFFECTED MODELS/FIRMWARE 

SingTel provides customized versions of 2Wire gateway routers to its Internet service subscribers for the purpose of 
accessing the web. 

Customized firmware at major version 5 (or below) contains a Management and Diagnostic Console (MDC) at 
http://192.168.1.254/mdc (when accessing from a device connected to the router) for SingTel engineers to perform setup 
and debugging procedures. 

While the vulnerability is known to be patched in major version 6 (and above) of the firmware, it is likely that a high 
number of SingTel Internet service customers are still on the outdated firmware as there is no firmware upgrade 
procedure available to these subscribers. 

2.      VULNERABILITY

The MDC has its default password set as “2wire”. As opposed to the user panel at http://192.168.1.254, this password 
cannot be changed. 

Although the site is only accessible through devices on the local subnet of the router, when combined with the lack of 
Cross-Site Request Forgery (CSRF) protection, the vulnerability allows attackers to alter the router’s settings for 
malicious purposes. 

3.      EXPLOIT

The exploit can be delivered through an HTML page served to the victim. The maliciously crafted page can then instruct 
the victim's browser to send a POST request that executes changes in the MDC, either via XMLHttpRequest or via a form 
populated and automatically submitted by JavaScript. 

For instance, in the proof-of-concept, which reboots the router when served to a client connected to a vulnerable 
router, a form is POSTed to http://192.168.1.254/xslt with the following parameters: 

PAGE = S01_POST, 
view = XML, 
THISPAGE = J21, 
NEXTPAGE = J21_REBOOT, 
PASSWORD = 2wire 
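The request above succeeds because the MDC decides on the fixed password alone and never asks which page submitted the form. The following is an added illustration, not 2Wire firmware or the author's proof of concept: it models the /xslt handler as a small Python function, shows that the advisory's five parameters are accepted from any origin, and then places the two checks the advisory says are missing in front of it (a per-session synchronizer token and an Origin/Referer check). The handler structure, the session store, the cookie and token field names, and the attacker.invalid origin are all assumptions constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

ROUTER_ORIGIN = "http://192.168.1.254"
MDC_PASSWORD = "2wire"          # fixed, unchangeable default named in the advisory
TOKEN_FIELD = "CSRF_TOKEN"      # assumed name for a hidden form field (not on the real device)

# The POST body from the advisory's proof of concept (the five parameters listed above).
REBOOT_FORM = {
    "PAGE": "S01_POST",
    "view": "XML",
    "THISPAGE": "J21",
    "NEXTPAGE": "J21_REBOOT",
    "PASSWORD": "2wire",
}

# Constructed headers: the form auto-submitted from a page on an attacker-controlled site.
CROSS_SITE_HEADERS = {"Origin": "http://attacker.invalid",
                      "Referer": "http://attacker.invalid/page.html"}
# Constructed headers: the same form submitted from the MDC's own page.
SAME_SITE_HEADERS = {"Origin": ROUTER_ORIGIN, "Referer": ROUTER_ORIGIN + "/mdc"}


def vulnerable_xslt_handler(form, headers):
    """Model of the unpatched handler: any POST carrying the fixed password is acted on,
    no matter which page submitted it. `headers` is never consulted; that is the defect."""
    if form.get("PASSWORD") != MDC_PASSWORD:
        return 403, "bad password"
    if form.get("NEXTPAGE") == "J21_REBOOT":
        return 200, "rebooting"
    return 200, "ok"


class CsrfGuard:
    """Per-session synchronizer tokens (assumed in-memory store, keyed by session id)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        """Returns the token to embed as a hidden field in every MDC form for this session."""
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def check(self, session_id, token):
        expected = self._tokens.get(session_id)
        if expected is None or token is None:
            return False
        return hmac.compare_digest(expected, token)   # constant-time compare


def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the router itself.
    Browsers send Origin on cross-site POSTs; a request with neither header is refused."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == ROUTER_ORIGIN


def hardened_xslt_handler(form, headers, cookies, guard):
    """The same handler with two independent CSRF defences placed before the password check."""
    if not same_origin(headers):
        return 403, "cross-site request refused"
    if not guard.check(cookies.get("session"), form.get(TOKEN_FIELD)):
        return 403, "missing or invalid CSRF token"
    # Original logic, now reachable only by a form the MDC itself rendered.
    return vulnerable_xslt_handler(form, headers)


def demo():
    """Runs the forged and the legitimate reboot request through both handlers."""
    guard = CsrfGuard()
    cookies = {"session": "sess-1"}          # the browser attaches this cookie to every request
    token = guard.issue(cookies["session"])

    forged = dict(REBOOT_FORM)               # attacker's page cannot read the token, so it has none
    legit = dict(REBOOT_FORM, **{TOKEN_FIELD: token})

    return {
        "vulnerable_forged": vulnerable_xslt_handler(forged, CROSS_SITE_HEADERS),
        "hardened_forged": hardened_xslt_handler(forged, CROSS_SITE_HEADERS, cookies, guard),
        # same-origin headers but no token: the token check does not depend on the Origin check
        "hardened_no_token": hardened_xslt_handler(forged, SAME_SITE_HEADERS, cookies, guard),
        "hardened_legit": hardened_xslt_handler(legit, SAME_SITE_HEADERS, cookies, guard),
    }


if __name__ == "__main__":
    for name, (status, msg) in demo().items():
        print(f"{name:20} {status} {msg}")
```

The two checks are deliberately independent: the Origin check stops a browser-delivered forgery even before the token is examined, and the token check covers clients that omit Origin and Referer entirely. Neither check depends on the password, which is what makes the fixed "2wire" credential irrelevant to the CSRF problem.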

4.      IMPACTS AND ADVISORY

A successful attack is unlikely to be noticed by the end user, since a CSRF attack produces no warning, especially 
when performed through XMLHttpRequest. A likely exploitation would involve altering the victim router's Domain Name 
System (DNS) records, enabling a Man-in-the-Middle (MITM) attack vector. This allows for severe Advanced Persistent 
Threats (APT) against the victim. 

Hence, SingTel and 2Wire are advised to push the updated firmware to their subscribers as soon as possible. 

While the issue is pending resolution, SingTel Internet service customers with firmware major version 5 (and below) are 
advised to: 

-       Avoid visiting any website that is not already trusted, especially web search results and links on social 
networking sites 
-       Pay increased attention to any anomalies in Internet service, such as a substantial increase in page-load 
durations 

5.      DISCLOSURE AND NOTES 

An attempt was made to contact SingTel about the vulnerability through SingCERT on 14 September 2011. While 
confirmation of the vulnerability has been received, no plan to fix it had been made known before the 31 October 2011 
deadline specified. 


TAN SZE CHUEN 
Security Researcher 
tan () szechuen com (PGP key available) 


Updates and Proof-of-Concept at http://blog.szechuen.com/cve-2011-3682 

