AT&T, 2Wire Ignoring Active Security Exploit [Updated]

An anonymous reader writes "2Wire manufactures DSL modems and routers for AT&T and other major carriers. Their devices suffer from a DNS redirection vulnerability that can be used as part of a variety of attacks, including phishing, identity theft, and denial of service. This exploit was publicly reported more than eight months ago and applies to nearly all 2Wire firmware revisions. The exploit itself is trivial to implement, requiring the attacker only to embed a specially crafted URL into a Web site or email. User interaction is not required, as the URL may be embedded as an image that loads automatically with the requested content. The 2Wire exploit bypasses any password set on the modem/router and is being actively exploited in the wild. AT&T has been deploying 2Wire DSL modems and router/gateways for years, so there exists a large vulnerable installed base. So far, AT&T/2Wire haven't done anything about this exploit." Update: 04/09 17:48 GMT by KD : AT&T spokesman Seth Bloom sends word that AT&T has not been ignoring the problem. According to Bloom: "The majority of our customers did not have gateways affected by this vulnerability. For those that did, as soon as we became aware of the issue, we expeditiously implemented a permanent solution to close the vulnerability. In fact, we've already updated the majority of affected 2Wire gateways, and we're nearing completion of the process. We've received no reports of any significant threats targeting our customers."

Re:Sasktel customers

[bcat24]

From TFA:

Vulnerable:
2Wire 2071 Gateway 5.29.51
2Wire 2071 Gateway 3.17.5
2Wire 2071 Gateway 3.7.1
2Wire 1800HW 5.29.51
2Wire 1800HW 3.17.5
2Wire 1800HW 3.7.1
2Wire 1701HG 5.29.51
2Wire 1701HG 3.17.5
2Wire 1701HG 3.7.1

Re:Funny Post

[bcat24]

That would be slightly funnier if the exploit actually involved SOCKS. In reality, it looks like a simple CSRF attack. (Is it just me, or are we seeing a lot more of those lately?)

Exploit doesn't seem to work on my 2700HG-B

I tried their example for adding example.com to DNS (here as not a live link; copy it paste it yourself at your own risk):

http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.example.com&ADDR=127.0.0.1

and all it did was leave me at the "enter system password" page. Yes, my router has a non-default system password. The system software release is 4.25.19.

Re:Exploit doesn't seem to work on my 2700HG-B

[skis]

This exploit is CSRF (Cross-site request forgery). This means that you have to have an active authenticated session to your router in your browser. When you click the link and your browser is already authenticated, it will send your session cookie along with the HTTP request, and the web server in your router will know you are already authenticated, and execute the command you gave it.

Try logging in to your router, open a new tab, and click on that link again and see if it works.

Re:Anybody have any ideas...

[trongey]

...how to walk my mom through changing her IP scheme and modify the hosts file? Do I have to go over there? Oh, come on. Don't be so lazy. It won't kill you to walk up the stairs and across the living room.

from the DSL reports forums

[Some_Llama]

You can implement a temporary fix yourself. The first post in the following thread describes how to protect yourself until 2wire fixes the issue 2Wire Cross Site Request Forgery Vulnerability .

Here is a short summary:

First, change the IP scheme that the 2wire is using for your home network. Specifically, change the IP address of the 2wire router itself. This will prevent attacks against 192.168.1.254.

Next you have to prevent attacks against the domains "home" and "gateway.2wire.net". You can do this a couple of ways. You can modify your hosts file and point those domains to 127.0.0.1... or you can hardcode the dns settings into your computer so that your computer is not using the 2wire to resolve domain names.

Of course the bottom line is 2wire needs to plug this hole. When will that happen? Who knows.