2wire Remote Denial of Service

2009-11-18 / 2009-11-19
Credit: Pedro Joaquin
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

========================================
2WIRE REMOTE DENIAL OF SERVICE
========================================

Device:              2wire Gateway Router/Modem
Vulnerable Software: =< 5.29.52
Vulnerable Models:   1700HG
                     1701HG
                     1800HW
                     2071
                     2700HG
                     2701HG-T
Release Date:        2009-10-29
Last Update:         2009-09
Critical:            Moderately critical
Impact:              Denial of service
                     Remote router reboot
Where:               From remote
                     In the remote management interface
Solution Status:     Vendor issued firmware patches
                     Providers are in charge of applying the patches
WebVuln Advisory:    1-003

BACKGROUND
=======================
The remote management interface of some 2wire modems is enabled by
default. This interface runs over SSL on port 50001 with an untrusted
issuer certificate.

DESCRIPTION
=======================
Some 2wire modems are vulnerable to a remote denial of service attack.
By requesting a special URL from the Remote Management interface, an
unauthenticated user can remotely reboot the complete device.

EXPLOIT / POC
=======================
https://<remoteIP>:50001/xslt?page=%0d%0a

WORKAROUND
=======================
Disable Remote Management in Firewall -> Advanced Settings.

DISCLOSURE TIMELINE
=======================
2009/09/06 - Vulnerability discovered
2009/09/08 - Vendor contacted

=======================
h k m
hkm (at) hakim (dot) ws
http://www.hakim.ws
http://www.webvuln.com/
=======================
Greets: preth00nker, DromoroK, mr.ebola, Javier, d0ct0r_4rz0v1zp0,
ch@vez, fito, HL, Xianur0, Pr@fEs0r X, Daemon, us3r.

REFERENCES
=======================
Preth00nker's exploit (LAN) - http://www.milw0rm.com/exploits/2246
2Wire Gateways CRLF DoS (from local network) - http://secunia.com/advisories/21583
Hakim.Ws - http://www.hakim.ws
WebVuln - http://www.webvuln.com

2009-09 - WebVuln - http://www.webvuln.com

References:

http://www.vupen.com/english/advisories/2009/3110
http://www.securitytracker.com/id?1023116
http://www.securityfocus.com/archive/1/archive/1/507587/100/0/threaded
http://webvuln.com/advisories/2wire.remote.denial.of.service.txt
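
Because the advisory leaves patching to providers, its model list and version bound can drive a fleet inventory triage. The following is an added example, not part of the original advisory; the CSV columns, sample rows and status names are assumptions, and firmware above 5.29.52 is reported only as outside the stated range, not as confirmed fixed.

```python
import csv
import io

# Values taken from the advisory's header block.
VULNERABLE_MODELS = {"1700HG", "1701HG", "1800HW", "2071", "2700HG", "2701HG-T"}
LAST_VULNERABLE = (5, 29, 52)  # "Vulnerable Software: =< 5.29.52"

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """\
serial,model,firmware,remote_mgmt
A001,2701HG-T,5.29.52,enabled
A002,2701HG-T,5.29.107,enabled
A003,1701HG,5.29.9,disabled
A004,2700HG,unknown,enabled
A005,3800HGV,5.29.52,enabled
"""

def parse_version(text):
    """Return a dotted version as a tuple of ints, or None if unparseable."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def triage(inventory_csv):
    """Map each serial to a status name (hypothetical labels, see comments)."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].strip().upper()
        version = parse_version(row["firmware"])
        remote = row["remote_mgmt"].strip().lower() == "enabled"
        if model not in VULNERABLE_MODELS:
            status = "not_listed"   # model does not appear in the advisory
        elif version is None:
            status = "review"       # listed model, firmware cannot be compared
        elif version > LAST_VULNERABLE:
            status = "above_range"  # numeric compare: 5.29.107 > 5.29.52
        elif remote:
            status = "exposed"      # in range, remote management still enabled
        else:
            status = "patch"        # in range, workaround already applied
        result[row["serial"]] = status
    return result

if __name__ == "__main__":
    for serial, status in triage(SAMPLE_INVENTORY).items():
        print(serial, status)
```

Versions are compared component by component as integers, since a plain string comparison would sort 5.29.107 below 5.29.52 and misreport it as in range.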

