Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22319
HistoryAug 12, 2009 - 12:00 a.m.

2WIRE Gateway Authentication Bypass & Password Reset

2009-08-1200:00:00
vulners.com
43
JSON

2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET

DESCRIPTION

There is an authentication bypass vulnerability in page=CD35_SETUP_01
that allows you to set a new password even if the password was
previously set.

By setting a new password with more than 512 characters the password
gets reset and next time you access the router you will be prompted for
a new password.

VULNERABLE

2Wire 2071 Gateway
2Wire 1800HW
2Wire 1701HG

Firmware
5.29.51
3.17.5
3.7.1

NOT VULNERABLE

Firmware
5.29.135.5 or later

DISCLOSURE TIMELINE

03/27/2009 - 2wire Contacted
no satisfactory response
07/11/2009 - Sent complete details to 2wire
no response
07/17/2009 - Sent advisory with video demo to 2wire
ticket status escalated, but no response
08/02/2009 - Made public @ Defcon 17

EXPLOIT/POC

Authentication Bypass - just use this page to set a new password

 http://gateway.2wire.net?xslt?page=CD35_SETUP_01

Video: http://www.hakim.ws/2wire/2wire_CD35_Bypass.ogv

Password Reset - using the same form but sending a password > 512
characters

http://gateway.2wire.net/xslt?PAGE=CD35_SETUP_01_POST&password1=*Ax512*&password2=*Ax512*

Video: http://www.hakim.ws/2wire/2wire_CD35_Reset.ogv

GREETS

sdc lightos pcp nitr0us 0xf alt3kx darko DeadSector Etal gwolf
h4ckult1m4t3 hackerss hd k00l kaz Kbrown mendozaaaa nahual Napa nediam
raza-mexicana roa Setting sla.ckers thornmaker tr3w vandida vi0let
xianur0 Yield

Comunidad Underground de Mexico : https://www.underground.org.mx

         h k m
  http://www.hakim.ws
JSON