InfoSec: Protect your 2WIRE router from getting exploited

Disclaimer: none of the exploit information below was discovered by me, and I am not attempting to take credit for it; I am merely summarizing it to provide background for the workaround that I describe in this article. All of the exploit, device model and provider information is readily available online on the sites listed in the Links section.

Which 2WIRE devices are affected?

Multiple vulnerabilities have been released in the wild that affect a wide range of 2WIRE routers, used by many ISPs, such as:

  • BT
  • AT&T
  • Telmex
  • Qwest
  • Sasktel
  • Telus
  • and many others.

All firmware versions except 3.5.X.X have reportedly been affected, and the 2WIRE models affected include, but are not limited to:

  • 1000SW
  • 1701
  • 1801
  • 2700
  • 2701
  • 3700
  • 3800

How does this affect you?

A potential attacker could perform a number of configuration changes on your 2WIRE router just by posting a specially crafted URL for you to open on a site such as Facebook, or by including it in a 1x1 pixel image on any page or email. The following exploits have been tested for the above models:

  • Set a custom administrator password on the router
  • Add names to the DNS list (doesn't work on 2700)
  • Disable Wireless Authentication
  • Set Dynamic DNS
  • Modify your password and password hint

Once again: no action is required from you for the attacker to perform the above configuration changes; you only need to open a page or email containing the malicious URI.

How does it work?

I will not re-post the exact links that I used to exploit the above vulnerabilities on my 2WIRE 2700, for obvious reasons. However, there are some generic examples available in the SecurityFocus records, links to which you can find in the Links section below.

Consider that the IP address given in the SecurityFocus examples is the default gateway of the private subnet used by the router, and that the 2WIRE gateway will always resolve the following names to that IP, and you can easily see at least three attack vectors for this exploit:

  • gateway.2wire.net
  • home

Are there fixes available?

Neither 2WIRE nor any of the ISPs providing the routers to their customers has an update available that fixes this issue; however, there are some workarounds that you can put in place that will render the attacker's malicious URIs unusable.

The Workaround

Here is the fun part. First, we need to make sure that the default hostnames that the 2WIRE gateway automatically resolves to your private subnet's default gateway point somewhere else. This will make any malicious URIs using these hostnames harmless (they will simply time out instead of doing you any harm).

To do that, open your hosts file in Notepad (on Windows the hosts file is located under C:\WINDOWS\system32\drivers\etc; if you are using Linux, you probably know where your hosts file is). At the top of the file you should see some comments, with the bottom line being:

127.0.0.1 localhost

This is a default entry that points the hostname "localhost" to the internal loopback address of your network card. Let's add two more lines under it, pointing the dastardly 2WIRE hostnames to this same loopback address (or you can use any IP address other than your default gateway IP; I personally used Google's current IP):

127.0.0.1 gateway.2wire.net
127.0.0.1 home

Save and close the file and this part is done: any attempt to trick you into opening the default gateway IP/management IP of your 2WIRE router via these hostnames will simply point your computer back at itself (or whichever IP you entered above) and time out without doing any harm.

Second, we need to get rid of the default IP range (and corresponding default gateway) that the 2WIRE comes with. Navigate to your 2WIRE management page (by default you could open it by browsing to http://gateway.2wire.net or http://home, but we have dealt with those in the first step, so let's use the IP address instead): http://192.168.1.254. You should see Advanced Settings under the Home Network part of the menu*.

Now, I can only go by my 2700 series device, so if your device is different the location of this setting may be different, but basically you are looking for something that says "Private Network" and has IP ranges such as 192.168.1.0, 172.16.0.0 and 10.0.0.0 to choose from. These are the ones we don't want to use, since the attacker is most likely to try the default ones in the exploit URIs. Configure a custom one like 192.168.234.0 or 10.23.45.0:

Router Address: 10.23.45.254
Subnet mask: 255.255.255.0
Enable DHCP: Checked
First DHCP Address: 10.23.45.1
Last DHCP Address: 10.23.45.253

Note: submitting this will most likely disconnect you from the internet and the 2WIRE management interface, since both your IP and the IP of the router will now be different. But this is exactly what we wanted: now the attacker does not know what they are and will have a hard time coming up with a URL that will exploit your router. In my case, I needed to turn the router off and on after changing the IP address to apply the new network settings.

*If this default IP address doesn't open your 2WIRE management page, you may not need to do this step. However, if you would still like to change your subnet range (Sasktel customers may have a different default subnet range that may become public and get exploited at a later date), you can find out what your Default Gateway address is by launching Command Prompt and entering the "ipconfig" command. The Default Gateway is usually the management IP of your router.
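As an added example that is not part of the original article, here is a Python check for both workaround steps: it parses a hosts file the way the resolver does (comments, tabs or spaces, first entry wins) and confirms that the 2WIRE hostnames no longer resolve to the router and that the router address sits outside the guessable default ranges. The sample hosts content is constructed, and the /24 masks on the default ranges are an assumption taken from the 255.255.255.0 mask in the article.

```python
import ipaddress

# Hostnames the 2WIRE gateway always resolves to its own LAN address (from the article).
TWOWIRE_HOSTNAMES = ("gateway.2wire.net", "home")

# Default ranges offered on the 2WIRE "Private Network" page; the /24 is assumed from the
# 255.255.255.0 mask in the article. Attackers guess gateway addresses inside these.
DEFAULT_RANGES = [ipaddress.ip_network(n) for n in
                  ("192.168.1.0/24", "172.16.0.0/24", "10.0.0.0/24")]

# Constructed sample hosts file with the two workaround lines added under localhost.
SAMPLE_HOSTS = """# constructed sample, not a real machine's hosts file
127.0.0.1       localhost
127.0.0.1\tgateway.2wire.net
127.0.0.1 home   # tabs and spaces are both valid separators
"""

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; first entry for a name wins, like the resolver."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()                 # any run of tabs or spaces separates fields
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address: resolver ignores the line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping

def audit(hosts_text, router_ip):
    """Return findings for the two workaround steps; an empty list means both are in place."""
    findings = []
    hosts = parse_hosts(hosts_text)
    router = ipaddress.ip_address(router_ip)
    for name in TWOWIRE_HOSTNAMES:
        ip = hosts.get(name)
        if ip is None:
            findings.append(f"{name}: no hosts entry, so it still resolves to the router")
        elif ip == router:
            findings.append(f"{name}: hosts entry still points at the router {ip}")
    for net in DEFAULT_RANGES:
        if router in net:
            findings.append(f"router {router} is inside the guessable default range {net}")
    return findings
```

Feed it the contents of your real hosts file and the gateway address from "ipconfig"; an empty result means both steps are in place.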

Summary

Sorry for the lengthy article; I got a little carried away while trying to make sure that I include as many details as possible to make the workaround accessible for everyone. If you have some additional information, such as configuration steps for routers other than the 2700 series, please post it in the comments and I will make sure to add it to the article.

Links

http://www.securityfocus.com/bid/27246/exploit
http://www.securityfocus.com/bid/27516/exploit
http://www.dslreports.com/forum/r19987755-2Wire-Cross-Site-Request-Forgery-Vulnerability
http://tech.slashdot.org/article.pl?sid=08/04/08/1946214

Updates

April 9, 2008 - According to Slashdot, AT&T spokesman Seth Bloom has announced that: "The majority of our customers did not have gateways affected by this vulnerability. For those that did, as soon as we became aware of the issue, we expeditiously implemented a permanent solution to close the vulnerability. In fact, we've already updated the majority of affected 2Wire gateways, and we're nearing completion of the process. We've received no reports of any significant threats targeting our customers." A number of AT&T customers on the site, even those that received their new 2WIREs in the last two weeks, are reporting that the exploits are still present on AT&T devices (comment).

May 5, 2009 - According to 2WIRE support, they distributed updates to all ISPs to address the vulnerabilities last year, and while it appears that the 27246 exploit may have indeed been eliminated, 27516 still remains exploitable (I even tried it on my "patched" 2700 and was able to reset my password on the first try). Don't click the links your neighbors send you, unless you want to share your wireless with them!

June 24, 2009 - Tired of my complaints, my ISP has "upgraded" me to a "new" ADSL modem. I guess that "fixes" the problem for me, but be aware that 27516 still seems to be exploitable on at least some of the devices that ISPs claim have been patched. If you hear any updates on this issue, please post them in the comments.

August 27, 2009 - Warning! Another vulnerability has just been discovered that affects all current versions of 2WIRE routers and allows an attacker to reset the administrative password on the system using nothing but a browser. Basically, if someone connects to your wireless, they can do anything they want to your network: http://www.securityfocus.com/bid/36075/info. Good time to phone up your ISP and demand a new router.

April 5, 2013 - A similar vulnerability is reported for Cisco Linksys EA2700 routers (I found the same numerical series rather ironic); upgrading to the latest firmware is highly advised.

7 comments:

Anonymous said...

Worked for my Telus 2WIRE 2700HG-E. Thanks!

Ribby said...

wow, I actually found some way to get access to my router interface lol.

this is a useful page. However, I don't get why I should do those unverified things or know how to....

Ribby said...

As for the localhost part, I found that I can gain access there, but the shortcut is quite glitchy. So I went ahead and made that loopback address.

As for IP addresses, how easily exploited from that method?

Oleksiy Gayda said...

If you use the default IP range on your home network then it's no different from the "localhost" exploit - bad guys can easily guess your gateway/router IP and tailor links to alter your settings. Luckily, as with any other device-specific exploits, the exposure seems to be very minimal so unless someone targets you personally, you should be OK.

Anonymous said...

I would like to thank you for covering the 'localhost' part. However, there are some issues I would like to resolve.

I have placed the line, "127.0.0.1 localhost", in the hosts file. That should prevent using the http://localhost/ or http://127.0.0.1/ .

However, I am still able to access http://gateway.2wire.net/ or http://home/ , even though I have placed the lines, "127.0.0.1 gateway.2wire.net" and "127.0.0.1 home" in the hosts file.

Any ideas to prevent using http://gateway.2wire.net/ and http://home/ or a certain internet-network or network-hosting computer?

Ribby said...

whoops, that Anonymous would be me.

Oleksiy Gayda said...

Ribby, it should work - are you sure that you have used a [tab] character, not a space between the IP address and the host name? It should be "127.0.0.1[tab]gateway.2wire.net".