The 2Wire Broadband Router is vulnerable to a session hijacking flaw that allows attackers to take over the router administrator's session.
2. PRODUCT DESCRIPTION
2Wire routers, made by 2Wire, are widely used broadband routers in SOHO environments.
They are distributed by major ISPs (see http://2wire.com/?p=383) with ready-to-use, pre-configured settings.
Their wireless networks are easily recognized by the well-known "2WIRE" SSID prefix.
3. VULNERABILITY DESCRIPTION
The web-based management interface of the 2Wire Broadband router does not generate truly unique, random session IDs for a logged-in administrator.
This allows an attacker to brute-force a valid session ID and take over the administrator session.
For more information about this class of weakness,
refer to CWE-330: Use of Insufficiently Random Values and CWE-331: Insufficient Entropy.
4. VERSIONS AFFECTED
Model: 2700HGV-2 Gateway
Hardware Version: 2700-100657-005
Software Version: 220.127.116.11
Other versions might be affected as well.
Attackers can take over a 2Wire administrator session with automated tools and then change any router setting they want.
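Added example (not part of the original advisory, nor 2Wire's code): a Python check for the weakness class described in section 3 and the brute-force feasibility claimed above. Given a sample of session IDs, it measures how many characters actually vary, flags counter-style IDs, and estimates how long guessing takes at an assumed request rate. The "weak" generator is a constructed stand-in that models the CWE-330/331 pattern; it is not 2Wire's actual algorithm, and the 1000 requests/second figure is an assumption.

```python
import math
import secrets
from collections import Counter


# Constructed weak generator for illustration only; it is NOT 2Wire's real
# algorithm. It models the CWE-330/331 pattern: a fixed prefix plus a small
# counter, so only a few characters actually vary between sessions.
def weak_session_id(counter):
    return "1234%08d" % (counter % 100000)


def strong_session_id():
    """128 bits from the OS CSPRNG, hex encoded (32 characters)."""
    return secrets.token_hex(16)


def per_position_entropy(ids):
    """Shannon entropy in bits of each character position over the sample.

    A position that never changes scores 0; a uniformly random decimal digit
    scores about 3.32, a uniformly random hex digit about 4.0.
    """
    n = len(ids)
    width = len(ids[0])
    bits = []
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        h = -sum((c / n) * math.log2(c / n) for c in counts.values())
        bits.append(h)
    return bits


def estimated_entropy_bits(ids):
    """Rough upper bound on the effective keyspace, in bits.

    Summing per-position entropy ignores correlations between positions,
    so the true figure can only be lower than this.
    """
    return sum(per_position_entropy(ids))


def _as_int(token):
    try:
        return int(token)
    except ValueError:
        return int(token, 16)


def looks_sequential(ids, max_step=1000):
    """True if consecutive IDs differ by one constant, small numeric step."""
    values = [_as_int(s) for s in ids]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and abs(steps.pop()) <= max_step


def brute_force_seconds(entropy_bits, guesses_per_second, live_sessions=1):
    """Expected seconds to hit one of `live_sessions` valid IDs by guessing
    uniformly over a keyspace of 2**entropy_bits."""
    expected_guesses = 2 ** entropy_bits / (2 * live_sessions)
    return expected_guesses / guesses_per_second


if __name__ == "__main__":
    # Constructed samples: 1000 IDs from the weak generator, 2000 from the strong one.
    weak = [weak_session_id(i) for i in range(1000)]
    strong = [strong_session_id() for _ in range(2000)]
    for name, sample in (("weak", weak), ("strong", strong)):
        bits = estimated_entropy_bits(sample)
        print("%-6s ~%.1f bits, sequential=%s, expected brute force at 1000 req/s: %.3g s"
              % (name, bits, looks_sequential(sample), brute_force_seconds(bits, 1000)))
```

The weak sample scores about 10 bits with a constant step of 1, so a single administrator session is expected to fall within a second at the assumed rate; the CSPRNG sample scores close to 128 bits. The per-position sum is an upper bound and says nothing about time-seeded or otherwise predictable generators, so treat it as a first screen before a fuller analysis with a sequencer-type tool on IDs captured from the real device.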
7. SOLUTION [from 2wire]
2wire has already investigated and provided a fix for this issue.
These fixes have been implemented in the 6.x series of software and are available to our partners.
Since 2wire does not provide software releases to end-users, it is up to the partner ISP to
adopt new versions and provide them to their customers.
About 2Wire - http://www.2wire.com/index.php?p=486
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
07-25-2010: vulnerability discovered
07-29-2010: notified vendor
08-02-2010: vendor responded/verified
08-09-2010: vendor did not respond when fix/upgrade would be available
08-09-2010: vulnerability disclosed
08-21-2010: vendor released fix
Original Advisory URL: http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability
Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/
Related WebGoat Lesson: http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/