High October 12, 2009

2Wire Authentication Bypass and Unauthorized Password Reset

Some 2Wire devices are vulnerable to authentication bypass and remote password reset attacks that allow drive-by pharming.

CVSS Score: 8.8 / 10.0
Severity: High
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Advisory

Application: 2Wire Gateway
Impact: Authentication bypass and unauthorized password reset
Websec Advisory: WS09-02
Disclosed: August 4, 2009
Venue: DEF CON 17

Description

There is an authentication bypass vulnerability in page=CD35_SETUP_01 that allows an attacker to set a new administrative password even when one is already configured, without knowing the existing password.

Additionally, submitting the same form with a password longer than 512 characters causes the password field to be wiped. The next time the router is accessed, the user is prompted to set a new password, granting the attacker an opportunity to take over the device on refresh.

Affected Products

  • 2Wire 2071 Gateway — firmware 5.29.51
  • 2Wire 1800HW — firmware 3.17.5
  • 2Wire 1701HG — firmware 3.7.1

Fixed In

Firmware 5.29.135.5 or later.

Disclosure Timeline

  • 2009-03-27 — 2Wire contacted, no satisfactory response.
  • 2009-07-11 — Complete technical details sent to 2Wire, no response.
  • 2009-07-17 — Advisory and video demos sent to 2Wire; ticket escalated, no further response.
  • 2009-08-02 — Publicly disclosed at DEF CON 17.

Exploit / Proof of Concept

Authentication Bypass. Request the setup page directly to set a new password, bypassing the existing credential check:

http://gateway.2wire.net/xslt?page=CD35_SETUP_01

Password Reset. Submit the same form with a password longer than 512 characters; the stored password is cleared on the next access:

http://gateway.2wire.net/xslt?PAGE=CD35_SETUP_01_POST&password1=<513+chars>&password2=<513+chars>
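
The two requests above have a recognizable shape in web proxy logs. The following Python is an added example, not part of the original advisory: it flags requests for the setup pages, password fields longer than 512 characters, and cross-site Referers (the drive-by pharming case). The function name, finding labels and sample log entries are assumptions constructed for illustration, and only the query string is inspected, as in the URLs shown above.

```python
from urllib.parse import urlsplit, parse_qsl

SETUP_PAGES = {"CD35_SETUP_01", "CD35_SETUP_01_POST"}  # page names from the advisory
MAX_PASSWORD_LEN = 512           # longer values wipe the stored password
GATEWAY_HOSTS = {"gateway.2wire.net"}  # assumption: add your gateway's LAN address


def classify(url, referer=""):
    """Return a set of findings for one logged request (URL plus Referer)."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in GATEWAY_HOSTS:
        return set()
    # The advisory shows both "page=" and "PAGE=", so fold parameter names.
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(key.lower(), []).append(value)
    pages = {p.upper() for p in params.get("page", [])}
    if not pages & SETUP_PAGES:
        return set()
    findings = {"setup-page-request"}
    if "CD35_SETUP_01_POST" in pages:
        findings.add("password-set-attempt")
    for field in ("password1", "password2"):
        if any(len(v) > MAX_PASSWORD_LEN for v in params.get(field, [])):
            findings.add("oversized-password")
    # Drive-by pharming: the request was triggered from another origin.
    ref_host = (urlsplit(referer).hostname or "").lower()
    if ref_host and ref_host not in GATEWAY_HOSTS:
        findings.add("cross-site-referer")
    return findings


# Constructed sample log entries: (url, referer). HOME_EXAMPLE is a made-up page.
SAMPLE_LOG = [
    ("http://gateway.2wire.net/xslt?page=CD35_SETUP_01", ""),
    ("http://gateway.2wire.net/xslt?PAGE=CD35_SETUP_01_POST&password1="
     + "A" * 513 + "&password2=" + "A" * 513, "http://blog.example/post.html"),
    ("http://gateway.2wire.net/xslt?page=HOME_EXAMPLE", "http://gateway.2wire.net/"),
]

if __name__ == "__main__":
    for url, referer in SAMPLE_LOG:
        hits = classify(url, referer)
        if hits:
            print(sorted(hits), url[:70])
```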


Remediation

Upgrade the 2Wire gateway firmware to 5.29.135.5 or later. 2Wire devices are end-of-life; if an upgrade is unavailable, replace the device.
