[TriLUG] open ports on Uverse 2wire gateway -- revisited

Igor Partola igor at igorpartola.com
Tue Feb 4 11:47:12 EST 2014


James,

I am inclined to be paranoid about this type of thing not even because of
the cited vulnerability (which in this case as I understand it, would
actually be an attack on AT&T and not you), but because of the possibility
that someone other than AT&T might be able to "upgrade" your router
remotely. Here is a way I might attack this system:

I would try to patch/upgrade the modem/router to gain control of it and get
access to your LAN. While the WinXP box is running a firewall, I would
still try to port scan that to see if I can root it directly. If not, I
would try to see if I can persuade it to talk to different servers by
either updating the DNS servers sent to it via DHCP or doing ARP poisoning
or simply having the router route traffic to my own IPs. Now, if we assume
that your WinXP box only communicates with the outside world via a
TLS-protected protocol (HTTPS, FTPS, etc.) then I might not be able to
man-in-the-middle attack it (this by the way is a big assumption). However,
from what I understand WinXP doesn't exactly have the best crypto support
and it's possible there are vulnerabilities there. In addition, I might try
to man-in-the-middle a plain HTTP (vs HTTPS) site that is frequently
visited from this box and see if I can use a browser exploit to root the
box. Note that I am not in any capacity a professional or even amateur pen
tester, so the above is likely a very naive way of doing things and someone
far more clever than I would probably figure out a much better way to
exploit a router they can run arbitrary code on.

I will repeat my earlier recommendation: buy a $100 modem + a $50 router.
The modem you buy will likely not be running firmware that AT&T can patch
remotely, and thus none of this will be a problem for you.

Igor
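The tampering signs Igor describes above (a gateway whose ARP entry is suddenly answered by a different MAC, and DHCP handing out DNS resolvers you did not expect) are both visible from the LAN side. The following monitor is an added example, not code from the thread: it parses `ip neigh`-style ARP output and a dhclient-style lease file and flags those two conditions. The gateway IP and MAC, the expected resolver, the LAN prefix and all sample tables and leases are constructed for illustration.

```python
"""LAN-side tamper check (added example, not from the TriLUG thread).

Flags two conditions described in the post:
  1. the gateway's ARP entry changing MAC, or one MAC answering for several
     IPs (the footprint of ARP poisoning);
  2. DHCP-advertised DNS resolvers that are not on the expected list.
All constants and sample inputs below are constructed assumptions.
"""
import ipaddress

# Constructed baseline: what the LAN looked like when it was trusted.
EXPECTED_GATEWAY_IP = "192.168.1.254"
EXPECTED_GATEWAY_MAC = "00:11:22:33:44:55"
EXPECTED_DNS = {"192.168.1.254"}          # assumption: gateway forwards DNS
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_arp_table(text):
    """Parse `ip neigh`-style lines: '<ip> dev <if> lladdr <mac> <state>'.
    Returns {ip: mac}. Entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" not in parts:
            continue
        table[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return table


def check_arp(table):
    """Return a list of findings for a parsed ARP table."""
    findings = []
    gw_mac = table.get(EXPECTED_GATEWAY_IP)
    if gw_mac and gw_mac != EXPECTED_GATEWAY_MAC.lower():
        findings.append(f"gateway {EXPECTED_GATEWAY_IP} MAC changed: {gw_mac}")
    # One MAC claiming several IPs is the classic spoofing footprint.
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    return findings


def parse_dhcp_dns(lease_text):
    """Parse dhclient-style lease text for 'option domain-name-servers a, b;'."""
    prefix = "option domain-name-servers"
    servers = set()
    for line in lease_text.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith(prefix):
            servers.update(s.strip() for s in line[len(prefix):].split(","))
    return servers


def check_dns(servers):
    """Flag resolvers not on the allowlist, noting ones outside the LAN."""
    findings = []
    for s in sorted(servers - EXPECTED_DNS):
        note = "" if ipaddress.ip_address(s) in LAN else " (outside LAN)"
        findings.append(f"unexpected DNS resolver from DHCP: {s}{note}")
    return findings


def audit(arp_text, lease_text):
    """Run both checks and return all findings."""
    return check_arp(parse_arp_table(arp_text)) + check_dns(parse_dhcp_dns(lease_text))


# Constructed sample inputs.
CLEAN_ARP = """192.168.1.254 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.99 dev eth0  FAILED"""

POISONED_ARP = """192.168.1.254 dev eth0 lladdr aa:bb:cc:dd:ee:99 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.77 dev eth0 lladdr aa:bb:cc:dd:ee:99 REACHABLE"""

CLEAN_LEASE = """lease {
  interface "eth0";
  option routers 192.168.1.254;
  option domain-name-servers 192.168.1.254;
}"""

TAMPERED_LEASE = """lease {
  interface "eth0";
  option routers 192.168.1.254;
  option domain-name-servers 203.0.113.53, 192.168.1.254;
}"""

if __name__ == "__main__":
    for f in audit(POISONED_ARP, TAMPERED_LEASE):
        print("ALERT:", f)
```

Run periodically from a machine on the LAN (the real inputs would be the output of `ip neigh` and the contents of the dhclient lease file); a clean baseline produces no findings, while the constructed poisoned table and tampered lease produce three alerts.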

