Type: Open port
Affects: Singtel's firmware on 2wire 5012NV-002
Version: (HW version: 2701-000808-004, SW version: 18.104.22.168)
(Unable to ascertain if other versions are affected as I do not have access to the firmware)
Difficulty of exploit: Low (no authentication required; a web browser is sufficient)
Impact: Allows a remote attacker on the Internet to reach the router's admin page and reconfigure the device.
The affected routers expose the admin page on TCP port 2046 of the WAN interface. None of the routers I have seen required any form of authentication on that port. Targets can be found very quickly by scanning port 2046 across the IP ranges Singtel issues to its subscribers: a quick scan of 1275 addresses found approximately 10 vulnerable hosts. Compromising the router is as simple as pointing a browser at http://xxx.xxx.xxx.xxx:2046.
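The check described above, written out as an added example that is not part of the original advisory: it sends a single GET to port 2046 and classifies the answer as exposed (200 with no authentication challenge), auth-required (401 with WWW-Authenticate), closed, or other. The port number comes from the advisory; the classification rules, function names and the sample addresses are assumptions for the example, and it is meant for checking addresses you are responsible for (e.g. your own WAN IP).

```python
"""Check whether a host exposes an unauthenticated HTTP admin page on port 2046.

Added example, not from the original advisory. Assumes only that the
affected routers answer plain HTTP on the WAN side (as the advisory states)
and that a patched or correctly configured device answers 401 with a
WWW-Authenticate challenge, or does not answer at all.
"""
import http.client
import socket
from typing import Dict, Iterable, Tuple

ADMIN_PORT = 2046  # port reported in the advisory

# Classification of a probe result (names are this example's own)
EXPOSED = "exposed"              # 200 with no auth challenge: admin page reachable
AUTH_REQUIRED = "auth-required"  # 401/407 carrying a WWW-Authenticate header
CLOSED = "closed"                # refused / timeout / reset: nothing listening
OTHER = "other"                  # anything else (redirect, 403, 5xx, ...)


def classify(status: int, headers: Dict[str, str]) -> str:
    """Decide what an HTTP status/header pair says about the admin page.

    Header names are compared case-insensitively, as HTTP requires, so a
    device sending 'Www-Authenticate' is still recognised as protected.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 407) and "www-authenticate" in hdrs:
        return AUTH_REQUIRED
    if status == 200:
        return EXPOSED
    return OTHER


def probe(host: str, port: int = ADMIN_PORT, timeout: float = 3.0) -> Tuple[str, int]:
    """Fetch '/' from host:port and classify the answer.

    Only one GET is sent and nothing on the device is changed.
    Returns (classification, status); status is 0 when no HTTP answer came back.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"User-Agent": "port2046-check"})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        resp.read()  # drain the body so the connection closes cleanly
        return classify(resp.status, headers), resp.status
    except (OSError, socket.timeout, http.client.HTTPException):
        return CLOSED, 0
    finally:
        conn.close()


def scan(hosts: Iterable[str], port: int = ADMIN_PORT) -> Dict[str, str]:
    """Probe each host once and return {host: classification}."""
    return {h: probe(h, port)[0] for h in hosts}


if __name__ == "__main__":
    import sys
    # Usage: python check2046.py 192.0.2.10 192.0.2.11
    # (RFC 5737 documentation addresses; substitute the address you own)
    for host, verdict in scan(sys.argv[1:]).items():
        print(f"{host}:{ADMIN_PORT} {verdict}")
```

A 401 without a WWW-Authenticate header is deliberately reported as "other" rather than "auth-required": a bare 401 is not a working authentication challenge, and the advisory's concern is precisely whether the port actually enforces one.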
Potential attacks (in decreasing order of severity):
- Routing table poisoning - The attacker can add a static route that sends traffic destined for a chosen set of IP addresses to an address under their control. That traffic can then be sniffed or subjected to a man-in-the-middle attack, compromising the victim's privacy.
- Rogue firmware upload - The attacker can upload a modified firmware image with any functionality built in for their own use, e.g. a proxy that redirects traffic. Note: there may be mechanisms in place to prevent this, e.g. a requirement that firmware be signed with the manufacturer's key. I have not tested this.
- Denial of service - The attacker can change the Wi-Fi password, locking the victim's wireless devices out of the network. The attacker could also reboot the router repeatedly.
Possible workarounds for subscribers (until the fix is applied):
- Setting an admin password for the web interface - This may not help, as the password may apply only to the web page exposed on port 80 of the LAN interface. I have not come across any affected router that enforced HTTP basic auth on port 2046 of the WAN interface, so check port 2046 from outside after setting it.
- Using a different router that is not affected by this vulnerability - This may not be feasible for many subscribers, as mio TV, the IPTV service offered by Singtel, will not work on a different router without prior configuration.
This issue was brought to SingTel's attention on 23 Oct 2013. I received a call the following January informing me that investigations by the network team had confirmed the vulnerability. A patch has since been released and rolled out to all affected subscribers.