Last updated at Mon, 21 Aug 2017 15:45:43 GMT

By combining a number of distinct vulnerabilities, attackers may take control of the web interface for popular cable modems in order to further compromise internal hosts over an external interface.

Affected Product

ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem

The device is described by the vendor as a "fully integrated all-in-one home networking solution that combines the functionality of a DOCSIS/EuroDOCSIS 3.0 cable modem, four-port 10/100/1000 Ethernet switch with advanced firewall, and an 802.11n Wi-Fi access point [which is] cost-effective, efficient, and secure."

Firmware versions SBG6580-6.5.2.0-GA-06-077-NOSH and SBG6580-8.6.1.0-GA-04-098-NOSH have been confirmed as vulnerable.

Vulnerability Overview

The web interface for the Arris / Motorola Surfboard SBG6580 has several vulnerabilities that, when combined, allow an arbitrary, external website to take control of the modem, even if the victim is not currently logged in. The attacker must know, or successfully guess, the victim's internal gateway IP address, which is usually the default value of 192.168.0.1.

It's important to stress that, taken separately, these vulnerabilities are not all that unusual for embedded devices with web management interfaces. Taken together, though, an attacker can perform malicious network reconfigurations.

CSRF Vulnerability (CVE-2015-0965)

Due to a lack of cross-site request forgery (CSRF) protections in the device's login form, a login action can be performed on behalf of the victim's browser by an arbitrary website, without the user's knowledge.

Backdoor Vulnerability (CVE-2015-0966)

Once in a position to log in to the administrative interface of a SURFboard device, authentication is made trivial due to the presence of a widely known, pre-installed backdoor account. The tested devices had a "technician" user with the password "yZgO8Bvj". Other accounts may be present as installed by service providers and resellers.

XSS Vulnerability (CVE-2015-0964)

Once successfully logged in, a persistent XSS vulnerability in the firewall configuration page can allow authenticated attackers to inject Javascript capable of performing any action available in the router interface.

Vulnerability Details

The script injection occurs in the Firewall Local Log section of the web interface. The following HTTP request will gain persistent XSS in the router interface, provided the victim is authenticated:

    POST /goform/RgFirewallEL HTTP/1.1
    Host: 192.168.0.1
    Connection: keep-alive
    Content-Length: 128
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Origin: http://192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Referer: http://192.168.0.1/RgFirewallEL.asp
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.8

    EmailAddress:<script>@a.com<script>alert(1)</script>
    SmtpServerName:
    SmtpUsername:
    SmtpPassword:
    LogAction:0

Impact of Successful Exploitation

A remote attacker can gain full control over a target's router via the web interface and UPnP. One exploit scenario is described below:

  1. The victim clicks a link that leads to a page controlled by the attacker, with Javascript enabled in the victim's browser.
  2. Malicious code fingerprints the victim's router based on an image served by the web interface.
  3. Malicious code attempts to log in with guessed credentials (admin/motorola).
  4. Malicious code sends a CSRF request with an embedded XSS payload.
  5. Malicious code loads the reflected page in an invisible iframe and renders the injected XSS payload.
  6. Malicious code can now modify router settings and configure the victim's network for further exfiltration and exploitation.

The Metasploit module, published in conjunction with this advisory, takes advantage of all three vulnerabilities to place an arbitrary internal endpoint in the DMZ of the affected network, thus exposing all running services to direct Internet access.

In addition, the Metasploit module automatically downloads a copy of all registered DHCP clients, complete with their MAC addresses, IP addresses, and hostnames.

Recommended Fixes and Mitigations

The vendor may mitigate these issues with the following:

  1. Better sanitization of the EmailAddress input to /goform/RgFirewallEL.
  2. Normal CSRF token or HTTP Referer validation on all forms.
  3. Add an X-Frame-Options header so the interface cannot be framed from other origins, which blocks the invisible-iframe step used to render injected Javascript.
  4. Cease issuing reusable backdoor credentials.
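The following is an added example, not code from the advisory or from the vendor's firmware, showing what the first three vendor-side mitigations look like in a request handler, exercised against the injection request shown under Vulnerability Details. The form field names and the gateway address are taken from the advisory; the handler name, the csrf_token field, the session token, and the cross-origin sample header are assumptions made for the illustration. It rejects cross-origin submissions by Origin/Referer, requires a per-session CSRF token, refuses an EmailAddress value that is not shaped like an e-mail address, HTML-escapes the value when echoing it back, and sends X-Frame-Options on every response.

```python
import html
import re
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: the form fields from the advisory's injection request.
INJECTION_FORM = {
    "EmailAddress": "<script>@a.com<script>alert(1)</script>",
    "SmtpServerName": "",
    "SmtpUsername": "",
    "SmtpPassword": "",
    "LogAction": "0",
}

# Conservative e-mail shape: local part, one "@", dotted host labels. Angle
# brackets, quotes and slashes never match, so markup is rejected on input.
_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$"
)

# Gateway address given in the advisory; the only origin allowed to post forms.
ADMIN_ORIGIN = "http://192.168.0.1"

# Sent on every response so the interface cannot be loaded in a hidden iframe.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Type": "text/html; charset=utf-8",
}


def valid_email_address(value: str) -> bool:
    """Input validation for the EmailAddress field of /goform/RgFirewallEL."""
    return bool(_EMAIL_RE.fullmatch(value))


def same_origin(headers: Dict[str, str]) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer)
    names the administrative interface itself."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin.rstrip("/") == ADMIN_ORIGIN
    referer = headers.get("Referer")
    if referer is None:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def csrf_token_ok(session_token: Optional[str], form_token: Optional[str]) -> bool:
    """Constant-time comparison of the token bound to the session (assumed to be
    issued when the page is rendered) with the one submitted in the form."""
    if not session_token or not form_token:
        return False
    return secrets.compare_digest(session_token, form_token)


def handle_firewall_log_form(
    headers: Dict[str, str], form: Dict[str, str], session_token: Optional[str]
) -> Tuple[int, Dict[str, str], str]:
    """Hypothetical hardened handler; returns (status, headers, body)."""
    if not same_origin(headers):
        return 403, SECURITY_HEADERS, "cross-origin request refused"
    if not csrf_token_ok(session_token, form.get("csrf_token")):
        return 403, SECURITY_HEADERS, "missing or invalid CSRF token"
    email = form.get("EmailAddress", "")
    if email and not valid_email_address(email):
        return 400, SECURITY_HEADERS, "EmailAddress rejected"
    # Even an accepted value is escaped when echoed back into the page.
    body = f"<p>Log e-mail address: {html.escape(email)}</p>"
    return 200, SECURITY_HEADERS, body


if __name__ == "__main__":
    # The advisory's request, replayed from a cross-origin page and then from
    # the interface itself with a valid token: 403, then 400.
    print(handle_firewall_log_form({"Origin": "http://attacker.invalid"}, INJECTION_FORM, "tok")[0])
    print(handle_firewall_log_form({"Origin": ADMIN_ORIGIN},
                                   dict(INJECTION_FORM, csrf_token="tok"), "tok")[0])
```

The order of the checks matters: the origin and token checks run before any field is looked at, so the login-CSRF step of the chain is stopped independently of whether the XSS filter is correct, and the X-Frame-Options header is attached to error responses as well as successful ones.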

Affected users can mitigate their exposure by only visiting Internet web sites from a device that is incapable of communicating with the web administration interface on vulnerable cable modems. While this capability does not appear to be present on the SURFboard device itself, configuring a custom local firewall rule on the client can prevent accidental (or malicious) connectivity, as would configuring an additional hardware firewall/gateway to limit communication from internal hosts to the vulnerable device.

Credit

These vulnerabilities were discovered by independent security researcher Joe Vennix.

Disclosure Timeline

  • Sat Jan 03 2015: Initial discovery and PoC written and demonstrated.
  • Fri Jan 23 2015: Security contacts at the vendor sought for reporting.
  • Thu Feb 19 2015: Disclosed issues and PoC to CERT/CC.
  • Fri Apr 03 2015: CVEs assigned by CERT/CC.
  • Wed Apr 08 2015: Public Disclosure and Metasploit module published (PR #5105).

* Updated disclosure timeline to accurately reflect that CVEs were assigned in April, not February.