By combining a number of distinct vulnerabilities, attackers may take control of the web interface for popular cable modems in order to further compromise internal hosts over an external interface.
ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem
The device is described by the vendor as a "fully integrated all-in-one home networking solution that combines the functionality of a DOCSIS/EuroDOCSIS 3.0 cable modem, four-port 10/100/1000 Ethernet switch with advanced firewall, and an 802.11n Wi-Fi access point [which is] cost-effective, efficient, and secure."
Firmware versions SBG6580Ð22.214.171.124-GAÐ06Ð077-NOSH, and SBG6580-126.96.36.199-GA-04-098-NOSH have been confirmed as vulnerable.
The web interface for the Arris / Motorola Surfboard SBG6580 has several vulnerabilities that, when combined, allow an arbitrary, external website to take control of the modem, even if the victim is not currently logged in. The attacker must successfully know, or guess, the victim's internal gateway IP address. This is usually a default value of 192.168.0.1.
It's important to stress that, taken separately, these vulnerabilities are not all that unusual for embedded devices with web management interfaces. Taken together, though, an attacker can perform malicious network reconfigurations.
CSRF Vulnerability (CVE-2015-0965)
Due to a lack of cross-site request forgery (CSRF) protections in the device's login form, a login action can be performed on behalf of the victim's browser by an arbitrary website, without the user's knowledge.
Backdoor Vulnerability (CVE-2015-0966)
Once in a position to log in to the administrative interface of a SURFboard device, authentication is made trivial due to the presence of a widely known, pre-installed backdoor account. The tested devices had a "technician" user with the password, "yZgO8Bvj." Other accounts may be present as installed by service providers and resellers.
XSS Vulnerability (CVE-2015-0964)
The script injection occurs in the Firewall Local Log section of the web interface. The following HTTP request will gain persistent XSS in the router interface, provided the victim is authenticated:
POST /goform/RgFirewallEL HTTP/1.1 Host: 192.168.0.1 Connection: keep-alive Content-Length: 128 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://192.168.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://192.168.0.1/RgFirewallEL.asp Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 EmailAddress:<script>@a.com<script>alert(1)</script> SmtpServerName: SmtpUsername: SmtpPassword: LogAction:0
Impact of Successful Exploitation
A remote attacker can gain full control over a target's router via the web interface and UPnP. One exploit scenario is described below:
- Malicious code fingerprints the victim's router based on an image served by the web interface.
- Malicious code attempts to log in with guessed credentials (admin/motorola)
- Malicious code sends a CSRF request with embedded XSS payload
- Malicious code loads reflected page in an invisible iframe and renders injected XSS payload
- Malicious code can now modify router settings and configure the victim's network for further exfiltration and exploitation.
The Metasploit module, published in conjunction with this advisory, takes advantage of all three vulnerabilities to place an arbitrary internal endpoint in the DMZ of the affected network, thus exposing all running services to direct Internet access.
In addition, the Metasploit module automatically downloads a copy of of all registered DHCP clients, complete with their MAC addresses, IP addresses, and hostnames.
Recommended Fixes and Mitigations
The vendor may mitigate these issues with the following:
- Better sanitization of the EmailAddress input to /goform/RgFirewallEL.
- Normal CSRF token or HTTP Referer validation on all forms.
- Cease issuing reusable backdoor credentials.
Affected users can mitigate their exposure by only visiting Internet web sites from a device that is incapable of communicating with the web administration interface on vulnerable cable modems. While this capability does not appear to be present on SURFboard device, configuring a custom local firewall rule can prevent accidental (or malicious) connectivity, as would configuring an additional hardware firewall/gateway to limit communication from internal hosts to the vulnerable device.
These vulnerabilities were discovered by independent security researcher Joe Vennix.
- Sat Jan 03 2015: Initial discovery and PoC written and demonstrated.
- Fri Jan 23 2015: Security contacts at the vendor sought for reporting.
- Thu Feb 19 2015: Disclosed issues and PoC to CERT/CC.
- Fri Apr 03 2015: CVEs assigned by CERT/CC.
- Wed Apr 08 2015: Public Disclosure and Metasploit module published (PR #5105).
*Updated disclosure timeline to accurately reflect that CVEs were assigned in April, not February.