Oh no, Moto! Cable modem has hardcoded 'technician' backdoor

SOHOpeless router tosses your internet connection into the DMZ for max p0wn potential


Researchers at Rapid7 have turned up a set of typically dumb vulnerabilities in Motorola's DOCSIS/EuroDOCSIS 3.0-capable SURFboard SBG 6580 cable broadband modem.

The device, which also ships under the Arris brand, has vulnerabilities including hardcoded login credentials that will allow an outside attacker to take control of the kit.

This goes beyond the usual “ooh hax0rs can get my modem” FUD, because once exploited, an attacker could drop a user's computer into the DMZ, leaving the machine naked to the outside world.

As the Rapid7 post states: “these vulnerabilities are not all that unusual for embedded devices with web management interfaces. Taken together, though, an attacker can perform malicious network reconfigurations.”

The three vulnerabilities are:

  • A cross-site request forgery tagged CVE-2015-0965 that lets an arbitrary site log in without the user's knowledge;
  • At least one hard-coded backdoor, CVE-2015-0966, letting “technician” log in with the password yZgO8Bvj; and
  • A cross-site scripting vulnerability in the firewall config page, CVE-2015-0964, letting attackers inject JavaScript to do pretty much anything they want.

The Rapid7 post, written by Tod Beardsley, offers a demo HTTP request that will “gain persistent XSS in the router interface, provided the victim is authenticated”.

Exploitation only requires that “The attacker must successfully know, or guess, the victim's internal gateway IP address. This is usually a default value of 192.168.0.1.”

The post continues: “The Metasploit module, published in conjunction with this advisory, takes advantage of all three vulnerabilities to place an arbitrary internal endpoint in the DMZ of the affected network, thus exposing all running services to direct Internet access.

“In addition, the Metasploit module automatically downloads a copy of all registered DHCP clients, complete with their MAC addresses, IP addresses, and hostnames.”

Rapid7 credits Joe Vennix for turning up the vulnerabilities.

Arris is the Motorola spin-off carrying the cable modem business. It recently won a lucrative deal in Australia to supply product for the HFC part of the network. ®
