Researchers at Rapid7 have turned up a set of typically dumb vulnerabilities in Motorola's DOCSIS/EuroDOCSIS 3.0-capable SURFboard SBG 6580 cable broadband modem.
The device, which also ships under the Arris brand, has vulnerabilities included hardcoded login credentials that will allow an outside attacker to take control of the kit.
This goes beyond the usual “ooh hax0rs can get my modem” FUD, because once exploited, an attacker could drop a user's computer into the DMZ, leaving the machine naked to the outside world.
As the Rapid7 post states: “these vulnerabilities are not all that unusual for embedded devices with web management interfaces. Taken together, though, an attacker can perform malicious network reconfigurations.”
The three vulnerabilities are:
- A cross-site request forgery tagged CVE-2015-0965 that lets an arbitrary site log in without the user's knowledge;
- At least one hard-coded backdoor, CVE-2015-0966, letting “technician” log in with the password yZgO8Bvj; and
The Rapid7 post, written by Tod Beardsley, offers a demo http request that will “gain persistent XSS in the router interface, provided the victim is authenticated”.
Exploitation only requires that “The attacker must successfully know, or guess, the victim's internal gateway IP address. This is usually a default value of 192.168.0.1.”
The post continues: “The Metasploit module, published in conjunction with this advisory, takes advantage of all three vulnerabilities to place an arbitrary internal endpoint in the DMZ of the affected network, thus exposing all running services to direct Internet access.
“In addition, the Metasploit module automatically downloads a copy of of all registered DHCP clients, complete with their MAC addresses, IP addresses, and hostnames.”
Rapid7 credits Joe Vennix for turning up the vulnerabilities..
Arris is the Motorola spin-off carrying the cable modem business. It recently won a lucrative deal in Australia to supply product for the HFC part of the network. ®