Date: Sun, 3 Apr 2016 16:26:25 -0500
From: David Longenecker <david@...urityforrealpeople.com>
To: fulldisclosure@...lists.org
Subject: [FD] Unauthenticated CSRF reboot flaw in ARRIS (Motorola) SURFboard modems

ARRIS (formerly Motorola) SURFboard 6141 broadband cable modems, with the
latest firmware deployed by Time Warner Cable, have a LAN-side web UI at a
fixed IP address that does not require authentication, and a cross-site
request forgery vulnerability through which it is possible to reboot the
modem with one click.

It is also possible to factory reset the modem with a simple
unauthenticated URL. This causes a longer outage while the modem
renegotiates with the ISP - which can in certain cases even require calling
the ISP to initiate the reactivation.

The vendor describes the SB6141 as the "#1 selling modem," with over 135
million units sold. However, MITRE informed me that this product line is
currently not in scope for CVE assignment, so there is no CVE identifier for
these vulnerabilities.

The following proof of concept website includes the reboot command as the
src attribute to an img tag. As such, VISITING THIS POC LINK WILL REBOOT
THE LOCAL CABLE MODEM:

http://RebootMyModem.net

Caveats: this flaw affects the consumer-oriented, LAN-side administrative
interface, which only supplies diagnostic data and logs, along with reboot
and factory reset functions. This is NOT the ISP-oriented, WAN-side
interface. This has been demonstrated on a SURFboard 6141 modem running
SB_KOMODO-1.0.6.14-SCM01-NOSH, the current firmware deployed to Time Warner
Cable customers. Other models and other ISPs may or may not have the same
design flaw.

Details, screen shots of the UI as it is intended to be used, suggested
iptables rules to limit exposure, and a complete disclosure timeline are at
the following link (without exploitation):

http://www.securityforrealpeople.com/rebootmymodem
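The server-side check that the modem's web UI lacks, as an added example that is not code from this post or from the ARRIS firmware: a state-changing action (reboot, factory reset) is accepted only as a POST whose Origin or Referer names the device itself and which carries a per-session CSRF token, so a cross-site `<img src>` GET is refused. The device host name, header names and token handling are assumptions for the illustration.

```python
import hmac
from urllib.parse import urlparse

# Hypothetical device host; the post does not state the modem's fixed address.
DEVICE_HOST = "modem.example.lan"


def same_origin(headers: dict, device_host: str) -> bool:
    """True only if Origin (preferred) or Referer names the device's own host.

    A request embedded as <img src=...> on a third-party page carries no Origin
    and, at best, a Referer pointing at that third-party page, so it fails here.
    """
    origin = headers.get("Origin")
    if origin:
        return urlparse(origin).hostname == device_host
    referer = headers.get("Referer")
    if referer:
        return urlparse(referer).hostname == device_host
    return False  # neither header present: treat as cross-site


def authorize_action(method: str, headers: dict, form: dict,
                     session_token: str, device_host: str = DEVICE_HOST):
    """Decide whether a reboot/reset request may proceed; returns (ok, reason)."""
    # 1. GET must never change state: that is what makes the one-click
    #    <img src> reboot possible in the first place.
    if method.upper() != "POST":
        return False, "state change must use POST (GET via <img src> rejected)"
    # 2. The request must come from the device's own pages.
    if not same_origin(headers, device_host):
        return False, "missing or foreign Origin/Referer"
    # 3. A secret bound to the session must be echoed back; compared in
    #    constant time so the check itself leaks nothing about the token.
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: the cross-site image fetch, then a legitimate one.
    print(authorize_action("GET", {"Referer": "http://attacker.example/"}, {}, "t0k3n"))
    print(authorize_action("POST", {"Origin": "http://modem.example.lan"},
                           {"csrf_token": "t0k3n"}, "t0k3n"))
```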


Regards,
David Longenecker

Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
<https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
