Security researchers at Lyrebirds
The problem is caused by a buffer overflow in a service that provides access to spectrum analyzer data, which lets operators diagnose problems and account for the level of interference on the cable connection. The service handles requests via JSON-RPC and only accepts connections from the internal network. Exploiting the vulnerability in the service turned out to be possible due to two factors - the service was not protected from the use of "
The "DNS rebinding" technique allows, when a user opens a certain page in a browser, a WebSocket connection to be established with a network service on an internal network that is not directly reachable from the Internet. To bypass the protections browsers use to prevent leaving the scope of the current domain (
After being able to send a request to the modem, an attacker can exploit a buffer overflow in the spectrum analyzer handler, which allows code to be executed as root at the firmware level. After that, the attacker gains full control over the device, allowing him to change any settings (for example, spoof DNS responses by redirecting DNS to his server), disable firmware updates, change the firmware, redirect traffic, or intercept network connections (MITM).
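A defender-side illustration of the rebinding step described above (an added example, not code from Lyrebirds or from the article): one standard mitigation is for the internal JSON-RPC WebSocket service to reject handshakes whose Host or Origin header does not name the device's own address, since a browser that reached the modem through a rebound DNS name still sends the attacker's domain in those headers. The device addresses and port are assumed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample values (hypothetical, not taken from the article): the
# addresses and port on which the modem's internal WebSocket service listens.
DEVICE_HOSTS = {"192.168.100.1", "192.168.0.1"}
DEVICE_PORT = 8080


def parse_handshake(raw: bytes) -> dict:
    """Return the header fields of an HTTP/WebSocket upgrade request (names lower-cased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def split_host_port(value: str) -> tuple:
    """Split a Host header into (host, port); handles the '[v6]:port' form."""
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        return host, rest.lstrip(":")
    if value.count(":") == 1:
        host, _, port = value.rpartition(":")
        return host, port
    return value, ""


def check_handshake(raw: bytes) -> tuple:
    """Decide whether to accept the upgrade request. Returns (accepted, reason)."""
    h = parse_handshake(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    host, port = split_host_port(h.get("host", ""))
    # DNS rebinding: the browser connected to our IP, but the Host header still
    # carries the attacker's domain name. Only our own address literals are valid.
    if host not in DEVICE_HOSTS or (port and port != str(DEVICE_PORT)):
        return False, "host header does not name this device"
    # Browsers always send Origin on WebSocket handshakes; a foreign origin means
    # a web page, not the operator's diagnostic tool, initiated the connection.
    origin = h.get("origin")
    if origin is not None:
        o = urlsplit(origin)
        if o.hostname not in DEVICE_HOSTS or (o.port or DEVICE_PORT) != DEVICE_PORT:
            return False, "origin not allowed"
    return True, "ok"
```

A non-browser client on the LAN (no Origin header, correct Host) is still accepted, so the operator's own tooling keeps working.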
The vulnerability is present in the generic Broadcom handler, which is used in the firmware of cable modems from various manufacturers. In the process of parsing incoming WebSocket requests in JSON format, due to improper data validation, the tail of the parameters specified in the request can be written to an area outside the allocated buffer and overwrite part of the stack, including the return address and saved register values.
The vulnerability is currently confirmed in the following devices that were available during the study:
- Sagemcom F@st 3890, 3686;
- NETGEAR CG3700EMR, C6250EMR, CM1000;
- Technicolor TC7230, TC4400;
- COMPAL 7284E, 7486E;
- Surfboard SB8200.
Source: opennet.ru