Cable Haunt Attack to Take Control of Cable Modems

Security researchers at Lyrebirds have disclosed vulnerabilities (CVE-2019-19494) in cable modems based on Broadcom chips that allow an attacker to take full control of the device. According to the researchers, about 200 million devices in Europe, used by various cable operators, are affected. The researchers have prepared a script that checks a modem by testing whether the problematic service is active, as well as a working exploit prototype that carries out the attack when a specially crafted page is opened in the user's browser.

The problem is caused by a buffer overflow in a service that provides access to spectrum analyzer data, which operators use to diagnose problems and measure the level of interference on the cable connection. The service handles requests via JSON-RPC and only accepts connections from the internal network. Exploitation of the vulnerability turned out to be possible due to two factors: the service was not protected against "DNS rebinding" because of incorrect use of WebSocket, and in most cases it granted access based on a predefined engineering password common to all devices of the model range (the spectrum analyzer is a separate service on its own network port, usually 8080 or 6080, with its own engineering password that is unrelated to the password of the administrator web interface).

The "DNS rebinding" technique allows, when a user opens a certain page in a browser, a WebSocket connection to be established with a network service on the internal network that is not directly reachable from the Internet. To bypass the browser's protections against leaving the scope of the current domain (cross-origin restrictions), the attacker's DNS server alternates between two IP addresses for the same hostname: the first request is answered with the real IP of the server hosting the page, and subsequent requests with the internal address of the device (for example, 192.168.10.1). The time to live (TTL) of the first response is set to the minimum value, so when the page is opened the browser resolves the real IP of the attacking server and loads the page content. JavaScript on the page waits for the TTL to expire and then sends a second request to the same hostname, which now resolves to 192.168.10.1; because the hostname is unchanged, the browser treats it as the same origin, and the script reaches the service inside the local network, bypassing the cross-origin restriction.
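The two defences that the paragraph above implies, shown as an added example (this is not code from the Lyrebirds researchers or from any modem firmware): a LAN-only service validating the Host and Origin headers of the handshake, and a resolver-side filter flagging a name that flips from a public to an internal address. The device address 192.168.10.1, the name modem.local and port 8080 are assumptions for the example, and all sample requests and DNS answers are constructed.

```python
"""Defensive checks against the DNS rebinding attack described above.

Added example, not code from the Lyrebirds researchers or from any modem
firmware. Two independent layers are shown on constructed sample data:

1. Service side: a LAN-only HTTP/WebSocket service rejects requests whose
   Host header is not one of the names or addresses the device actually
   serves, and rejects WebSocket handshakes whose Origin is not on an
   allow-list. In a rebinding attack the browser keeps sending the
   attacker's hostname in Host and Origin even after the name has been
   re-pointed at 192.168.10.1, so either check stops the request.
2. Resolver side: a filter over observed DNS answers that flags a name
   flipping from a public address to an internal one (the alternating
   answers the attacker's DNS server returns), in the spirit of the
   stop-dns-rebind option of dnsmasq.

The device address 192.168.10.1, the name modem.local and the port 8080
are assumptions for the example.
"""
import ipaddress
from urllib.parse import urlsplit

# Names/addresses on which the hypothetical device answers (constructed).
ALLOWED_HOSTS = {"192.168.10.1", "modem.local"}
# Origins (scheme://host[:port]) allowed to open a WebSocket (constructed).
ALLOWED_ORIGINS = {
    "http://192.168.10.1", "http://192.168.10.1:8080",
    "http://modem.local", "http://modem.local:8080",
}


def check_request(headers):
    """Return (accepted, reason) for one request.

    `headers` maps lowercase header names to values, as a WebSocket server
    would see them during the HTTP upgrade handshake.
    """
    # urlsplit handles "host:port" and bracketed IPv6 literals uniformly
    # and lowercases the hostname for comparison.
    host = urlsplit("//" + headers.get("host", "")).hostname or ""
    if host not in ALLOWED_HOSTS:
        return False, "Host %r is not a name this device serves" % host
    if headers.get("upgrade", "").lower() == "websocket":
        # Browsers always send Origin on a WebSocket handshake and page
        # scripts cannot change it, so it is a reliable signal here.
        origin = headers.get("origin")
        if origin is None:
            return False, "WebSocket handshake without Origin header"
        if origin.lower() not in ALLOWED_ORIGINS:
            return False, "Origin %r is not allowed" % origin
    return True, "ok"


def is_internal(ip):
    """True for addresses that should never be the answer for a public name."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified)


def rebinding_flips(answers, local_suffixes=(".local", ".lan")):
    """Flag names that resolved to a public address and later to an internal one.

    `answers` is an iterable of (qname, ip) pairs in arrival order, as a
    resolver or DNS log would produce. Names under `local_suffixes` are
    expected to map to internal addresses and are never flagged.
    """
    seen_public = set()
    flagged = []
    for qname, ip in answers:
        name = qname.lower().rstrip(".")
        if name.endswith(local_suffixes):
            continue
        if is_internal(ip):
            if name in seen_public and name not in flagged:
                flagged.append(name)
        else:
            seen_public.add(name)
    return flagged


if __name__ == "__main__":
    # Constructed handshake as a rebinding page would produce it: the browser
    # still names the attacker's host even though it now resolves internally.
    attack = {"host": "attacker.example", "origin": "http://attacker.example",
              "upgrade": "websocket"}
    legit = {"host": "192.168.10.1:8080", "origin": "http://192.168.10.1",
             "upgrade": "websocket"}
    print(check_request(attack))   # rejected on the Host header
    print(check_request(legit))    # accepted
    # Constructed DNS log showing the alternating answers for one name.
    log = [("attacker.example", "93.184.216.34"),
           ("attacker.example", "192.168.10.1"),
           ("modem.local", "192.168.10.1")]
    print(rebinding_flips(log))    # ['attacker.example']
```

The Host check alone defeats the rebinding described above, because the victim's browser addresses the modem under the attacker's hostname; the Origin check additionally covers a page served from some other device on the LAN. The resolver filter is the network-level counterpart and is what options such as dnsmasq's stop-dns-rebind implement for a whole network at once.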

After gaining the ability to send requests to the modem, an attacker can exploit the buffer overflow in the spectrum analyzer handler to execute code as root at the firmware level. The attacker then has full control over the device and can change any settings (for example, redirect DNS to their own server to spoof DNS responses), disable firmware updates, replace the firmware, redirect traffic, or intercept network connections (MITM).

The vulnerability is present in the generic Broadcom handler used in the firmware of cable modems from various manufacturers. When parsing incoming WebSocket requests in JSON format, improper validation of the data allows the tail of the parameters specified in the request to be written beyond the allocated buffer, overwriting part of the stack, including the return address and saved register values.

The vulnerability has so far been confirmed in the following devices, which were available to the researchers for study:

  • Sagemcom F@st 3890, 3686;
  • NETGEAR CG3700EMR, C6250EMR, CM1000;
  • Technicolor TC7230, TC4400;
  • COMPAL 7284E, 7486E;
  • Surfboard SB8200.

Source: opennet.ru