Attack exploits backdoor support account, CSRF and XSS flaws

Apr 9, 2015 14:15 GMT  ·  By

Vulnerabilities have been found in Surfboard SBG6580 series cable modem manufactured by Motorola Home (now owned by ARRIS), which allow an attacker to take complete control of the device; one of the flaws is a backdoor account with hard-coded credentials designed for technician support.

The modem has a four-port 10/100/1000 Ethernet switch and integrates an advanced firewall. It is intended as a complete solution for home users’ networking needs.

Internal IP address needed to carry out the attack

Researchers at Rapid7 have tested the device and discovered that its security can be bypassed by exploiting a set of three vulnerabilities. Apart from the backdoor account, the list also includes persistent cross-site scripting (XSS) and CSRF (cross-site request forgery) flaws.

Taking advantage of the glitches permits the threat actor to gain access to the device remotely, even if the victim is not authenticated in the web-based administrative interface.

All the attacker needs to know is the internal gateway IP address, whose default value (192.168.0.1) often remains unchanged.

“It's important to stress that, taken separately, these vulnerabilities are not all that unusual for embedded devices with web management interfaces. Taken together, though, an attacker can perform malicious network reconfigurations,” Rapid7’s Tod Beardsley wrote on Wednesday.

PoC created, module for Metasploit added

Since there is no CSRF protection (CVE-2015-0965) present for the device’s log-in page, an arbitrary website can initiate the authentication action on behalf of the user.

Pre-installed accounts with preset passwords (CVE-2015-0966) are a known issue with these devices. The products tested by the researchers came with “technician” as the username and “yZgO8Bvj” as the password.

After logging in, the attacker can exploit the persistent XSS flaw in the configuration page for the firewall to inject malicious JavaScript code, which would permit running any supported commands.
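As an added illustration (not code from Rapid7, Motorola or ARRIS), a minimal login handler with the two checks whose absence makes the login CSRF possible: the browser-reported origin must be the gateway itself, and the form must carry a token bound to the visitor's session. The gateway origin, the session dictionary and the request shapes are constructed assumptions; 192.168.0.1 is the default address given above.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example: the gateway's own management origin. 192.168.0.1 is the
# default LAN address named in the article; the http scheme is an assumption.
GATEWAY_ORIGIN = "http://192.168.0.1"

def issue_csrf_token(session):
    """Bind a fresh random token to the pre-login session; the login form
    embeds it in a hidden field that a page on another site cannot read."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def _request_origin(headers):
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    if headers.get("Origin"):
        return headers["Origin"].rstrip("/")
    parts = urlsplit(headers.get("Referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None

def login_allowed(headers, form, session):
    """Two checks the SBG6580 login page lacked: the browser-reported origin
    must be the gateway itself, and the form must carry the session's token."""
    if _request_origin(headers) != GATEWAY_ORIGIN:
        return False  # cross-site or origin-less POST: refuse
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False  # token missing, stale or forged
    return True

def demo():
    """Constructed requests: a legitimate form post and two forged ones."""
    session = {}
    token = issue_csrf_token(session)
    legit = login_allowed({"Origin": GATEWAY_ORIGIN},
                          {"user": "admin", "csrf_token": token}, session)
    # An attacker page auto-submitting the form sends its own Origin and
    # cannot know the session-bound token (attacker.example is constructed).
    forged = login_allowed({"Origin": "http://attacker.example"},
                           {"user": "technician"}, session)
    # Same-origin Referer but no token (replayed old form): also refused.
    stale = login_allowed({"Referer": GATEWAY_ORIGIN + "/login.html"},
                          {"user": "admin"}, session)
    return {"legit": legit, "forged": forged, "stale": stale}
```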

Proof-of-concept (PoC) code has been written by the researchers to demonstrate the validity of an attack exploiting the three weaknesses, and a module for the Metasploit penetration testing software has already been published, so the procedure can be run automatically.

Rapid7 discovered the problems on January 3, 2015, and tried to contact the manufacturer 20 days later. In February, the security experts presented their findings to CERT/CC, which also assigned identification numbers to the vulnerabilities.