
Exploit that gives remote access affects ~ 200 million cable modems, Ars Technica




Cable Haunt lets attackers take complete control when targets visit booby-trapped sites.




Hundreds of millions of cable modems are vulnerable to critical takeover attacks by hackers halfway around the world, researchers said. The attacks work by luring vulnerable users to websites that serve malicious JavaScript code that's surreptitiously hosted on the site or hidden inside of malicious ads, researchers from Denmark-based security firm Lyrebirds said in a report and accompanying website. The JavaScript then opens a websocket connection to the vulnerable cable modem and exploits a buffer overflow vulnerability in the spectrum analyzer, a small server that detects interference and other connectivity problems in a host of modems from various makers. From there, remote attackers can gain complete control over the modems, allowing them to change DNS settings, make the modem part of a botnet, and carry out a variety of other nefarious actions.

Cable Haunt, as the researchers have named their proof-of-concept exploit, is known to work on various firmware versions of the following cable modems: Sagemcom F@st

Cross-origin resource sharing prevents a Web application from one origin from working on a different origin (such as 192. . 1, the address used by most or all of the vulnerable modems). Websockets, however, are not protected by CORS, as the mechanism is usually called. As a result, the modems will accept the remote JavaScript, allowing attackers to reach the endpoint and serve it code. While Cable Haunt accesses modems through a browser, the attack can come from any place where running code can reach an IP on the local network.

The attack does not work when vulnerable targets use Firefox, because the websocket used by that browser is not compatible with the websocket used by the spectrum analyzer. Attackers can still carry out their remote attack by using JavaScript that carries out what's known as a DNS rebinding attack. To bypass the same-origin policy (a restriction that prevents code served from one domain from executing on a different domain), the rebinding attack manipulates DNS tables inside the local network. Because the attack site's domain address is mapped to the IP of the vulnerable modem, the JavaScript will execute the attack code successfully.

Besides the buffer overflow, the attack is possible because of known default credentials used to execute code on modems. These default credentials are simply added to the URL used by the attack code, e.g.: http://username:[email protected]. Lyrebirds cofounder Kasper Tendrup told me he believes there are other methods for making the attack work remotely.

The proof-of-concept exploit uses other clever tricks to work. Because of the memory structure of the MIPS assembly language that runs the spectrum analyzer, the attack code must know the precise memory address of the vulnerable code. (Normally, a buffer overflow exploit would be written directly to the memory stack.) To bypass the restriction posed by this memory structure, Cable Haunt uses return-oriented programming to move between pre-existing pieces of code and then create a patchwork of existing code. Once attackers exploit the vulnerability, they send commands to the modem's telnet server to install a reverse shell. From there, attackers can do all kinds of things, including, but not limited to, changing the DNS settings, installing completely new firmware, making the modem participate in a botnet, and monitoring unencrypted data that passes through the modem.

million modems

The Lyrebirds research suggests that Cable Haunt works against as many as 200 million modems in Europe alone. The attack may work against a larger number of modems deployed throughout the rest of the world. Determining if a modem not on the Lyrebirds list is vulnerable isn't easy for average users because it requires them to run this PoC code against the device.
Detecting hacked modems is also tough since there are a variety of ways to mask the infection once attackers gain root access on a device.
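The two weaknesses the article leans on, websocket handshakes that are not subject to CORS and DNS rebinding that lets a foreign page reach the modem under the attacker's domain name, both have the same device-side fix: the embedded server must validate the handshake itself. The following is an added example written for this page, not code from Ars Technica, Lyrebirds, or any modem vendor. It is a hypothetical validator for WebSocket upgrade requests; the device address, the allowed origin, the `/ws` path and the `evil.example` domain are constructed assumptions. It checks the `Origin` header (browsers always send it on a websocket handshake, but only the server can enforce it) and checks that the `Host` header names the device itself, which is what a rebound page gets wrong.

```python
# Added example (hypothetical, not from the article or any vendor): server-side
# validation of a WebSocket upgrade request, the check that closes the gap the
# article describes. Browsers do not apply CORS to websocket handshakes, so the
# device has to check the Origin header itself; a DNS-rebound page reaches the
# device with the attacker's domain in the Host header, so that is checked too.
from typing import Dict, Tuple

DEVICE_ADDRESSES = {"192.168.100.1", "localhost"}  # constructed: names the device answers to
ALLOWED_ORIGINS = {"http://192.168.100.1"}          # constructed: pages allowed to open sockets


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a lowercased header map."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_name(host_header: str) -> str:
    """Strip an optional :port from a Host header value (IPv4 or hostname only)."""
    return host_header.rsplit(":", 1)[0] if host_header.count(":") == 1 else host_header


def validate_handshake(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a WebSocket upgrade request."""
    request_line, headers = parse_request(raw)
    if not request_line.startswith("GET "):
        return False, "not a GET request"
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    if "upgrade" not in headers.get("connection", "").lower():
        return False, "missing Connection: Upgrade"
    # DNS rebinding defence: a rebound page arrives with the attacker's domain in Host.
    host = headers.get("host", "")
    if host_name(host) not in DEVICE_ADDRESSES:
        return False, f"unexpected Host header: {host!r}"
    # Cross-origin defence: the browser sends Origin but never enforces it for
    # websockets, so the server must compare it against an allowlist.
    origin = headers.get("origin")
    if origin is None:
        return False, "missing Origin header"
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin!r}"
    return True, "accepted"


def make_request(host: str, origin: str) -> bytes:
    """Build a constructed websocket upgrade request for the scenarios below."""
    return (
        "GET /ws HTTP/1.1\r\n"          # constructed path, not the modem's real endpoint
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Origin: {origin}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n"
    ).encode()


# Three constructed scenarios: a page served by the device itself, a page on a
# foreign origin connecting straight to the device's IP, and a DNS-rebound page
# whose own domain now resolves to the device.
LOCAL_PAGE = make_request("192.168.100.1", "http://192.168.100.1")
CROSS_ORIGIN = make_request("192.168.100.1", "https://evil.example")
REBOUND = make_request("evil.example", "https://evil.example")

if __name__ == "__main__":
    for label, req in (("local page", LOCAL_PAGE), ("cross-origin", CROSS_ORIGIN), ("rebound", REBOUND)):
        print(f"{label:>12}: {validate_handshake(req)}")
```

Only the first scenario is accepted. The cross-origin request fails the `Origin` allowlist even though it reaches the device's real IP, and the rebound request fails the `Host` check because the browser fills `Host` with the domain the page was loaded from, not the address it happened to resolve to. Rejecting on either header is cheap and needs no change to the browser.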
