CABLE HAUNT –
Cable Haunt lets attackers take complete control when targets visit booby-trapped sites.
Cable Haunt, as the researchers have named their proof-of-concept exploit, is known to work on various firmware versions of the following cable modems:
- Sagemcom F@st
- Technicolor TC
- Netgear C…EMR
- Netgear CG…EMR
- Compal …E (the exploit may also work against other Compal models)

Because the spectrum analyzer server is present in other cable modems, the exploit is likely to work on other models as well. Lyrebirds' proof-of-concept attack works reliably against the Technicolor TC and the Sagemcom F@st; with tweaks, the attack code will work on the other models listed as vulnerable.

Complete control

"The vulnerability enables remote attackers to gain complete control of a cable modem, through an endpoint on the modem," Lyrebirds researchers wrote. "Your cable modem is in charge of the Internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participat[e] in botnets."

There are at least two ways the exploit can gain remote access, meaning it can be carried out over the Internet by an attacker who is outside the local network.

The first and most straightforward way is to serve malicious JavaScript that causes the victim's browser to connect to the modem. Normally, the browser's same-origin policy, which is relaxed only through cross-origin resource sharing (CORS), prevents a Web application from one origin (such as malicious.example.com) from reading responses from a different origin (such as the modem's 192.… address on the local network). Cable Haunt gets around this restriction with a DNS rebinding attack. The browser enforces the same-origin policy by comparing scheme, host name and port, not IP addresses, so the attack changes what the host name resolves to: the attacker's own DNS server first answers with the address of the attacker's web server (using a very short time to live) and, once the page has loaded, answers the same name with the modem's local IP address. Because the attack site's domain is now mapped to the IP of the vulnerable modem, the page's JavaScript can talk to the modem as if it were its own origin, and the attack code executes successfully.

Besides the buffer overflow, the attack is possible because of known default credentials that the modems accept for the interface used to execute code. These default credentials are simply added to the URL used by the attack code, e.g.: http://username:password@<modem IP>/ Lyrebirds cofounder Kasper Tendrup told me he believes there are other methods for making the attack work remotely.

The proof-of-concept exploit uses other clever tricks to work. The spectrum analyzer runs on a MIPS processor, and because of the memory layout of that platform the exploit cannot simply write shellcode onto the stack and jump to it, as a straightforward buffer-overflow exploit would; instead, the attack code must know the precise memory addresses of code that already exists in the firmware. Cable Haunt therefore uses return-oriented programming: it chains together short pre-existing code fragments, each ending in a return instruction, so that the patchwork of existing code does the work the exploit needs.

Once attackers exploit the vulnerability, they send commands to the modem's telnet server to install a reverse shell. From there, attackers can do all kinds of things, including, but not limited to, changing the DNS settings, installing completely new firmware, making the modem participate in a botnet, and monitoring unencrypted data that passes through the modem.

200 million modems

The Lyrebirds research suggests that Cable Haunt works against as many as 200 million modems in Europe alone. The attack may work against a larger number of modems deployed throughout the rest of the world. Determining whether a modem not on the Lyrebirds list is vulnerable isn't easy for average users, because it requires them to run the PoC code against the device.
Detecting hacked modems is also tough since there are a variety of ways to mask the infection once attackers gain root access on a device.
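The DNS rebinding step described above, simulated in Node.js as an added example (this is not Lyrebirds' code and not the Cable Haunt proof of concept). It models an attacker-controlled authoritative DNS server, a browser that caches DNS answers by TTL and checks the same-origin policy on scheme, host and port only, and the resolver-side defence of dropping answers that map a public name to a private address. The host name attacker.example, the addresses 203.0.113.10 and 192.168.100.1, the /analyzer path and the timings are all constructed for the example and are not taken from the article.

```javascript
// Added example: simulation of DNS rebinding against a modem on the local network.
// Not the Cable Haunt PoC. Names, addresses, path and timings are constructed.

const HOST = "attacker.example";      // attacker's domain, served by the attacker's DNS
const ATTACKER_IP = "203.0.113.10";   // attacker's web server (documentation range)
const MODEM_IP = "192.168.100.1";     // assumed local address of the modem (hypothetical)

// Attacker's DNS: the first answer points at the attacker's web server with a
// zero TTL, forcing the browser to ask again; every later answer points at the modem.
function makeRebindingResolver() {
  let queries = 0;
  return (name) => {
    if (name !== HOST) return null;
    queries += 1;
    return queries === 1 ? { ip: ATTACKER_IP, ttl: 0 } : { ip: MODEM_IP, ttl: 60 };
  };
}

// RFC 1918 and loopback ranges; a public name resolving into them is suspicious.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Rebinding protection of the kind resolvers such as dnsmasq offer (--stop-dns-rebind):
// refuse the answer rather than hand the browser a private address for a public name.
function withRebindProtection(resolve) {
  return (name) => {
    const answer = resolve(name);
    return answer && isPrivateIPv4(answer.ip) ? null : answer;
  };
}

// Minimal browser model: a TTL-honouring DNS cache and an origin check that
// compares scheme://host:port, never the IP the request is actually sent to.
function makeBrowser(resolve, clock) {
  const cache = new Map();
  const lookup = (name) => {
    const hit = cache.get(name);
    if (hit && hit.expires > clock()) return hit.ip;
    const answer = resolve(name);
    if (!answer) throw new Error(`resolution refused for ${name}`);
    cache.set(name, { ip: answer.ip, expires: clock() + answer.ttl });
    return answer.ip;
  };
  return {
    // Returns where the request goes on the wire and whether script sees it as same-origin.
    request(url, pageOrigin) {
      const u = new URL(url);
      return { origin: u.origin, ip: lookup(u.hostname), sameOrigin: u.origin === pageOrigin };
    },
  };
}

// Attack timeline: load the booby-trapped page, wait out the TTL, then let the page's
// script talk to "its own" origin, which DNS now maps to the modem.
function runAttack(resolve) {
  let t = 0; // simulated clock in seconds
  const browser = makeBrowser(resolve, () => t);
  const pageOrigin = `http://${HOST}`;
  const page = browser.request(`http://${HOST}/`, pageOrigin);
  t += 1; // the zero-TTL answer has expired; the next request resolves the name again
  const modem = browser.request(`http://${HOST}/analyzer`, pageOrigin); // path is hypothetical
  return { page, modem };
}

// Without protection the second request reaches the modem yet passes the origin check.
console.log(runAttack(makeRebindingResolver()));

// With protection the rebound answer is dropped and the script never reaches the modem.
let blocked = false;
try {
  runAttack(withRebindProtection(makeRebindingResolver()));
} catch (e) {
  blocked = true;
}
console.log("blocked by rebind protection:", blocked);
```

The point the simulation makes is that the origin check is satisfied by name while routing happens by address, and the attacker controls the mapping between the two over time. On the device side the matching defence is to reject requests whose Host header is not the modem's own address; on the network side it is a resolver that refuses private answers for public names, as the protected run shows.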