Security warning: 135 million ARRIS cable modems worldwide can be attacked remotely - Vulnerability warning - the black bar safety net

2016-04-15T00:00:00
ID MYHACK58:62201673656
Type myhack58
Reporter Anonymous
Modified 2016-04-15T00:00:00

Description

A security vulnerability has been found in ARRIS SURFboard cable modems that lets an attacker remotely attack about 135 million devices worldwide. Security expert David Longenecker explained that a very popular cable modem produced by ARRIS (formerly Motorola) contains a security vulnerability affecting a vast number of devices. The ARRIS SB6141 costs about $70, supports 150 Mbps network speeds, and is widely used by network providers in the United States. An attacker can use the vulnerability in the ARRIS SURFboard modem to attack the equipment remotely and take a device offline for up to thirty minutes. More than 135 million devices could be affected. Because of a cross-site request forgery vulnerability, an attacker can reboot a SURFboard modem remotely without authorization.

Longenecker describes it in his blog: “Rebooting the device remotely is a very simple thing and does not even need a password. The modem's IP address is fixed and the user cannot change it; in addition, the web UI does not require a user name and password to access the management interface. So in this case, by means of the modem's cross-site request forgery vulnerability, a remote attack on the device becomes very easy.”

Vulnerability one: unauthorized login

Unauthorized attackers can get into the modem's user interface: a local attacker can reach the administrator interface at 192.168.100.1 without authorization.

“Once someone is on the local network, restarting the modem, and so denying access to services, becomes simple. A modem restart may take 3 minutes, and during those 3 minutes the network will not connect. In addition, activities that are sensitive to service interruptions, such as long downloads or teleconferences, will be affected and interrupted.” The address involved is 192.168.100.1/reset.htm, the expert adds.

This means that a local attacker can reset the device. In addition, the attacker can use social engineering to trick victims into clicking on the link below to achieve the same result:

http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+the Defaults

Recovering from this reset is a long process: it may take up to half an hour, and in some cases ISP support is needed before service returns to normal.

Vulnerability two: cross-site request forgery

Longenecker also found a second vulnerability in the SURFboard modem: CSRF. An attacker can exploit this vulnerability to issue the above commands without being logged in to the device's user interface.

“In this case, the user can reach the admin interface and restart the device by clicking on a link. The modem does not check that an instruction was issued from the management interface. A request issued from inside the interface cannot be told apart from any other, and therefore cross-site requests are possible.”

“Did you know that the browser does not care whether an image file is really an image? So it is easy to reset the modem through an image file.” The PoC is as follows:

<img src="http://192.168.100.1/reset.htm">

Of course, this is not a real image, but the browser does not know that. The browser therefore requests the "image" from the modem, and that request causes the modem to restart.

The good news is that the vulnerability is very easy to fix: a firmware update from the manufacturer will resolve the modem's unauthenticated reboot and cross-site request forgery issues. The bad news is that end users cannot upgrade the device themselves, so this burden naturally falls on the ISP.
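The checks whose absence the article describes (no login, a reboot triggered by a plain GET, no test of where a request came from) can be written down as one server-side decision. The following is an added example, not ARRIS firmware or Longenecker's code; the function names, the session record and the forum.example origin are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.100.1"  # management address named in the article

def new_session():
    """Hypothetical session record, created only after a successful login."""
    return {"authenticated": True, "csrf_token": secrets.token_hex(16)}

def same_origin(headers):
    """True only if Origin (or, failing that, Referer) is the device itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == DEVICE_ORIGIN

def authorize_state_change(method, headers, session, form):
    """Return (allowed, reason) for a reboot or factory-reset request."""
    if method != "POST":
        return False, "state change requires POST"  # stops image-style GETs
    if not session or not session.get("authenticated"):
        return False, "login required"
    if not same_origin(headers):
        return False, "cross-site request"
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, session["csrf_token"].encode()):
        return False, "bad CSRF token"
    return True, "ok"

def evaluate_samples():
    """Run constructed requests (not captured traffic) through the check."""
    s = new_session()
    own = {"Origin": DEVICE_ORIGIN}
    foreign = {"Origin": "http://forum.example"}
    samples = [
        ("GET", {"Referer": "http://forum.example/thread"}, None, {}),  # image load
        ("POST", own, None, {}),                                        # no login
        ("POST", foreign, s, {"csrf_token": s["csrf_token"]}),          # cross-site
        ("POST", own, s, {"csrf_token": "guess"}),                      # wrong token
        ("POST", own, s, {"csrf_token": s["csrf_token"]}),              # legitimate
    ]
    return [authorize_state_change(*req) for req in samples]

if __name__ == "__main__":
    for allowed, reason in evaluate_samples():
        print(allowed, reason)
```

Only the last constructed request is accepted; the image-style GET fails at the first check, before authentication or origin is even considered.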