
[Developing] Broadcom modems susceptible to hijacking via buffer overflow

rcmaehl

Source:

ZDnet

Reddit
Mitre CVE

CableHaunt

 

Summary:
A buffer overflow in modems running Broadcom-based software reportedly allows an attacker to hijack consumer modems over the internet. Broadcom has since patched the vulnerability, but it is not yet known whether ISPs have pushed patches.

Quotes/Excerpts:

Quote

Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. The vulnerability enables remote attackers to gain complete control of a cable modem. The vulnerable endpoint is exposed to the local network, but can be reached remotely due to improper websocket usage. Through malicious communication with this endpoint, a buffer overflow can be exploited to gain control of the modem. An estimated 200 million modems may be or might have been vulnerable in Europe alone. However, it is very hard to give a precise estimate. The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modem manufacturers when creating their cable modem firmware. This means that we have not been able to track the exact spread of the vulnerability, and that it might present itself in slightly different ways for different manufacturers.

Once control has been achieved by an attacker, it can be abused in many ways. Some examples are:
 

  • Change default DNS server
  • Conduct remote man-in-the-middle attacks
  • Hot-swap code or even the entire firmware
  • Upload, flash, and upgrade firmware silently
  • Disable ISP firmware upgrade
  • Change every config file and settings
  • Get and Set SNMP OID values
  • Change all associated MAC Addresses
  • Change serial numbers
  • Be exploited in botnet

 

Technical:


Cable Haunt targets a vulnerable middleware running on the chip, which is used in many cable modems all over the world. The Broadcom cable modem middleware (CM) is a real-time operating system which runs all networking tasks, such as the DOCSIS protocol, IP stack etc. Along with the Broadcom middleware there usually exists a separate subsystem in the architecture, which is responsible for various things depending on the manufacturer. The CM handles all of the networking protocols and the connection to the CMTS, including firmware upgrades and keeping track of dynamic settings such as BPI+ and DOCSIS. The CM runs on an embedded multi-threaded operating system called eCos, which is widely used in embedded networking products. This OS separates applications into tasks with a fixed maximum stack size for each thread, and applications can use malloc to allocate space on the heap. Applications are compiled directly into the .text part of the OS itself, meaning that the application layer is directly a part of the OS. This OS employs few protections against potential exploits, e.g. no address space layout randomization (ASLR), no protection against stack smashing, allowing stack execution etc. The specific target of this exploit is the tool called the spectrum analyzer, which can be exploited through a buffer overflow. The intended purpose of the spectrum analyzer is to identify potential problems with the connection through the cable, such as interference. Requests to the spectrum analyzer are sent as JSON through a websocket. However, the JSON deserializer used in the spectrum analyzer allocates a predefined amount of memory for each parameter, but will keep reading input parameters until a comma (,) is reached. This can be exploited with a malicious request. The CM architecture saves called registers on the stack and restores these before returning.
Therefore, if we overwrite the variable registers S0-S7 and the return address register saved on the stack, we can run any existing code in the system with our desired input variables. Through return oriented programming we are able to execute existing code on the system in a Turing-complete manner and manipulate the system extensively. This can be used to open a telnet server for external root access to the CM, allowing remote access to the system. The CM itself is not exposed directly to the internet, and can only be accessed from within the local network. This should not be considered a security measure, as the local network is not always protected. Cable Haunt gains access to the local network by having the victim execute malicious code in their browser. While cross-origin resource sharing (CORS) rules usually prevent this attack, all cable modems listed...were found vulnerable to DNS rebinding attacks and direct JavaScript requests.

 

My Thoughts:
A pretty rough attack. Even my own modem is running the OS mentioned in the article. However, it doesn't seem that I have the application easily accessible, and thankfully the brand of modem I use has randomized passwords. Regardless, this could easily affect millions of people.

Edited by rcmaehl
Add ZDNet

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
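The excerpt above describes the flaw as a JSON deserializer that reserves a fixed amount of memory per parameter but keeps copying until it reaches a comma. The following is an added example, not code from the Cable Haunt research, Broadcom, or any modem firmware: a minimal C model of that pattern next to a bounded reader that rejects oversized values instead of writing past the buffer. The buffer size, the field names (startFreq, stopFreq) and the request strings are constructed assumptions for illustration.

```c
/* Added example (not code from the Cable Haunt research or any Broadcom
 * firmware): a deliberately minimal model of the flaw described in the
 * excerpt, a JSON-ish parameter reader that copies into a fixed-size buffer
 * until it sees a comma, next to a bounded version that rejects oversized
 * values. Buffer size, field names and request text are constructed. */
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 16   /* assumed fixed allocation per parameter */

/* Vulnerable pattern: stops only at ',' (or end of input), never at the
 * end of the destination, so a value longer than PARAM_MAX-1 bytes runs
 * past 'out'. Returns the number of bytes copied. Only ever called with
 * short input here; its only purpose is to show the missing bound. */
size_t read_param_unchecked(const char *in, char *out)
{
    size_t n = 0;
    while (*in != '\0' && *in != ',')
        out[n++] = *in++;
    out[n] = '\0';
    return n;
}

/* Hardened version: the copy is bounded by the destination size, and a
 * value that would not fit (including its NUL terminator) is rejected
 * rather than silently truncated. Returns bytes copied, or -1 on an
 * oversized value (the buffer is left as an empty string in that case). */
int read_param_checked(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    while (*in != '\0' && *in != ',') {
        if (n + 1 >= outsz) {   /* no room for this byte plus the NUL */
            out[0] = '\0';
            return -1;
        }
        out[n++] = *in++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Locate the value of a named field in a flat "name":value,... request.
 * Returns a pointer just past "name": or NULL if the field is absent. */
const char *find_field(const char *request, const char *name)
{
    char key[64];
    int k = snprintf(key, sizeof key, "\"%s\":", name);
    if (k < 0 || (size_t)k >= sizeof key)
        return NULL;
    const char *p = strstr(request, key);
    return p ? p + k : NULL;
}

/* Parse one field of a request into a fixed buffer with the checked reader.
 * Returns 1 if the value was accepted, 0 if it is missing or oversized. */
int parse_request(const char *request, const char *name, char *out, size_t outsz)
{
    const char *v = find_field(request, name);
    if (v == NULL)
        return 0;
    return read_param_checked(v, out, outsz) >= 0;
}

int main(void)
{
    /* Constructed sample requests; the field names are assumptions. */
    const char *benign = "{\"startFreq\":93000000,\"stopFreq\":99000000}";
    const char *oversized = "{\"startFreq\":AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,\"stopFreq\":1}";
    char buf[PARAM_MAX];

    if (parse_request(benign, "startFreq", buf, sizeof buf))
        printf("accepted: startFreq=%s\n", buf);
    if (!parse_request(oversized, "startFreq", buf, sizeof buf))
        printf("rejected: startFreq value longer than %d bytes\n", PARAM_MAX - 1);
    return 0;
}
```

The point of the bounded reader is that the limit is the destination's size, not a delimiter in attacker-controlled input; rejecting the request outright is preferable to truncating, because a silently truncated frequency value would still be handed to the analyzer as if it were valid.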


 


Would this be vulnerable to motherboards with Broadcom chips? 

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200MHz CL16-18-18-36 2x8GB
CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctua Industrial PPC 3000 PWM
Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


4 hours ago, williamcll said:

Would this be vulnerable to motherboards with Broadcom chips? 

No. This exploit is within the Broadcom Spectrum Analyzer application within modems. It's extremely unlikely Broadcom is including coax diagnostic software in Windows Ethernet chipset drivers.


I wonder how long it'll be until security is taken seriously among the hardware vendors. It's not like black/white hats find the exploits out of the goodness of their hearts. 


#BountyProgram

 

Cor Caeruleus Reborn v6


CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


5 hours ago, ARikozuM said:

I wonder how long it'll be until security is taken seriously among the hardware vendors. It's not like black/white hats find the exploits out of the goodness of their hearts. 


#BountyProgram

 

This is a software problem. There have been and always will be bugs within software leading to these exploits. It's up to the manufacturers to fix these errors ASAP, though.


Hi rcmaehl,

Are the randomized passwords you talk about for the admin panel of the modem? Because this vulnerability doesn't care about that password; it still works. If the spectrum analyzer (a diagnostic tool) is running on your modem, you are probably vulnerable.

The spectrum analyzer may be password protected, but usually a default username and password like spectrum:spectrum or admin:password is used. The spectrum analyzer is usually running on http://192.168.100.1:8080, http://192.168.0.1:8080 or http://192.168.100.1:6080 or something like that.

You can use nmap -p- 192.168.100.1 to port scan or use this tool to check: https://github.com/Lyrebirds/cable-haunt-vulnerability-test.
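The post above suggests checking your own modem by port scanning its management address. As an added example, not the Lyrebirds test tool and not code from anyone in this thread, here is a small C TCP connect probe with a timeout that tries the address and port combinations quoted above on your own LAN and reports whether anything answers. A loopback listener is included so the probe can be exercised offline; the 1500 ms timeout is an arbitrary choice. An open port only means the service is reachable, so the result is a prompt to ask your ISP about the patch, not a verdict on whether the modem is vulnerable.

```c
/* Added example (not the Lyrebirds test tool or any code from the thread):
 * a TCP connect probe with a timeout, used to check whether the management
 * addresses and ports named in the post answer on your own LAN. A loopback
 * listener is included so the probe can be exercised offline. POSIX only. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if a TCP connection to host:port completes within timeout_ms,
 * 0 if it is refused or times out, -1 on a local error (bad address, no socket). */
int probe_tcp(const char *host, int port, int timeout_ms)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1)
        return -1;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* Non-blocking connect so a silent host cannot stall the check. */
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);

    int result = 0;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        result = 1;                      /* connected immediately (loopback) */
    } else if (errno == EINPROGRESS) {
        struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
        if (poll(&pfd, 1, timeout_ms) > 0) {
            int err = 0;
            socklen_t len = sizeof err;
            /* SO_ERROR tells us whether the handshake finished or was refused. */
            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0)
                result = 1;
        }
    }
    close(fd);
    return result;
}

/* Helper for the offline self-check: listen on 127.0.0.1 on an ephemeral
 * port, store the port in *port_out and return the listening fd (caller closes). */
int start_loopback_listener(int *port_out)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                     /* let the kernel pick a free port */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    socklen_t len = sizeof sa;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 4) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

int main(void)
{
    /* Candidate endpoints quoted in the post: the modem's usual management
     * addresses on the local network. */
    const struct { const char *host; int port; } candidates[] = {
        {"192.168.100.1", 8080}, {"192.168.0.1", 8080}, {"192.168.100.1", 6080},
    };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        int up = probe_tcp(candidates[i].host, candidates[i].port, 1500);
        printf("%s:%d -> %s\n", candidates[i].host, candidates[i].port,
               up == 1 ? "answers (ask your ISP whether the firmware is patched)"
               : up == 0 ? "no answer" : "probe error");
    }
    return 0;
}
```

Running this from a machine on the modem's LAN is equivalent to the three most interesting lines of the nmap output the post mentions; nmap -p- remains the better choice when you want to see every listening port, including the ones the later reply notes are only open during boot.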

 


1 hour ago, Zanderdk said:

Hi rcmaehl,

Are the randomized passwords you talk about for the admin panel of the modem? Because this vulnerability doesn't care about that password; it still works. If the spectrum analyzer (a diagnostic tool) is running on your modem, you are probably vulnerable.

The spectrum analyzer may be password protected, but usually a default username and password like spectrum:spectrum or admin:password is used. The spectrum analyzer is usually running on http://192.168.100.1:8080, http://192.168.0.1:8080 or http://192.168.100.1:6080 or something like that.

You can use nmap -p- 192.168.100.1 to port scan or use this tool to check: https://github.com/Lyrebirds/cable-haunt-vulnerability-test.

 

 

Thanks for the tool. This wasn't available 24 hours ago. My modem is pretty locked down according to nmap: only port 80 once live, but several ports are open during the boot process (including SSH and telnet). I'll definitely do some additional testing this evening.


1 minute ago, comander said:

For the record... this is a lot of people. 
The SB6183s I got both of my parents are affected. This'll be fun... no idea if it's automatically patched by the ISP or if I have to do something. 

If your ISP is appropriately applying patches to their version of the software running on it then you should be fine as Broadcom reportedly patched when initially disclosed to them. Which ISPs properly update their modems is yet to be seen.


Is it bad that I read this and my first thought was... "Who the hell still uses dialup"

 

Yeah it clicked a second later but still...


On 1/10/2020 at 8:29 PM, comander said:

For the record... this is a lot of people. 
The SB6183s I got both of my parents are affected. This'll be fun... no idea if it's automatically patched by the ISP or if I have to do something. 

Can you write an email to me, Alexander Krog, at akrog(at)lyrebirds(dot)dk (author of the exploit) with the following information:

ip and port to access the spectrum analyzer

sw version of the SB6183

ips and country

Thank you very much
