Multiple Vulnerabilities on "Cablemodem Motorola SBG900"

Started by Preth00nker, 1 May 2010, 22:05 PM


Preth00nker

////////////////////////////////////////////////////////////////////////////////
///////       Multiple Vulnerabilities on "Cablemodem Motorola SBG900"
///////                       preth00nker[at]gmail.com
///////                  By preth00nker .. Using Mexican Skill :]
///////
////////////////////////////////////////////////////////////////////////////////


   [Introduction]

>>Quoted from http://broadband.motorola.com/consumers/products/sbg900/
"The Surfboard(R) SBG wireless cable modem gateway offers a fast and secure
connection, with the convenience and flexibility of wireless networking all in
one, Roam throughout home or office without losing your network connection."


   [Features]

This modem offers an administration web page where the current configuration is
shown/edited. This can be accessed through a conventional web browser on port
80 at the URL: http://192.168.0.1 (default).


   [The validation]

This portal requires an administrator account. Upon successful authentication a
unique session ID is issued; it has an expiration time limit, but it is not
tracked for the client machine (as a cookie or something).


   [The input validation error]

An attacker can take advantage of a bad input validation vulnerability in the
hostname field. Any person can change the hostname, for example on Linux by editing
the file /etc/hostname. This would be reflected in the modem administration page
in Gateway/status.


   [Vulnerabilities]

- HTML injection
- XSS
- XSRF
- Not enough Session/Source validation


   [PoCs]

- HTML injection
Editing the /etc/hostname (on my box) and adding some stuff like:
   "<H1>Hellow-world"

- XSS
By inspecting the source code of the Gateway/status page we can see that the
injected string is reflected in 2 places. They first pass through a JavaScript
function that prints the string in a table, so the HTML injection is notable in
the table, and the XSS can be invoked from the original function. Try:
   "+window.location.search+" (using quotes)

- XSRF
If we use the previous string we will take the arguments of the current page; we
can see the session ID printed in the table, and it could be used in some illicit
GET/POST method.

- Not enough Session/Source validation
Once we get the session ID, we could just use our session from another machine
like this:
   http://102.168.0.1/left.asp?sessionId=xxxxx


   [Confirmed Affected versions (firmware)]

Model: SURFboard SBG900
Software version: SBG900-2.1.15.0-SCM00-NOSH
Hardware version: 3

Greats: hkm [hakim.ws], nitorus [nitr0us.blogspot.com]
   [EOF]
follow the URL https://www.underground.org.mx/index.php?action=dlattach;topic=25186.0;attach=3037 to get the PoC
mov [MyBrain], IA
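As an added illustration of the two classes of issue the post above describes (the hostname reflected unescaped into a JavaScript string and into a table cell, and a session ID that is honoured from any client), here is example Python that is not the modem's firmware and not the author's PoC: a vulnerable render beside a hardened one, and a minimal session store that binds a session to the client address it was issued to and to an expiry time. The `showHost` JavaScript function name, the helper names, the sample hostnames and the client addresses are all constructed for this example.

```python
import html
import json
import secrets
from dataclasses import dataclass
from typing import Dict

# Constructed sample inputs. MALICIOUS_HOSTNAME has the shape the post
# describes: it closes a JS string literal and splices in an expression.
BENIGN_HOSTNAME = "laptop-01"
MALICIOUS_HOSTNAME = '"+window.location.search+"'
HTML_HOSTNAME = "<H1>Hellow-world"


def render_status_unsafe(hostname: str) -> str:
    """Vulnerable form: the hostname is dropped straight into a JS string
    literal, so a quote in the value ends the literal early."""
    return f'<script>showHost("{hostname}");</script>'


def render_status_safe(hostname: str) -> str:
    """Hardened form: json.dumps yields a JS string literal with quotes and
    backslashes escaped; '<' and '>' are additionally unicode-escaped so the
    value can never form a closing </script> tag inside the literal."""
    js_literal = json.dumps(hostname)
    js_literal = js_literal.replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>showHost({js_literal});</script>"


def render_table_cell_unsafe(hostname: str) -> str:
    # Vulnerable form: raw value inside markup (the HTML injection case).
    return f"<td>{hostname}</td>"


def render_table_cell_safe(hostname: str) -> str:
    # Hardened form: entity-encode before writing into markup.
    return f"<td>{html.escape(hostname, quote=True)}</td>"


def js_argument_stays_string(page: str, expected: str) -> bool:
    """Check helper: extract the argument passed to showHost(...) and verify
    it is still ONE string literal whose value equals the original hostname.
    If the value broke out of the literal, the argument is no longer valid
    JSON and this returns False."""
    start = page.index("showHost(") + len("showHost(")
    end = page.index(");", start)
    argument = page[start:end]
    try:
        return json.loads(argument) == expected
    except ValueError:
        return False


@dataclass
class Session:
    session_id: str
    client_ip: str
    expires_at: float


class SessionStore:
    """Session IDs bound to the issuing client and to an expiry time, which is
    the check the post says the modem lacks (the ID is accepted from any
    machine). Time is passed in explicitly so the logic is deterministic."""

    def __init__(self, ttl_seconds: float = 600.0) -> None:
        self.ttl_seconds = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def create(self, client_ip: str, now: float) -> str:
        # 128-bit random ID; never derive it from the client or the clock.
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = Session(session_id, client_ip, now + self.ttl_seconds)
        return session_id

    def validate(self, session_id: str, client_ip: str, now: float) -> bool:
        session = self._sessions.get(session_id)
        if session is None:
            return False
        if now >= session.expires_at:
            del self._sessions[session_id]  # expired: drop it
            return False
        # The request must come from the same client the ID was issued to.
        return secrets.compare_digest(session.client_ip, client_ip)


if __name__ == "__main__":
    for name, value in (("benign", BENIGN_HOSTNAME), ("malicious", MALICIOUS_HOSTNAME)):
        print(name, "unsafe ok:", js_argument_stays_string(render_status_unsafe(value), value))
        print(name, "safe   ok:", js_argument_stays_string(render_status_safe(value), value))
    print(render_table_cell_unsafe(HTML_HOSTNAME), "->", render_table_cell_safe(HTML_HOSTNAME))
    store = SessionStore()
    sid = store.create("192.168.0.10", now=1000.0)
    print("same client:", store.validate(sid, "192.168.0.10", now=1200.0))
    print("other client:", store.validate(sid, "192.168.0.20", now=1200.0))
```

The JSON-based check is deliberately simple: it answers only whether the rendered argument is still a single string literal with the original value, which is exactly the property the unsafe render loses. Binding the session to the client address is the minimal fix for the "use our session from another machine" case; carrying the ID in a cookie instead of a URL parameter would additionally keep it out of `window.location.search`, which is where the post's payload reads it from.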

WHK

uuuuuh if we made a tutorial for every modem or router vulnerable to web attacks we would have to make a forum just for that xDDD, it's hard to find one of these devices without a WEB vulnerability.

But thanks a lot for the info anyway.