
ARRIS SURFboard 6141 Modem Denial Of Service

Posted Apr 5, 2016
Authored by David Longenecker

ARRIS SURFboard 6141 broadband cable modems suffer from a cross site request forgery vulnerability that allows an attacker to force a reboot.

tags | advisory, csrf
MD5 | 41e06da698d6ea142cc66aa52be28084

ARRIS (formerly Motorola) SURFboard 6141 broadband cable modems, with the
latest firmware deployed by Time Warner Cable, have a LAN-side web UI at a
fixed IP address that does not require authentication. The UI also has a
cross-site request forgery vulnerability through which it is possible to
reboot the modem with one click.

It is also possible to factory reset the modem with a simple
unauthenticated URL. This causes a longer outage while the modem
renegotiates with the ISP - which can in certain cases even require calling
the ISP to initiate the reactivation.

The vendor describes the SB6141 as the "#1 selling modem," with over 135
million units sold. However, MITRE informed me that this product line is
currently not in scope for CVE assignment, so there is no CVE identifier for
these vulnerabilities.

The following proof of concept website includes the reboot command as the
src attribute to an img tag. As such, VISITING THIS POC LINK WILL REBOOT
THE LOCAL CABLE MODEM:

http://RebootMyModem.net

Caveats: this flaw affects the consumer-oriented, LAN-side administrative
interface, which only supplies diagnostic data and logs, along with reboot
and factory reset functions. This is NOT the ISP-oriented, WAN-side
interface. This has been demonstrated on a SURFboard 6141 modem running
SB_KOMODO-1.0.6.14-SCM01-NOSH, the current firmware deployed to Time Warner
Cable customers. Other models and other ISPs may or may not have the same
design flaw.

Details, screen shots of the UI as it is intended to be used, suggested
iptables rules to limit exposure, and a complete disclosure timeline are at
the following link (without exploitation):

http://www.securityforrealpeople.com/rebootmymodem


Regards,
David Longenecker

Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
<https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen
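
The proof of concept works because a browser requests an img tag's src automatically, so one defender-side check is to flag pages whose auto-fetched resources point into private address space. The following is an added example, not part of the original advisory; the address ranges, the sample page and the path /hypothetical-action are constructed for illustration and are not the modem's actual address or URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# IPv4 ranges a public web page should not be loading resources from:
# RFC 1918 private space, link-local and loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

# (tag, attribute) pairs the browser fetches on page load, with no click.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"),
              ("embed", "src"), ("link", "href"), ("object", "data")}

def is_local_target(url):
    """True if the URL's host is an IP literal inside LOCAL_NETS."""
    try:
        host = urlsplit(url.strip()).hostname
        return bool(host) and any(
            ipaddress.ip_address(host) in net for net in LOCAL_NETS)
    except ValueError:
        return False  # DNS name or malformed URL; resolution is out of scope

class LocalRefFinder(HTMLParser):
    """Collects auto-fetched references that target local address space."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value and is_local_target(value):
                self.hits.append((tag, name, value))

def find_local_refs(html):
    finder = LocalRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page: address and path are placeholders.
SAMPLE = """<html><body>
<img src="https://cdn.example.com/logo.png">
<img src="http://10.0.0.1/hypothetical-action" width="1" height="1">
<a href="http://192.168.1.1/status">needs a click, so not flagged</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_local_refs(SAMPLE):
        print(f"auto-fetched <{tag} {attr}> targets local address: {url}")
```

The check only catches IP literals; a hostname that resolves to a private address would need a resolution step at the proxy or resolver.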

