
Scientific Atlanta DPC2100 Cable Modem Cross Site Request Forgery

Posted May 25, 2010
Authored by Dan Rosenberg

The Scientific Atlanta DPC2100 Cable Modem suffers from cross site request forgery and insufficient authentication vulnerabilities.

tags | exploit, vulnerability, csrf
advisories | CVE-2010-2025, CVE-2010-2026
MD5 | bc54b454b787a236cb2a8e47e43a8a32

===============================================================
Scientific Atlanta DPC2100 Cable Modem
Cross-Site Request Forgery and Insufficient Authentication
May 24, 2010
CVE-2010-2025, CVE-2010-2026
===============================================================

==Description==

Scientific Atlanta, a Cisco company (www.cisco.com), produces the WebSTAR line
of cable modems, which are widely deployed by cable providers, especially for
home usage.  Certain versions of the firmware for the DPC2100 model feature a
web interface that is vulnerable to the following issues.  Testing was
performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303.  Other
WebSTAR modems and firmware versions may be vulnerable as well.

1. Cross-site request forgery (CSRF).  Several features provided by the web
interface fail to properly establish sessions that restrict access to
authorized users, including forms for changing the administrative password,
resetting the modem, and installing new firmware.  An attacker may create a
malicious website that, when visited by a victim, updates these settings on the
victim's modem on the victim's behalf, without their authorization and without
any additional user interaction.  This can be used to deny service by resetting
the modem or wiping the firmware, to change the default administrative
password, or potentially to steal information from the victim by installing
malicious firmware.  This issue has been assigned CVE-2010-2025.

2. Insufficient authentication. The modem's access control scheme, which has
levels numbered from 0-2 (or 0-3 on some other models), is not properly checked
before performing operations that should require authentication, including
resetting the modem and installing new firmware. The modem requires the proper
access level to access web interface pages containing forms that allow a user
to perform these actions, but does not properly authenticate the pages that
actually carry out these actions. By sending a POST request directly to these
pages, these actions may be performed without any authentication. Attacks may
be performed by an attacker on the local network or by leveraging the CSRF
vulnerability. This issue has been assigned CVE-2010-2026.
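
The two issues above, seen from the device side, as an added example (not code from the advisory or from the vendor's firmware): a request gate that checks the access level on the action handler itself and refuses cross-site POSTs. The session structure, the `csrf_token` field, the `/access_form.asp` page and the ordering of level numbers are assumptions; only `/goform/_aslvl` and `http://192.168.100.1` come from the advisory.

```python
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGINS = {"http://192.168.100.1"}  # management address from the advisory
# Minimum access level per path (assumption: higher number = more privilege).
# Handlers are listed as well as form pages; unlisted /goform/ paths are denied.
REQUIRED_LEVEL = {
    "/access_form.asp": 2,  # hypothetical page that renders the form
    "/goform/_aslvl": 2,    # handler path shown in the advisory
}

def new_session(level):
    """Server-side session state with a per-session anti-CSRF token (assumed design)."""
    return {"level": level, "csrf_token": secrets.token_urlsafe(32)}

def _origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""

def gate(method, path, headers, form, session):
    """Decide one request; session is None for an unauthenticated caller."""
    required = REQUIRED_LEVEL.get(path)
    if required is None:
        if path.startswith("/goform/"):
            return (False, "unlisted action handler")
        return (True, "public page")
    # Insufficient-authentication fix: check the level on the handler itself.
    if session is None or session["level"] < required:
        return (False, "insufficient access level")
    if path.startswith("/goform/") and method != "POST":
        return (False, "handlers accept POST only")
    if method == "POST":
        # CSRF fix: require a same-origin request plus a token only our form carries.
        origin = headers.get("Origin") or _origin_of(headers.get("Referer", ""))
        if origin not in DEVICE_ORIGINS:
            return (False, "cross-site request")
        sent = form.get("csrf_token", "")
        if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
            return (False, "missing or wrong CSRF token")
    return (True, "ok")

def demo():
    s = new_session(2)  # constructed requests: direct, cross-site, legitimate
    same, other = {"Origin": "http://192.168.100.1"}, {"Origin": "http://other.example"}
    body = {"SAAccessLevel": "0", "csrf_token": s["csrf_token"]}
    return [gate("POST", "/goform/_aslvl", same, body, None),
            gate("POST", "/goform/_aslvl", other, body, s),
            gate("POST", "/goform/_aslvl", same, body, s)]
```

`demo()` returns the decision for a direct unauthenticated POST, a cross-site POST riding an authenticated session, and a legitimate same-origin POST, in that order.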

==Identifying Vulnerable Installations==

Most home installations of this modem will feature a web interface that is
accessible at "http://192.168.100.1".  The following proof-of-concept code may
be used to test for vulnerability.  It leverages the CSRF vulnerability to
change the access level of your modem to the most restrictive settings (a
harmless action).  If your modem is vulnerable, then you will be presented with
a message stating that your settings have been successfully updated.  If you
are greeted with a page stating there was a "Password confirmation error", then
your modem password has been changed from the default but you are still
vulnerable.  If you are greeted with an HTTP authentication form or other
message, then your model is not vulnerable.

<html>
<head>
<title>Test for CSRF vulnerability in WebSTAR modems</title>
</head>

<body>

<form name="csrf" method="post" action="http://192.168.100.1/goform/_aslvl">
<input type="hidden" name="SAAccessLevel" value="0">
<input type="hidden" name="SAPassword" value="W2402">
</form>

<script>document.csrf.submit()</script>

</body>
</html>

==Solution==

In most cases, home users will be unable to update vulnerable firmware without
assistance from their cable providers.  If your firmware is vulnerable, contact
your cable provider and request a firmware update to the latest version.  For
the DPC2100R2 modems, the latest version string is
dpc2100R2-v202r1256-100324as.

To prevent exploitation of CSRF vulnerabilities, users are always encouraged
to practice safe browsing habits and avoid visiting unknown or untrusted
websites.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenberg@gmail.com).

Thanks to Matthew Bergin for suggesting I should look at cable modems.

==Timeline==

1/26/10 - Vulnerability reported to Cisco
1/26/10 - Response, issue assigned internal tracking number
2/26/10 - Status update requested
2/26/10 - Response
5/15/10 - Status update requested
5/17/10 - Response, confirmation that newest firmware resolves issues
5/17/10 - Disclosure date set
5/24/10 - Disclosure

==References==

CVE identifiers CVE-2010-2025 and CVE-2010-2026 have been assigned to these
issues.
