Title: Multiple Vulnerabilities on "Cablemodem Motorola SBG900"
Posted by: Preth00nker on 1 May 2010, 22:05

////////////////////////////////////////////////////////////////////////////////
/////// Multiple Vulnerabilities on "Cablemodem Motorola SBG900"
/////// preth00nker[at]gmail.com
/////// By preth00nker .. Using Mexican Skill :]
///////
////////////////////////////////////////////////////////////////////////////////

[Introduction]

>>Quoted from http://broadband.motorola.com/consumers/products/sbg900/
"The Surfboard(R) SBG wireless cable modem gateway offers a fast and secure connection, with the convenience and flexibility of wireless networking all in one. Roam throughout home or office without losing your network connection."

[Features]

This modem offers an administration web page where the current configuration is shown/edited. It can be accessed through a conventional web browser on port 80 at the URL http://192.168.0.1 (default).

[The validation]

This portal requires an administrator account. Upon successful authentication a unique session ID is issued; it has an expiration time limit but it is not tracked per client machine (as a cookie or something similar).

[The input validation error]

An attacker can take advantage of a bad input validation vulnerability in the hostname field. Anyone can change their hostname, for example on Linux by editing the file /etc/hostname. This is reflected in the modem administration page under Gateway/status.

[Vulnerabilities]

- HTML injection
- XSS
- XSRF
- Not enough session/source validation

[PoCs]

- HTML injection
Edit /etc/hostname (on my box) and add some stuff like: "<H1>Hellow-world"

- XSS
By inspecting the source code of the Gateway/status page we can see that the injected string is reflected in 2 places. It first passes through a JavaScript function that prints the string in a table, so the HTML injection is visible in the table, and the XSS can be invoked from the original function.
Try: "+window.location.search+" (using quotes)

- XSRF
If we use the previous string we get the arguments of the current page; we can see the session ID printed in the table, and it could be used in some illicit GET/POST request.

- Not enough session/source validation
Once we get the session ID, we could just use our session from another machine like this:
http://192.168.0.1/left.asp?sessionId=xxxxx

[Confirmed Affected versions (firmware)]

Model: SURFboard SBG900
Software version: SBG900-2.1.15.0-SCM00-NOSH
Hardware version: 3

Greets: hkm [hakim.ws], nitorus [nitr0us.blogspot.com]

[EOF]

Follow the URL https://www.underground.org.mx/index.php?action=dlattach;topic=25186.0;attach=3037 to get the PoC.

Title: Re: Multiple Vulnerabilities on "Cablemodem Motorola SBG900"
Posted by: WHK on 2 May 2010, 04:41

Uuuuuh, if we made a tutorial for every modem or router vulnerable to web attacks we would have to make a forum just for that xDDD; it's hard to find one of these devices without a WEB vulnerability.
But thanks a lot for the info anyway.
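The reflection described in Preth00nker's advisory above, modelled as an added example. This is not code from the advisory, from its PoC attachment, or from the SBG900 firmware: the status page's real script is not shown on this thread, so the example assumes that Gateway/status emits a call such as showHost("<hostname>") by pasting the hostname verbatim into a JavaScript string literal, that it also drops the hostname into a table cell as raw HTML, and that the page URL carries the session ID as a ?sessionId= query parameter. The names showHost, escapeHtml, renderStatus* and the fake window object are made up for this example, and the session ID in SAMPLE_SEARCH is constructed. It shows why the payload "+window.location.search+" ends the literal and concatenates the page's query string (so the session ID lands in the table), and what the hardened rendering looks like next to it.

```javascript
// Added example: reconstruction of the Gateway/status reflection the advisory describes.
// ASSUMPTION: the real page builds  showHost("<hostname>")  by string concatenation and
// writes the hostname into a <td> unescaped. The firmware's actual source is not on the page.

// --- Vulnerable rendering, as the advisory's PoCs imply ---------------------------------

// Hostname pasted into a double-quoted JS string literal with no escaping.
function renderStatusScriptVulnerable(hostname) {
  return 'showHost("' + hostname + '");';
}

// Hostname pasted into the status table as raw HTML ("<H1>Hellow-world" renders as a heading).
function renderStatusCellVulnerable(hostname) {
  return '<td>' + hostname + '</td>';
}

// --- Hardened rendering ---------------------------------------------------------------

// JSON.stringify yields a valid JS string literal (quotes, backslashes and control
// characters escaped); '<' is escaped as well so a hostname cannot close the <script> tag.
function renderStatusScriptHardened(hostname) {
  const literal = JSON.stringify(String(hostname)).replace(/</g, '\\u003c');
  return 'showHost(' + literal + ');';
}

// Standard HTML entity escaping for text placed inside an element.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderStatusCellHardened(hostname) {
  return '<td>' + escapeHtml(hostname) + '</td>';
}

// --- Minimal stand-in for the browser ----------------------------------------------------
// Evaluates the emitted script with a fake `window` (only location.search is modelled)
// and a showHost() that records what the status table would display.
function runStatusScript(script, search) {
  const printed = [];
  const fakeWindow = { location: { search: search } };
  const showHost = function (value) { printed.push(String(value)); };
  new Function('window', 'showHost', script)(fakeWindow, showHost);
  return printed;
}

// Payloads taken from the advisory's PoC section.
const HTML_PAYLOAD = '<H1>Hellow-world';
const XSS_PAYLOAD = '"+window.location.search+"';
// Constructed sample: the admin page's query string with a made-up session ID.
const SAMPLE_SEARCH = '?sessionId=0123456789abcdef';

// Runs both payloads through the vulnerable and hardened renderers and returns the results.
function demo() {
  const leaked = runStatusScript(renderStatusScriptVulnerable(XSS_PAYLOAD), SAMPLE_SEARCH);
  const safe = runStatusScript(renderStatusScriptHardened(XSS_PAYLOAD), SAMPLE_SEARCH);
  return {
    vulnerableScript: renderStatusScriptVulnerable(XSS_PAYLOAD), // showHost(""+window.location.search+"");
    vulnerablePrints: leaked[0],   // the page's own query string, session ID included
    hardenedPrints: safe[0],       // the payload text itself, shown literally
    vulnerableCell: renderStatusCellVulnerable(HTML_PAYLOAD),
    hardenedCell: renderStatusCellHardened(HTML_PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The leak only matters because the session ID travels in the URL and, as the advisory notes, is not bound to the client; once it is visible in the table it can be replayed from another host. Moving the session ID out of the query string (and binding it to the client) closes that half of the chain even if a reflection remains.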