module
Arris / Motorola Surfboard SBG6580 Web Interface Takeover
Disclosed | Created |
---|---|
2015-04-08 | 2018-05-30 |
Description
The web interface for the Arris / Motorola Surfboard SBG6580 has
several vulnerabilities that, when combined, allow an arbitrary website to take
control of the modem, even if the user is not currently logged in. The attacker
must know, or successfully guess, the target's internal gateway IP address.
This is usually the default value of 192.168.0.1.
First, a hardcoded backdoor account was discovered in the source code
of one device with the credentials "technician/yZgO8Bvj". Due to the lack of
CSRF protection in the device's login form, these credentials - along with the
default "admin/motorola" - can be sent to the device by an arbitrary website,
thus logging the user into the router without their knowledge.
Once successfully logged in, a persistent XSS vulnerability is
exploited in the firewall configuration page. This allows injection of
JavaScript that can perform any available action in the router interface.
The following firmware versions have been tested as vulnerable:
SBG6580-6.5.2.0-GA-06-077-NOSH, and
SBG6580-8.6.1.0-GA-04-098-NOSH
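The cross-site login described above works because the login form accepts a POST from any origin. The following is an added example of the server-side check that closes that gap; it is not code from the module or from the device firmware, and the function names, header dictionaries and the single allowed host (the default 192.168.0.1) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only address the gateway's web UI answers on (the default named above).
ALLOWED_HOSTS = {"192.168.0.1"}


def _hostname(url):
    """Parse a URL and return its lower-cased hostname, or None if it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def source_host(headers):
    """Host of the page that sent the request: Origin first, then Referer."""
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value is not None:
            # "null" (opaque origin) and non-http(s) values count as unknown.
            if value.lower().startswith(("http://", "https://")):
                return _hostname(value)
            return None
    return None


def check_login_post(headers, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason) for a POST to the login form."""
    headers = {k.lower(): v for k, v in headers.items()}
    # The Host header must be one of our own addresses; this also rejects
    # foreign DNS names that have been pointed at the gateway.
    host = _hostname("//" + headers.get("host", ""))
    if host not in allowed_hosts:
        return False, "unexpected Host header"
    src = source_host(headers)
    if src is None:
        return False, "missing or opaque Origin/Referer"
    if src != host:  # host-only comparison; scheme and port are ignored here
        return False, "cross-site request from " + src
    return True, "same-origin"


# Constructed request headers, not captured traffic.
SAMPLES = {
    "own login page": {"Host": "192.168.0.1", "Origin": "http://192.168.0.1"},
    "other website": {"Host": "192.168.0.1", "Origin": "http://site.example"},
    "no source header": {"Host": "192.168.0.1"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, check_login_post(hdrs))
```

This check covers only the login step; the persistent XSS in the firewall configuration page is a separate flaw that needs output encoding of stored values.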
Author
joev <joev@metasploit.com>
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
