Posted on Tuesday, January 14 2020 @ 10:49 CET by Thomas De MaesschalckVarious modems are affected, including the Sagemcom F@st 3890, Sagemcom F@st 3686, Technicolor TC7230, Netgear C6250EMR, and Netgear CG3700EMR. The Compal 7284E and Compal 7486E, as well as other model with a spectrum analyzer server may also be vulnerable.
The attack can be performed remotely by luring a victim to a webpage that served a malicious JavaScript. There are at least two ways to exploit it, either by causing the browser to connect to the modem, or if that doesn't work, by doing a DNS rebinding attack.
Once infected, attackers can snoop on unencrypted data, mess with your DNS settings, install new firmware on the modem, enroll you into a botnet, etc.
The proof-of-concept exploit uses other clever tricks to work. Because of the memory structure of the MIPS assembly language that runs the spectrum analyzer, the attack code must know the precise memory address of the vulnerable code. (Normally, a buffer overflow exploit would be written directly to the memory stack.) To bypass the restriction posed by this memory structure, Cable Haunt uses return oriented programming to move between pre-existing pieces of code and then create a patchwork of existing code.Unfortunately, it's not easy to check if your device is vulnerable to Cable Haunt. Additionally, it's hard to detect an infection as there are various ways to mask this. At the moment, there's no patch.
Once attackers exploit the vulnerability, they send commands to the modem's telnet server to install a reverse shell. From there, attackers can do all kinds of things, including changing the DNS settings, installing completely new firmware, making the modem participate in a botnet, and monitoring unencrypted data that passes through the modem.
