About 200 million cable modems hit by remotely exploitable vulnerability

Posted on Tuesday, Jan 14 2020 @ 10:49 CET by Thomas De Maesschalck
ARS Technica warns around 200 million cable modems have a security vulnerability that can be remotely exploited. Called Cable Haunt, the flaw can result in the infection of your cable model simply by visiting a maliciously crafted webpage.

Various modems are affected, including the Sagemcom F@st 3890, Sagemcom F@st 3686, Technicolor TC7230, Netgear C6250EMR, and Netgear CG3700EMR. The Compal 7284E and Compal 7486E, as well as other model with a spectrum analyzer server may also be vulnerable.

The attack can be performed remotely by luring a victim to a webpage that served a malicious JavaScript. There are at least two ways to exploit it, either by causing the browser to connect to the modem, or if that doesn't work, by doing a DNS rebinding attack.

Once infected, attackers can snoop on unencrypted data, mess with your DNS settings, install new firmware on the modem, enroll you into a botnet, etc.
The proof-of-concept exploit uses other clever tricks to work. Because of the memory structure of the MIPS assembly language that runs the spectrum analyzer, the attack code must know the precise memory address of the vulnerable code. (Normally, a buffer overflow exploit would be written directly to the memory stack.) To bypass the restriction posed by this memory structure, Cable Haunt uses return oriented programming to move between pre-existing pieces of code and then create a patchwork of existing code.

Once attackers exploit the vulnerability, they send commands to the modem's telnet server to install a reverse shell. From there, attackers can do all kinds of things, including changing the DNS settings, installing completely new firmware, making the modem participate in a botnet, and monitoring unencrypted data that passes through the modem.
Unfortunately, it's not easy to check if your device is vulnerable to Cable Haunt. Additionally, it's hard to detect an infection as there are various ways to mask this. At the moment, there's no patch.


About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.



Loading Comments