Infosec consulting firm Nomotion has reported vulnerabilities in Arris broadband modems which it says are trivial to exploit and could affect nearly 140,000 devices.
The report claims the modems carry hard-coded credentials, a serious problem since a firmware update turned on SSH by default. That would let a remote attacker access the modem’s cshell service and take a leisurely walk through most of the devices’ controls and levers.
“The username for this access is remotessh and the password is 5SaP9I26”, Nomotion states.
The shell’s capabilities include “viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet” – and there’s also access to a kernel module “whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic.”
That last isn’t in use in the modem, Nomotion’s Joseph Hutchins writes – but the code is present and vulnerable.
The modems in question are the Arris NVG589 and NVG599, which Nomotion notes are provided as standard customer premises equipment for AT&T U-verse customers.
The bugs could have been added by AT&T, the report says, since while “examining the firmware, it seems apparent that AT&T engineers have the authority and ability to add and customize code running on these devices, which they then provide to the consumer (as they should).”
The cshell runs as root, which means any other possible vulnerability in it is also trivial to exploit. For example, Hutchins provides a demonstration of a command injection using its ping functionality.
Source: The Register