Experts discovered easily exploitable flaws in Arris modems distributed by AT&T

Pierluigi Paganini September 01, 2017

Arris modems, routers, and gateways distributed by AT&T’s U-verse service are affected by easy to exploit vulnerabilities.

The vulnerabilities have been reported by researchers at security consultancy Nomotion. The support interfaces are easily accessible over SSH and remote and local attackers could exploit hidden services to hack into the devices.

Experts from Nomotion publicly disclosed the issues and highlighted that ISPs are responsible for ensuring the security of their consumers.

The most important issue of the discovered ones affects the firmware update 9.2.2h0d83 for NVG589 and NVG599 Arris modems,

NVG589 arris modems

The issue enables SSH by default, the firmware also includes hardcoded credentials that allow anyone access to the cshell service on the modems.

“It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem’s “cshell” client over SSH.” reads the report published by Nomotion.”The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic.”

The cshell binary is running as root, this means that any exploitable command, injection vulnerability or buffer overflow will give the allow the attacker to gai a root shell on the device.

Fortunately, the researchers estimate that only 15,000 hosts are vulnerable.

The flaws could be exploited by hackers to recruit affected devices in a botnet that can power several illegal activities.

Experts from Nomotion also found default credentials on the NVG599’s caserver HTTPS server running on port 49955, and a command injection vulnerability in the same webserver.

Below an excerpt from the report about  Command Injection “caserver” https server NVG599.

“Caserver is an https server that runs on port 49955 of affected devices (which seems to only be the NVG599 modem). The caserver script takes several commands, including:

  • Upload of a firmware image
  • Requests to a get_data handler which enumerates any object available in its internal “SDB” databases with a lot of fruitful information
  • Requests to a set_data command which allows changes to the SDB configuration” 

Querying both Shodan and Censys search engines, the experts discovered 220,000 Arris modems vulnerable to this bug.

The experts also discovered an Information disclosure vulnerability in a service running on port 61001 /hardcoded credentials

A separate information disclosure vulnerability in a service running on port 61001 that could be exploited by attackers who know the serial number of the device.

The last bug in the Arris modems is a Firewall bypass that potentially affects all AT&T devices with port 49152 open for remote access and support.

“This program takes a three byte magic value “\x2a\xce\x01” followed by the six byte mac address and two byte port of whichever internal host one would like to connect to from anywhere on The Internet! What this basically means is that the only thing protecting an AT&T U-verse internal network device from The Internet is whether or not an attacker knows or is able to brute-force the MAC address of any of its devices!” continues the analysis.

Experts believe the service was implemented to allow AT&T to connect to the AT&T issued DVR devices which reside on the internal LAN.

“Added to the severity is the fact that every single AT&T device observed has had this port (49152) open and has responded to probes in the same way.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Arris modems, AT&T)

[adrotate banner=”12″]



you might also like

leave a comment