
[Developing] Broadcom modems susceptible to hijacking via buffer overflow





    Mitre CVE




    A buffer overflow in cable modems running Broadcom-based software reportedly allows an attacker to hijack consumer modems over the internet. Broadcom has since patched the vulnerability, but it is not yet known whether ISPs have pushed the fixed firmware to customers' devices.



    Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. The vulnerability enables remote attackers to gain complete control of a cable modem. The vulnerable endpoint is exposed only to the local network, but it can be reached remotely due to improper WebSocket usage. Through malicious communication with this endpoint, a buffer overflow can be exploited to gain control of the modem. An estimated 200 million modems may be, or might have been, vulnerable in Europe alone, although a precise estimate is very hard to give. The reason is that the vulnerability originated in reference software, which has seemingly been copied by different cable modem manufacturers when creating their own firmware. This means that the exact spread of the vulnerability could not be tracked, and that it might present itself in slightly different ways for different manufacturers.

    Once control has been achieved by an attacker, it can be abused in many ways. Some examples are:

    • Change the default DNS server
    • Conduct remote man-in-the-middle attacks
    • Hot-swap code or even the entire firmware
    • Upload, flash, and upgrade firmware silently
    • Disable ISP firmware upgrades
    • Change every config file and setting
    • Get and set SNMP OID values
    • Change all associated MAC addresses
    • Change serial numbers
    • Enrol the modem in a botnet




    Cable Haunt targets a vulnerable middleware running on the Broadcom chip, which is used in many cable modems all over the world. The Broadcom cable modem middleware (CM) is a real-time operating system that runs all networking tasks, such as the DOCSIS protocol and the IP stack. Along with the Broadcom middleware there usually exists a separate subsystem in the architecture, which is responsible for various things depending on the manufacturer. The CM handles all of the networking protocols and the connection to the CMTS, including firmware upgrades and keeping track of dynamic settings such as BPI+ and DOCSIS. The CM runs on an embedded multi-threaded operating system called eCos, which is widely used in embedded networking products. This OS separates applications into tasks with a fixed maximum stack size per thread, and applications can use malloc to allocate space on the heap. Applications are compiled directly into the .text section of the OS itself, meaning that the application layer is directly a part of the OS. The OS employs few protections against exploitation: no address space layout randomization (ASLR), no protection against stack smashing (no stack canaries), and an executable stack.

    The specific target of this exploit is the tool called the spectrum analyzer, which can be exploited through a buffer overflow. The intended purpose of the spectrum analyzer is to identify potential problems with the connection through the cable, such as interference. Requests to the spectrum analyzer are sent as JSON through a WebSocket. However, the JSON deserializer used in the spectrum analyzer allocates a predefined amount of memory for each parameter but keeps reading an input parameter until a comma (,) is reached, so an over-long parameter value runs past its allocation. This can be exploited with a malicious request.

    The CM's calling convention saves the callee-saved registers on the stack and restores them before returning. Therefore, if we overwrite the saved registers S0-S7 and the saved return address on the stack, we can run any existing code in the system with our desired input values. Through return-oriented programming we are able to execute existing code on the system in a Turing-complete manner and manipulate the system extensively. This can be used to open a telnet server for external root access to the CM, allowing remote access to the system.

    The CM itself is not exposed directly to the internet and can only be accessed from within the local network. This should not be considered a security measure, as the local network is not always protected. Cable Haunt gains access to the local network by having the victim execute malicious code in their browser. While the browser's same-origin policy and cross-origin resource sharing (CORS) rules usually prevent a web page from interacting with devices on the local network, WebSocket connections are not restricted by CORS, and all cable modems listed...were found vulnerable to DNS rebinding attacks and direct JavaScript requests.
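    As an added illustration (not code from the Cable Haunt researchers, from Broadcom, or from the article), the following C program models the two defects the passage describes: a deserializer that copies a JSON parameter value until the next comma into a fixed-size allocation, and a stack frame in which that allocation sits just below the callee-saved registers S0-S7 and the return address that the function restores on return. The frame layout, the 16-byte parameter allocation, the caller address 0x1000 and the "gadget" address 0x80401234 are all hypothetical; the real modem is a MIPS target whose byte order and frame layout would have to be taken from the firmware. The hardened reader beside the vulnerable one shows the bounded copy the deserializer should have performed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the frame described in the text: one fixed-size
 * parameter buffer, then the callee-saved registers s0-s7, then the saved
 * return address.  This is a teaching layout, not Broadcom's real frame. */
#define PARAM_LEN 16

struct frame {
    char     param[PARAM_LEN];  /* predefined allocation for one parameter */
    uint32_t saved_s[8];        /* s0-s7, saved by the callee */
    uint32_t saved_ra;          /* return address, restored on return */
};

/* Vulnerable deserializer in the style described: copies until a ','
 * (or '}' / end of string) and never consults PARAM_LEN.  The copy goes
 * through a byte view of the whole frame so the demo stays inside a
 * defined object while modelling the overflow into the saved registers. */
static int read_param_unsafe(struct frame *f, const char *value)
{
    unsigned char *dst = (unsigned char *)f;
    size_t i = 0;
    while (value[i] != '\0' && value[i] != ',' && value[i] != '}' && i < sizeof *f) {
        dst[i] = (unsigned char)value[i];
        i++;
    }
    return 0;
}

/* Hardened version: measure first, reject a value that does not fit
 * (leaving room for the terminator), then copy only the bounded length. */
static int read_param_safe(struct frame *f, const char *value)
{
    size_t len = strcspn(value, ",}");
    if (len >= PARAM_LEN)
        return -1;                          /* reject over-long parameter */
    memcpy(f->param, value, len);
    f->param[len] = '\0';
    return 0;
}

/* Bytes that terminate the copy cannot appear anywhere in the payload. */
static int payload_is_clean(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0 || p[i] == ',' || p[i] == '}')
            return 0;
    return 1;
}

/* Malicious parameter value: filler for the buffer, then the values wanted
 * in s0-s7, then the return address, written in host byte order (on the
 * real MIPS target the order would have to match the modem). */
static size_t build_payload(unsigned char *out, size_t cap, uint32_t s_val, uint32_t ra)
{
    size_t need = PARAM_LEN + 8 * sizeof(uint32_t) + sizeof(uint32_t);
    if (cap < need + 1)
        return 0;
    memset(out, 'A', PARAM_LEN);
    for (int i = 0; i < 8; i++)
        memcpy(out + PARAM_LEN + i * sizeof(uint32_t), &s_val, sizeof s_val);
    memcpy(out + PARAM_LEN + 8 * sizeof(uint32_t), &ra, sizeof ra);
    out[need] = '\0';
    return payload_is_clean(out, need) ? need : 0;
}

#define CALLER_RA 0x1000u   /* hypothetical legitimate return address */

/* Feed one crafted request to the given deserializer; the frame starts
 * out as a legitimate callee frame so changes are visible afterwards. */
static int run_request(int (*reader)(struct frame *, const char *),
                       uint32_t s_val, uint32_t ra, struct frame *out)
{
    unsigned char payload[64];
    memset(out, 0, sizeof *out);
    out->saved_ra = CALLER_RA;
    if (build_payload(payload, sizeof payload, s_val, ra) == 0)
        return -2;                          /* payload contained a terminator byte */
    return reader(out, (const char *)payload);
}

/* Return address and s0 left in the frame by the unsafe copy: attacker controlled. */
uint32_t ra_after_unsafe(uint32_t ra_wanted)
{
    struct frame f;
    run_request(read_param_unsafe, 0x42424242u, ra_wanted, &f);
    return f.saved_ra;
}

uint32_t s0_after_unsafe(uint32_t ra_wanted)
{
    struct frame f;
    run_request(read_param_unsafe, 0x42424242u, ra_wanted, &f);
    return f.saved_s[0];
}

/* Hardened reader: request rejected and the saved registers untouched. */
int safe_rejects(uint32_t ra_wanted)
{
    struct frame f;
    int rc = run_request(read_param_safe, 0x42424242u, ra_wanted, &f);
    return rc == -1 && f.saved_ra == CALLER_RA && f.saved_s[0] == 0;
}

/* Hardened reader still accepts a well-formed short value. */
int safe_accepts_short(void)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    return read_param_safe(&f, "1234,\"next\":5}") == 0 && strcmp(f.param, "1234") == 0;
}

int main(void)
{
    uint32_t gadget = 0x80401234u;          /* hypothetical gadget address */
    printf("unsafe: saved ra = 0x%08x (wanted 0x%08x)\n", ra_after_unsafe(gadget), gadget);
    printf("safe:   rejected with frame intact = %d\n", safe_rejects(gadget));
    return 0;
}
```

    The payload check matters in practice: the copy stops at 0x00, ',' or '}', so a register value or address containing any of those bytes cannot be delivered through this parser, which is the usual bad-character constraint when assembling a ROP chain against a text-based deserializer.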


    My Thoughts:

    A pretty rough attack. Even my own modem is running the OS mentioned in the article. However, it doesn't seem I have the application easily accessible, and thankfully the brand of modem I use has randomized passwords. Regardless, this could easily affect millions of people.
