Vulnerable Systems:
* Comcast DOCSIS 3.0 Business Gateway - D3G-CCR Versions prior to 1.4.0.49.2
Immune Systems:
* Comcast DOCSIS 3.0 Business Gateway - D3G-CCR Version 1.4.0.49.2
Finding 1: Static Credentials
-----------------------------
All D3G-CCR gateways provided by Comcast ship with an administrative account "mso" whose password is "D0nt4g3tme". These credentials are not disclosed to the customer as part of the device installation, nor are customers advised to change them, so the majority of users are unaware that the account exists.
An attacker on the internal network who knows these credentials can modify the device configuration to stage more significant attacks, including redirecting DNS requests, creating a remote VPN termination point, and modifying NAT entries. The credentials grant access both to the web management interface and to a telnet interface that provides a shell on the device; the mso login receives that shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
--------------------------------------------
Numerous management pages on D3G-CCR gateways provided by Comcast lack CSRF protection, allowing an attacker to embed in a web page a request that the browser of a user logged in to the gateway will send to the management interface. Through this, an attacker can modify the device configuration and enable remote administration via a telnet shell and HTTP.
Finding 3: Weak Session Management
----------------------------------
D3G-CCR gateways provided by Comcast use a predictable value to validate the active web management session: the epoch time at which the session began is stored in a cookie named "userid". Because the value is a timestamp, the set of possible valid session IDs is a small, predictable range that can be brute-forced.
Sessions expire within 10 minutes by default, so the attack window for any one session is limited, but the attack can be combined with the other findings above.
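The following Python is an added example, not code from the advisory or from the gateway firmware. It models the "userid" scheme described above (an epoch timestamp as session ID), enumerates every value an unexpired session could carry assuming one-second timestamp resolution (an assumption; the advisory says only "epoch time"), and runs that candidate list against a constructed stand-in for the gateway's cookie check to show how few guesses are needed. A randomly generated ID is shown beside it for contrast.

```python
import secrets

# The advisory states sessions expire within 10 minutes by default.
SESSION_LIFETIME = 600


def weak_session_id(session_start):
    """Session ID as the gateway builds it: the epoch time the session began.
    One-second resolution is an assumption made for this example."""
    return str(int(session_start))


def candidate_session_ids(now, lifetime=SESSION_LIFETIME):
    """Every 'userid' value a still-valid session could hold at time `now`.
    With second resolution and a 10-minute lifetime this is at most 601 values."""
    now = int(now)
    return [str(t) for t in range(now - lifetime, now + 1)]


class SimulatedGateway:
    """Constructed stand-in for the gateway's session check (not the real
    firmware): one active session, validated by cookie equality and expiry."""

    def __init__(self, session_start, now):
        self.session_start = int(session_start)
        self.session_id = weak_session_id(session_start)
        self.now = int(now)

    def is_valid(self, cookie_value):
        if self.now - self.session_start > SESSION_LIFETIME:
            return False  # session has expired
        return cookie_value == self.session_id


def brute_force_session(gateway, now):
    """Try candidate IDs newest-first (a fresh login is the likeliest case).
    Returns (session_id, attempts) on success or (None, attempts) if no
    unexpired session exists."""
    attempts = 0
    for cand in reversed(candidate_session_ids(now)):
        attempts += 1
        if gateway.is_valid(cand):
            return cand, attempts
    return None, attempts


def strong_session_id():
    """What the cookie should carry instead: 256 bits from a CSPRNG, which
    cannot be enumerated from a clock."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed scenario: the administrator logged in 120 seconds ago.
    now = 1_700_000_000
    gw = SimulatedGateway(session_start=now - 120, now=now)
    found, tries = brute_force_session(gw, now)
    print(f"search space: {len(candidate_session_ids(now))} values")
    print(f"recovered userid={found} after {tries} guesses")
    print(f"random alternative: {strong_session_id()}")
```

Against a real device the attacker would replay each candidate in the Cookie header of a management request and stop on the first non-login response; the model above only shows that the search space is a few hundred values, so the 10-minute expiry bounds the effort rather than preventing the attack.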