It would appear that these vulnerabilities were disclosed a few years ago (CVE-2008-2002 and CVE-2006-5196), but my relatively new (1-2 years) Motorola Surfboard SB5101U (verified against both the 101 and 101U), loaded with SB5101NU-18.104.22.168-GA-00-388-NOSH, appears to be vulnerable to the same CSRF’s exposed prior. With no authentication system in place at all, it would appear that a local DoS is not much of a concern to them. It’s interesting that, despite the sudden flood of discovered vulnerabilities in routers, nobody is really taking a look at the other piece of hardware between you and the ISP. As I poked about this modem, I discovered a few other interesting things.
First, here’s the POST to reset the modem to factory defaults:
This can be fixed by simply restoring the configuration to the factory default through the web interface. However: with an incomplete HTTP HEAD request, we can completely DoS the web server rendering any attempt to access it from the local network moot. The code:
Because the web server does not have the entire request, it waits for it in another packet. Which, of course, never arrives. We can test this by removing the Content-Length field, which will automatically then close the socket. Between these two vulnerabilities, the modem is essentially rendered useless until hard booted.