CVE-2019-19495
Description
The web interface on the Technicolor TC7230 STEB 01.25 is vulnerable to DNS rebinding, which allows a remote attacker to configure the cable modem via JavaScript in a victim's browser. The attacker can then configure the cable modem to port forward the modem's internal TELNET server, allowing external access to a root shell.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Technicolor/TC7230 STEB
- Range: = STEB 01.25
Patches
Vulnerability mechanics
Root cause
"Buffer overflow in the Spectrum Analyzer WebSocket handler allows stack smashing and ROP chain execution."
Attack vector
An attacker uses DNS rebinding to bypass the browser's same-origin policy. The attacker lures a victim to visit a malicious website; the website's DNS name initially resolves to the attacker's server, then later resolves to the modem's internal IP (e.g., 192.168.0.1). The victim's browser then sends a crafted WebSocket request to the modem's Spectrum Analyzer endpoint. This request overflows a buffer on the stack, overwrites the return address, and executes a ROP chain that opens a listening TCP port (1337) on the modem. The attacker then connects to that port and sends a MIPS binary payload that provides an interactive root shell via the modem's eCos shell [ref_id=1].
Affected code
The advisory does not specify exact source files or functions. The vulnerable component is the Spectrum Analyzer web interface of the Technicolor TC7230 cable modem running firmware STEB 01.25 [ref_id=1]. The bug is a buffer overflow triggered via WebSocket requests sent to the modem's internal web server.
What the fix does
No patch is provided in the bundle. The advisory notes that firmware version 50.10.21 or newer on related modems should be secure against the Cable Haunt vulnerability [ref_id=1]. The recommended remediation is to update the modem firmware to a version that properly validates WebSocket frame boundaries and enforces origin checks, preventing the buffer overflow in the Spectrum Analyzer component.
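One way to implement the origin checks mentioned above on a WebSocket handshake, as an added example (not vendor code and not taken from the advisory). The function names, the allowlist and the sample headers are assumptions. The check only stops a victim's browser from reaching the endpoint through a rebound name; it does not repair the overflow in the handler.

```python
from urllib.parse import urlsplit

# Assumption: the only name the modem's web interface is legitimately reached by.
ALLOWED_HOSTS = frozenset({"192.168.0.1"})


def _hostname(value):
    """Return the lowercase host from a Host header or Origin URL, else None."""
    if not value:
        return None
    # Origin is a URL ("http://host:port"); Host is just "host[:port]".
    target = value if "://" in value else "//" + value
    try:
        host = urlsplit(target).hostname
    except ValueError:  # malformed bracketed IPv6 literal
        return None
    return host.rstrip(".").lower() if host else None


def check_handshake(headers, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason) for a WebSocket upgrade request's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # After rebinding, the browser still sends the attacker's DNS name as Host.
    if _hostname(h.get("host")) not in allowed_hosts:
        return False, "host-not-allowed"
    # Browsers always send Origin on WebSocket upgrades; require it (policy choice).
    if "origin" not in h:
        return False, "origin-missing"
    if _hostname(h["origin"]) not in allowed_hosts:
        return False, "origin-not-allowed"
    return True, "ok"


# Constructed sample handshakes (not captured traffic).
SAMPLES = {
    "local admin page": {"Host": "192.168.0.1", "Origin": "http://192.168.0.1"},
    "rebound name": {"Host": "rebind.attacker.example:80",
                     "Origin": "http://rebind.attacker.example"},
    "cross-site page": {"Host": "192.168.0.1", "Origin": "http://attacker.example"},
    "no origin": {"Host": "192.168.0.1"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:18} -> {check_handshake(hdrs)}")
```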
Preconditions
- input: The victim must visit a malicious website using a browser that supports WebSocket text frames (Firefox is noted as incompatible with the PoC)
- network: The attacker must control a DNS server that can switch resolution between the attacker's IP and the modem's internal IP
- network: The victim's browser must have network access to the modem's web interface (typically at 192.168.0.1)
- config: The modem must be running firmware version STEB 01.25 (or another version vulnerable to Cable Haunt)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- cablehaunt.com (mitre, x_refsource_MISC)
- github.com/Lyrebirds/Cable-Haunt-Report/releases/download/2.4/report.pdf (mitre, x_refsource_MISC)