Re: RCA cable modem Deny of Service

From: Mario Lorenz (mlat_private)
Date: Wed Mar 27 2002 - 12:38:16 PST


    > Problem:
    > -------
    
    [...]
    > If you connect to the second device (10.x.x.x) on port 80, the RCA cable
    > modem resets the user connection with inet. I proved it with my own wan IP
    > 10.1.1.x and with other cable modem users' IPs in the same wan. All of them reset
    > when I remotely connect to port 80 of the cable modems.
    
    This is probably more a software bug or an annoyance than a DoS vulnerability.
    You should not be allowed to connect to the 10.x.x.x IPs anyway. Your Provider
    can fix this with a simple filter rule either provisioned into each cable
    modem or on the CMTS. It has always been good practice to separate Customer
    networks and Management networks (to which the 10.x.x.x Modem IPs belong).
    That is not cable modem specific. Write an advisory about your Cable Provider
    lacking proper security measures, not about the cable modem :)
    
    > 2- Leak of Information:
    >      I can connect to the wan IP 10.x.x.x of any cable modem user in my node,
    > and take a look at the user's cable modem status information such as:
    [...]
    
    a) see above, about filters to management networks
    b) the information is hardly critical. It basically tells that you have a
       perfect connection.
    
    >      I can search in the MIB table looking for my node server. I know that the
    > node IP starts with 10.x.x.x and I started to search in the MIB. Oops, I found
    > it!
    > 
    > 69.1.4.2.0 = IpAddress: 10.20.250.1
    > 69.1.4.3.0 = IpAddress: 10.20.250.1
    > 69.1.4.4.0 = IpAddress: 10.20.250.1
    > 69.1.4.5.0 = "docsis_light_avalos"
    > 
    >         And then I recognized the word "avalos" because it is the name of the street
    > where the node physically is.
    
    Your Cable Provider did a) not separate the management network and b)
    left the SNMP community strings at their defaults. There is nothing the Cable
    Modem can do about it.
    
    To summarize: Your "advisory" shoots the poor messenger, i.e. your cable modem,
    when your Cable Provider should be, uhm, well, I guess dropping him a note
    should be sufficient :)
    
    Mario
    -- 
    Mario Lorenz                            Internet:    <mlat_private>
                                            Ham Radio:   DL5MLO@OK0PKL.#BOH.CZE.EU
     "I hear that if you play the NT 4.0 CD backwards, you get a Satanic message!"
     "That's nothing. If you play it forward, it installs NT 4.0!"
    
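As an added illustration of the provider-side point made in this thread (not code from either poster): a small audit script that reads an SNMP walk in the same "OID = Type: value" shape quoted above and flags what a walk under a default community string would hand a subscriber, namely addresses inside the assumed 10.0.0.0/8 management network and free-text labels such as site names. The sample walk, its addresses and its label are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of an SNMP walk in the "OID = Type: value" shape quoted
# in the thread; the addresses and label are made up, not the poster's data.
SAMPLE_WALK = """\
69.1.4.2.0 = IpAddress: 10.20.250.1
69.1.4.3.0 = IpAddress: 10.20.250.1
69.1.4.4.0 = IpAddress: 192.0.2.9
69.1.4.5.0 = "docsis_light_avalos"
69.1.4.6.0 = INTEGER: 3
"""

# Assumption: the provider keeps modem management on 10.0.0.0/8, as in the thread.
MANAGEMENT_NET = ipaddress.ip_network("10.0.0.0/8")

# OID, optional ASN.1 type tag, value. A bare quoted value is a string.
LINE_RE = re.compile(r'^(?P<oid>[\d.]+)\s*=\s*(?:(?P<type>[A-Za-z]+):\s*)?(?P<value>.*)$')

def parse_walk(text):
    """Turn walk output into (oid, type, value) tuples, skipping blank or odd lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, typ, value = m.group("oid"), m.group("type"), m.group("value").strip()
        if typ is None and len(value) >= 2 and value[0] == value[-1] == '"':
            typ, value = "STRING", value[1:-1]
        rows.append((oid, typ or "UNKNOWN", value))
    return rows

def find_leaks(text, mgmt_net=MANAGEMENT_NET):
    """Flag values a subscriber should never be able to read off a modem:
    addresses inside the management network and free-text labels (site names)."""
    findings = []
    for oid, typ, value in parse_walk(text):
        if typ == "IpAddress":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # malformed address, nothing to classify
            if addr in mgmt_net:
                findings.append(("management-address", oid, value))
        elif typ == "STRING" and value:
            findings.append(("descriptive-label", oid, value))
    return findings

if __name__ == "__main__":
    for kind, oid, value in find_leaks(SAMPLE_WALK):
        print(f"{kind:20} {oid:12} {value}")
```

Run it against the output of a walk taken from the provider's own side of the network; any finding is a value that the CMTS filter or a non-default community string should have kept from subscribers.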


