I have no idea if this went out somehow, but here it is. I completely apologize if this has been posted in the past. This is the second time I post this one on Bugtraq. It didn't get through for an unknown reason and there aren't any records about it on the SecurityFocus website so I guess it was never posted. The advisory is also available in Word and HTML format at: http://lag.securinet.qc.ca/papers.html David -- Lag Security Advisory Com21 cable modem configuration file feeding vulnerability Release date: November 1, 2002. Vulnerability discovery date: Over six (6) months ago. .systems affected. All Com21 DOXport 1110 cable modems with software version 2.1.1.106. Version 2.1.1.108.003 appears not to be vulnerable. Please note that this vulnerability might affect other vendors’ cable modems. In fact, all cable modems trying to contact a TFTP server on the cable-side of the user are vulnerable. .overview. It is possible for an end-user to feed the cable modem with its own configuration file, and thus, specifying the number of CPE, download/upload speeds, and a few other options. .impact. Well, obviously, the user could have access to features that he does not pay for. .solution. Upgrading the software to version 2.1.1.108.003 or any other software version that is not vulnerable. .complete description. With a given program, an end-user is able to create cable modem configuration files following the DOCSIS standard. With a vulnerable Com21 cable modem, the user can create a TFTP, DCHP and BOOTP server to successfully feed the cable modem with its own configuration file. I used a program called docsis (http://docsis.sourceforge.net/) to first create the configuration file. Then, I used tcpdump (http://www.tcpdump.org/) to capture packets from the wire to discover what boot options were required for my cable modem. I also used an SNMP client to discover the internal IP of my cable modem from the main router. Knowing this, I was also able to view the cable modem web page as well as change SNMP options. With all this load of information, I created a DHCP server (I also added an IP alias to my Ethernet card so that it could give the internal IP to the cable modem), a BOOTP server and finally a TFTP server. After a couple of hard reboots of my cable modem, I could see in my TFTP server logs that the device download its configuration file from my server. I then tried to access the Internet and it worked as normally. .conclusion. Many Internet providers offering cable modem access to the Internet appears not to be aware of those vulnerabilities. I supplied a detailed description of how to exploit the problem for the users to help their network administrators to fix the problem. And as always, if you make crazy things out of this, I am in no way responsible for all your problems.
This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 10:19:18 PST