Re: Hijack IP Address using cable modem (fwd)

From: Keith.Morgan (Keith.Morganat_private)
Date: Thu Apr 19 2001 - 06:20:44 PDT

    Charter cable networks use 3-com cable modems.  Their modems are
    configured/viewed via a lightweight webserver that runs on the cable modem.
    I received a copy of the webserver software from the vendor that provides it
    to 3com but was unable to find any glaring vulnerabilities.  However, this
    appears to be unnecessary on Charter networks.  Charter provides
    addressing via DHCP, but does not lock the IP down to the MAC address of the
    client.  I have tested this on their network, and ARP-reply floods will
    allow a cable modem user to assume the IP address of another customer.  I
    did not attempt to use this for a MiM attack, but it certainly seems
    possible.  ARP storms are common on Charter's networks.  It appears that
    their routers do not cache MAC addresses for very long.
    
    Of course, that could be a result of everyone's DHCP lease expiring in
    tandem, but the ARP storms appear to be much more common than the 3 day
    leases that are assigned.
    
    > -----Original Message-----
    > From: Fred Newtz [mailto:fbnewtzat_private]
    > Sent: Wednesday, April 18, 2001 11:36 PM
    > To: VULN-DEVat_private
    > Subject: Re: Hijack IP Address using cable modem (fwd)
    >
    >
    > I would like to see some of those white papers.  I have been
    > looking for pin outs for the specific chips on a cable modem, and
    > have only found the companies' web site, never finding anything
    > close to a pin out list.  Of course, I can understand why that
    > would not be available, but it has to be around somewhere.
    > ----- Original Message -----
    > From: <listsat_private>
    > To: <VULN-DEVat_private>
    > Sent: Thursday, March 29, 2001 4:26 AM
    > Subject: Re: Hijack IP Address using cable modem (fwd)
    >
    >
    > > I used to be an @home customer using some CyberSurf cable modem and I
    > > looked into the idea of hijacking or spying then.  I found some white
    > > pages on the modem and the modem turned out to have TONS of security
    > > crap to prevent any such MAC address spoofing or even spying as suggested.
    > > It appeared to me then that the engineers had completely thought out these
    > > issues and solved them.  So I gave up on the idea.
    > >
    > >
    > >
    > >
    > > ---------- Forwarded message ----------
    > > Date: Wed, 28 Mar 2001 13:33:34 -0500
    > > From: "Williamson, Glenn" <Glenn.Williamsonat_private>
    > > To: VULN-DEVat_private
    > > Subject: Re: Hijack IP Address using cable modem
    > >
    > >
    > > -----BEGIN PGP SIGNED MESSAGE-----
    > > Hash: SHA1
    > >
    > > Whether Patrick was coming from this point of view is beyond me.
    > >
    > >  You would still have an apparent problem with 2 host machines with
    > > the same IP address (MAC).
    > >
    > >  2 exact IP addresses cause a big problem for routers anyways.  Whoever
    > > gets the packet first responds with a SYN; if 2 SYNs came back, the
    > > original packet would not understand.
    > >
    > >  It falls under the handshake that is expected to establish
    > > communications between 2 different entities: first SYN, SYN ACK, then
    > > SYN; it doesn't work if it goes SYN, SYN ACK - SYN ACK, SYN.
    > >
    > >  If I'm wrong well that was my 2 cents worth.
    > >
    > >  And yes was a @home customer for 2 years
    > >
    > >
    > >  Glenn
    > >
    > >
    > > - -----Original Message-----
    > > From: Patrick Patterson [mailto:ppattersonat_private]
    > > Sent: March 28, 2001 11:31 AM
    > > To: VULN-DEVat_private
    > > Subject: Re: Hijack IP Address using cable modem
    > >
    > >
    > > - -----BEGIN PGP SIGNED MESSAGE-----
    > >
    > > I think I see where Patrick was coming from with this:
    > >
    > > Victim turns on his computer, and gets an IP address.
    > > Cracker, while sniffing the cable segment, notices that IP address foo
    > > is assigned to MAC bar.
    > > Cracker changes his own MAC address to bar, and brings up IP address
    > > foo on this new MAC address (some Ethernet cards have overwritable MAC
    > > addresses).
    > > Since both Cracker and Victim have the same MAC, Cracker gets all
    > > packets for Victim's computer, and is able to impersonate Victim.
    > >
    > >
    > > This is just a slightly more sophisticated IP Address Spoofing
    > > attack.... and
    > > I don't think it will work...
    > >
    > > - From what I know of cable modem networks, there are actually several
    > > parts.
    > >
    > > 1: The cable network - the 'Modem' talks to the cable company's terminal
    > > equipment and ensures that you are a valid subscriber.
    > > 2: The IP network - the routers keep track of which IP and MAC is on
    > > which cable modem - thus making this attack unlikely to succeed....
    > >
    > > I haven't tested this, and might be horribly wrong, but I don't think
    > > so - this is one of those things that looks better in theory than in
    > > practice.  Is anyone from @HOME or ATT around to confirm/deny what I've
    > > written?
    > >
    > > On Wednesday 28 March 2001 09:09, Nick Summy wrote:
    > > > Now I hardly know anything about this subject, so correct me if I'm
    > > > wrong, but I have a few questions.
    > >
    > > <SNIP>
    > >
    > > - - --
    > >
    > > Patrick Patterson Tel: +1 514 485-0789
    > > President, Chief Security Architect Fax: +1 514 485-4737
    > > Carillon Information Security Inc. E-Mail: ppattersonat_private
    > >
    > > - - ----------------- The New Sound of Network Security
    > > - -----------------
    > >   <<  http://www.carillonis.com  >>
    >
    
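As an added example (not code from any poster on this thread), the following is the kind of segment-side monitor a provider or customer could run to notice the two symptoms Keith describes: an IP that suddenly answers from a different MAC, and a burst of ARP replies for one IP. The sample replies, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed ARP-reply observations for a shared segment (not a real capture), as
# (timestamp in seconds, sender IP, sender MAC): the legitimate holder of 10.0.0.5
# answers twice, then a second MAC claims 10.0.0.5 in a rapid burst of replies.
SAMPLE_REPLIES = [
    (0.0, "10.0.0.5", "00:01:02:aa:bb:01"),
    (10.0, "10.0.0.6", "00:01:02:aa:bb:02"),
    (60.0, "10.0.0.5", "00:01:02:aa:bb:01"),   # same binding again: benign
] + [(61.0 + i * 0.1, "10.0.0.5", "00:01:02:cc:dd:99") for i in range(12)]


class ArpMonitor:
    """Track IP->MAC bindings seen in ARP replies and raise two alert types: a
    binding change (an IP now answered by a different MAC) and a reply flood."""

    def __init__(self, flood_count=10, flood_window=5.0):
        self.bindings = {}                 # ip -> MAC most recently seen
        self.recent = defaultdict(deque)   # ip -> reply timestamps inside the window
        self.flooding = set()              # ips currently above the flood threshold
        self.flood_count = flood_count
        self.flood_window = flood_window

    def observe(self, ts, ip, mac):
        """Process one ARP reply (timestamps non-decreasing); return its alerts."""
        alerts = []
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"binding change: {ip} moved from {prev} to {mac}")
        self.bindings[ip] = mac
        window = self.recent[ip]
        window.append(ts)
        while ts - window[0] > self.flood_window:   # drop timestamps that aged out
            window.popleft()
        if len(window) >= self.flood_count:
            if ip not in self.flooding:              # report once per burst
                self.flooding.add(ip)
                alerts.append(f"reply flood: {len(window)} replies for {ip} "
                              f"within {self.flood_window}s")
        else:
            self.flooding.discard(ip)
        return alerts


def run(replies):
    """Feed a sequence of (ts, ip, mac) replies through one monitor; return alerts."""
    monitor = ArpMonitor()
    alerts = []
    for ts, ip, mac in replies:
        alerts.extend(monitor.observe(ts, ip, mac))
    return alerts
```

On a real segment the tuples would come from a packet capture of ARP opcode 2 frames; the binding-change alert is the one that catches a MAC clone, while the flood alert catches the reply storm itself.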



    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 04:15:00 PDT