Any info on Com21 or RCA cable modems? Also, wouldn't it be possible to put a
cable between two cable modems, hook a box up to one of them, switch the other
on, and watch what it transmits over the cable?

pavel

----- Original Message -----
From: "Rev. Chris Cappuccio" <chrisat_private>
To: <VULN-DEVat_private>
Sent: Sunday, April 29, 2001 12:36 AM
Subject: Re: [VULN-DEV] Hijack IP Address using cable modem

> On Sat, 28 Apr 2001, Rajkumar S. wrote:
>
> | Anyone with any experience with this OS? Some bugs are bound to occur.
>
> The Surfboard OS is VxWorks; it seems to be used in many smaller devices that
> need an IP stack.
>
> The web server on the Motorola (formerly General Instruments) Surfboard
> (2000?)/3000/4000 series gives plenty of information about the internal IP
> address scheme for the provider's Hybrid Fiber-Coax network, as well as the
> features of the modem. One interesting piece of information is the TFTP
> server from which the modem grabs its configuration file, and that file's name.
> All DOCSIS cable modems seem to grab a configuration file that is around 120
> bytes in size, and although I have not studied the DOCSIS specification
> closely, I believe this at least tells the modem what uplink and downlink
> speeds to operate at. It must also tell the modem other parameters to use on
> the cable network. Most providers appear to use a generic configuration file
> for many customers.
>
> Further, DOCSIS cable providers use an internal IP address scheme strictly
> for addressing Hybrid Fiber-Coax connected devices like the cable modems and
> bridges. If you can figure out what this network is, for instance from the
> information provided by the web server on your Surfboard, you can talk to
> any cable modem on your network.
>
> This in itself is an interesting security hole, in that you can do
> extensive information gathering, not from other modems' web servers, but from
> SNMP. Install ucd-snmp and try snmpwalk 192.168.100.1 public ! You can get
> most, if not all, of the information that the Surfboard's web server will
> give you, plus a lot more. I've only used the web server on the Surfboard.
> Other modems, like the ever popular Toshiba, still give out extensive
> information via SNMP. It must be hard (read: impractical) for cable vendors
> and providers to secure SNMP over a wide deployment, so this doesn't seem all
> that unusual. But, keep in mind, providers use SNMP for a wide variety of
> tasks to manage the modem, and they use information from the modem to manage
> the network.
>
> For anyone who wants to play with their Motorola Surfboard, just add an IP
> alias on your system as 192.168.100.xx (except .1) and connect to
> 192.168.100.1 to check out the modem. You don't even have to add the alias;
> the Surfboard seems to intercept outgoing connections to 192.168.100.1
> regardless of the MAC address they are intended for. But I don't know how
> reliable this is.
>
> It is of course possible that the Surfboard or other cable modems may be
> vulnerable to some kind of problems where an intruder could change settings
> or even load up new firmware. I think it is likely that they are vulnerable
> to some DoS attacks; I am thinking along the lines of nuke, teardrop, etc.
> Because of the wide open nature of SNMP on these cable modems (e.g. you most
> likely can talk to any cable modem in your area with SNMP if you are on one),
> I do not think very highly of the general security here. Actually, that
> would be understating my opinion. On the positive side, the Surfboard in
> particular does not respond to IP connections coming in to its hybrid
> fiber-coax IP on the web server port, but it does respond to SNMP. I think
> this is specified in DOCSIS.
>
> Motorola's security policy to handle this area is the same (FAILED) policy it
> used with its cell phones: only make modem management information available
> to 'registered users', the cable companies. Motorola has a web site where
> you can download detailed manuals for the Surfboard, but you have to sign up
> and match a registered customer. This policy failed with the cell phones,
> because the information on how to access the internal/debugging features of
> their cell phones was leaked, and that was only in between the times when
> 'unregistered' users were getting the information directly from Motorola,
> after paying lip service to Motorola on their status or intended usage.
>
> I have only glanced at the (freely available online at cablelabs.com)
> specifications for DOCSIS. I don't know how it works in terms of security or
> encryption. I wonder how much is left up to the user (cable modem) versus
> the head end. I imagine that, with more information from Motorola on how to
> access the modem, you could manipulate the speeds that your modem runs at,
> and possibly gain control of the cable network in other ways that are clearly
> not intended for the end user. Cable looks like a can of worms, just like
> cell phones, and the vendors should be held responsible. Stop-gap measures
> like limiting access to the manuals are poor bandaids on more serious
> problems.
>
> If you are going to play with your modem, look at the information from it
> carefully, and keep in mind that your modem has its own MAC address which
> identifies to the cable system who you are (matching back from their database
> with the MAC) and what config file you get from the TFTP server.
>
> ---
> Rev. Chris Cappuccio
> http://www.dqc.org/~chris/
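The ~120-byte configuration file Chris describes, and the speed manipulation he speculates about, both come down to the DOCSIS TLV format of that file. The following is an added example, written for this archive page and not part of the original thread or any vendor code: a small Python encoder/decoder for a constructed DOCSIS 1.x-style config file. It goes a little beyond the thread in showing the class-of-service TLV that carries the downstream/upstream caps and the CM MIC (type 6), which is an unkeyed MD5 over the bytes preceding it and therefore cannot by itself detect a rewritten file; the keyed CMTS MIC (type 7, HMAC-MD5 with a head-end secret) is the check that actually matters and is not modelled here. The type numbers and 4-byte rate widths are DOCSIS 1.0 values as assumed here; every field value, and the file itself, is constructed.

```python
"""DOCSIS configuration-file TLVs: build, parse, verify and rewrite.

Constructed example; the sample file is generated here, not captured from a
cable network.  Assumed DOCSIS 1.0 type numbers:
  3   Network Access Control          4   Class of Service (sub-TLVs)
  6   CM MIC  (MD5, unkeyed)          7   CMTS MIC (HMAC-MD5, keyed; not modelled)
  255 End of data                     0   Pad
Class-of-Service sub-TLVs: 1 class id, 2 max downstream bit/s (4 bytes),
3 max upstream bit/s (4 bytes), 4 upstream priority, 7 privacy enable.
"""
import hashlib

NET_ACCESS, COS, CM_MIC, END, PAD = 3, 4, 6, 255, 0
COS_NAMES = {1: "class_id", 2: "max_down_bps", 3: "max_up_bps",
             4: "up_priority", 5: "min_up_bps", 6: "max_up_burst", 7: "privacy"}


def u8(n):
    return n.to_bytes(1, "big")


def u32(n):
    return n.to_bytes(4, "big")


def tlv(t, value):
    """One type/length/value triple (1-byte type, 1-byte length)."""
    assert 0 <= len(value) < 256
    return bytes([t, len(value)]) + value


def parse_tlvs(data):
    """Return [(type, value, offset_of_type_byte)]; stops at End-of-data."""
    out, i = [], 0
    while i < len(data):
        t = data[i]
        if t == END:
            break
        if t == PAD:
            i += 1
            continue
        ln = data[i + 1]
        out.append((t, data[i + 2:i + 2 + ln], i))
        i += 2 + ln
    return out


def build_config(down_bps, up_bps):
    """A minimal file: network access on, one service class, CM MIC, end."""
    body = tlv(NET_ACCESS, u8(1))
    cos = tlv(1, u8(1)) + tlv(2, u32(down_bps)) + tlv(3, u32(up_bps)) \
        + tlv(4, u8(1)) + tlv(7, u8(0))
    body += tlv(COS, cos)
    # CM MIC: plain MD5 over every byte that precedes the MIC TLV. No key.
    body += tlv(CM_MIC, hashlib.md5(body).digest())
    return body + bytes([END])


def decode_config(data):
    """Pull out the fields an operator (or an attacker) cares about."""
    info = {"cm_mic_ok": None}
    for t, v, off in parse_tlvs(data):
        if t == NET_ACCESS:
            info["network_access"] = bool(v[0])
        elif t == COS:
            info["cos"] = {COS_NAMES.get(st, st): int.from_bytes(sv, "big")
                           for st, sv, _ in parse_tlvs(v)}
        elif t == CM_MIC:
            info["cm_mic_ok"] = hashlib.md5(data[:off]).digest() == v
    return info


def rewrite_upstream(data, new_up_bps):
    """Change the upstream cap and recompute the CM MIC.

    Anyone holding the file can do this, which is exactly why a modem that
    trusts an unkeyed MIC proves nothing; only the CMTS MIC, computed with a
    secret the modem does not hold, ties the file to the head end.
    """
    out = b""
    for t, v, _ in parse_tlvs(data):
        if t == COS:
            cos = b"".join(tlv(st, u32(new_up_bps) if st == 3 else sv)
                           for st, sv, _ in parse_tlvs(v))
            out += tlv(COS, cos)
        elif t == CM_MIC:
            out += tlv(CM_MIC, hashlib.md5(out).digest())
        else:
            out += tlv(t, v)
    return out + bytes([END])


if __name__ == "__main__":
    cfg = build_config(1_500_000, 256_000)
    print(len(cfg), "bytes:", cfg.hex())
    print(decode_config(cfg))
    print(decode_config(rewrite_upstream(cfg, 10_000_000)))
```

Run it as a script to see the hex of the constructed file and both decodes; the interesting output is that the rewritten file still reports `cm_mic_ok: True`. To test a real file pulled from the TFTP server named by the modem's web page, feed its bytes to `decode_config` and expect additional types (SNMP MIB objects, vendor TLVs) that this example simply reports by number.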
This archive was generated by hypermail 2b30 : Mon Apr 30 2001 - 20:30:28 PDT