Just on the topic of cable modems.... I've been watching for a long while now a
certain packet I can't shake on my firewall. I don't have the logs with me, but
I've been watching it for months now and I can almost sing along with it. It
relates to the idea of "If you can figure out what this network is".

Modem: DOCSIS, Telstra BigPond Advance, Sydney, Australia (Newtown),
IP 203.45.9x.xx
Firewall: eth0=int, eth1=ext

Incoming packet proto #2 (IGMP) on eth1 DENY ip 10.61.5.1:65535
d-ip 24.0.0.1:65535 (rule #1)

Various others from time to time include a sport 68 dport 67 DHCP request to
the eth1, and sometimes an ICMP sport 8 dport 0 in on eth1. The first of the
series happens every 60 secs non-stop, for the last 3-4 months. I figure it's
got to be Telstra; no other person would be so stupid (other than an auto
script). It's denied by us, but I figure if it's also hitting our DMZ then it's
hitting the whole cable net. I have called Telstra and asked their helpdesk,
but I may as well have asked my mum how to upgrade my OS or BIOS for all it
did. I have also scanned the IP and traced it (scan came up with nothing,
trace says 1 hop :). Any thoughts????? I'll send the log snippets in tomorrow.

___________________________________________________________
Neil McCallum                 | Ph +61-2-9452-9064
Network Administrator         | Fax +61-2-9452-9800
Fujitsu Australia Limited     | Email neil.mccallumat_private
14 Rodborough Road,           |
French's Forest. NSW. 2086    | Mobile 0410-472-086
Australia                     | +61-410-472-086
___________________________________________________________

-----Original Message-----
From: russi [mailto:rusko5at_private]
Sent: Monday, 30 April 2001 12:13 PM
To: VULN-DEVat_private
Subject: Re: Hijack IP Address using cable modem

Any info on Com21 or RCA cable modems? Also, wouldn't it be possible to put a
cable in between two cable modems, hook up a box to one of them, switch the
other on and watch what it transmits over the cable?

pavel

----- Original Message -----
From: "Rev. Chris Cappuccio" <chrisat_private>
To: <VULN-DEVat_private>
Sent: Sunday, April 29, 2001 12:36 AM
Subject: Re: [VULN-DEV] Hijack IP Address using cable modem

> On Sat, 28 Apr 2001, Rajkumar S. wrote:
>
> | Anyone with any experience with this OS? Some bugs are bound to occur.
>
> The Surfboard OS is VxWorks; it seems to be used in many smaller devices
> that need an IP stack.
>
> The web server on the Motorola (formerly General Instruments) Surfboard
> (2000?)/3000/4000 series gives plenty of information about the internal IP
> address scheme for the provider's Hybrid Fiber-Coax network, as well as the
> features of the modem. One interesting piece of information is the TFTP
> server which the modem grabs its configuration file from, and that file
> name. All DOCSIS cable modems seem to grab a configuration file that is
> around 120 bytes in size, and although I have not studied the DOCSIS
> specification closely, I believe this at least tells the modem what uplink
> and downlink speeds to operate at. It must also tell the modem other
> parameters to use on the cable network. Most providers appear to use a
> generic configuration file for many customers.
>
> Further, DOCSIS cable providers use an internal IP address scheme strictly
> for addressing Hybrid Fiber-Coax connected devices like the cable modems
> and bridges. If you can figure out what this network is, for instance from
> the information provided by the web server on your Surfboard, you can talk
> to any cable modem on your network.
>
> This in itself is an interesting security hole from the idea that you can
> do extensive information gathering, not from other modems' web servers,
> but from SNMP. Install ucd-snmp and try snmpwalk 192.168.100.1 public!
> You can get most, if not all, of the information that the Surfboard's web
> server will give you, plus a lot more. I've only used the web server on
> the Surfboard. Other modems, like the ever popular Toshiba, still give out
> extensive information via SNMP. It must be hard (read: impractical) for
> cable vendors and providers to secure SNMP over a wide deployment, so this
> doesn't seem all that unusual. But, keep in mind, providers use SNMP for a
> wide variety of tasks to manage the modem, and they use information from
> the modem to manage the network.
>
> For anyone who wants to play with their Motorola Surfboard, just add an IP
> alias on your system as 192.168.100.xx (except .1) and connect to
> 192.168.100.1 to check out the modem. You don't even have to add the
> alias; the Surfboard seems to intercept outgoing connections to
> 192.168.100.1 regardless of the MAC address they are intended for. But, I
> don't know how reliable this is.
>
> It is of course possible that the Surfboard or other cable modems may be
> vulnerable to some kind of problems where an intruder could change
> settings or even load up new firmware. I think it is likely that they are
> vulnerable to some DoS attacks; I am thinking along the lines of nuke,
> teardrop, etc. Because of the wide open nature of SNMP on these cable
> modems (e.g. you most likely can talk to any cable modem in your area with
> SNMP if you are on one), I do not think very highly of the general
> security here. Actually, that would be understating my opinion. On the
> positive side, the Surfboard in particular does not respond to IP
> connections coming in to its hybrid fiber-coax IP on the web server port,
> but it does respond to SNMP. I think this is specified in DOCSIS.
>
> Motorola's security policy to handle this area is the same (FAILED) policy
> it used with its cell phones: only make modem management information
> available to 'registered users', the cable companies. Motorola has a web
> site from which you can download detailed manuals for the Surfboard, but
> you have to sign up and match a registered customer. This policy failed
> with the cell phones, because the information on how to access the
> internal/debugging features of their cell phones was leaked, and that was
> only in between the times when 'unregistered' users were getting the
> information directly from Motorola, after paying lip service to Motorola
> on their status or intended usage.
>
> I have only glanced at the (freely available online at cablelabs.com)
> specifications for DOCSIS. I don't know how it works in terms of security
> or encryption. I wonder how much is left up to the user (cable modem)
> versus the head end. I imagine that, with more information from Motorola
> on how to access the modem, you could manipulate the speeds that your
> modem runs at, and possibly gain control of the cable network in other
> ways that are clearly not intended for the end user. Cable looks like a
> can of worms, just like cell phones, and the vendors should be held
> responsible. Stop-gap measures like limiting access to the manuals are
> poor band-aids to more serious problems.
>
> If you are going to play with your modem, look at the information from it
> carefully, and keep in mind that your modem has its own MAC address which
> identifies to the cable system who you are (matching back from their
> database with the MAC) and what config file you get from the TFTP server.
>
> ---
> Rev. Chris Cappuccio
> http://www.dqc.org/~chris/
>
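Editorial addition, not part of the thread: Neil promised log snippets but never describes how he sorted them, so here is the analysis a firewall admin would want in hand before calling the provider. The Python script below parses ipchains-style DENY lines, groups them per flow, measures how regular each flow's inter-arrival interval is, and attaches a plain-language reading. The log line format, the sample entries (including 203.0.113.10 as a documentation-range placeholder for the firewall's own external address) and the classification rules are all constructed assumptions for this example. It relies on two facts: ipchains records an ICMP packet's type and code in the source and destination port fields, and IGMP membership queries are addressed to the all-hosts group 224.0.0.1, so the first check to make on a log like Neil's is whether the logged destination really is 24.0.0.1 or is 224.0.0.1, which would make the 60-second packet the CMTS's routine multicast query rather than anything aimed at him.

```python
# Added example (not from the thread): summarise recurring DENY entries in an
# ipchains-style firewall log. Log format, sample lines and the classification
# rules below are constructed assumptions for the example.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: an IGMP entry every 60 s on the external interface,
# one DHCP client broadcast and one ICMP echo request. 203.0.113.10 is a
# documentation-range placeholder for the firewall's own external address.
SAMPLE_LOG = """\
Apr 30 11:00:00 fw kernel: DENY eth1 proto=2(igmp) 10.61.5.1:65535 -> 24.0.0.1:65535 rule=1
Apr 30 11:01:00 fw kernel: DENY eth1 proto=2(igmp) 10.61.5.1:65535 -> 24.0.0.1:65535 rule=1
Apr 30 11:01:37 fw kernel: DENY eth1 proto=17(udp) 0.0.0.0:68 -> 255.255.255.255:67 rule=4
Apr 30 11:02:00 fw kernel: DENY eth1 proto=2(igmp) 10.61.5.1:65535 -> 24.0.0.1:65535 rule=1
Apr 30 11:02:41 fw kernel: DENY eth1 proto=1(icmp) 10.61.5.1:8 -> 203.0.113.10:0 rule=7
Apr 30 11:03:00 fw kernel: DENY eth1 proto=2(igmp) 10.61.5.1:65535 -> 24.0.0.1:65535 rule=1
Apr 30 11:04:00 fw kernel: DENY eth1 proto=2(igmp) 10.61.5.1:65535 -> 24.0.0.1:65535 rule=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<action>DENY|ACCEPT) (?P<iface>\S+) proto=(?P<proto>\d+)\((?P<pname>\w+)\) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) rule=(?P<rule>\d+)$"
)
EXTERNAL_IFACE = "eth1"  # eth0 = internal, eth1 = external, as in the post

def is_private(ip):
    """RFC 1918 check: 10/8, 172.16/12, 192.168/16."""
    a, b = (int(o) for o in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def parse_log(text):
    """One dict per line matching LINE_RE; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            records.append(rec)
    return records

def flow_key(rec):
    return (rec["iface"], rec["pname"], rec["src"], rec["sport"], rec["dst"], rec["dport"])

def summarise(records):
    """Per denied flow: hit count, median inter-arrival gap and its jitter."""
    times = defaultdict(list)
    for rec in records:
        if rec["action"] == "DENY":
            times[flow_key(rec)].append(rec["time"])
    summary = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        summary[key] = {"count": len(ts),
                        "median_interval": statistics.median(gaps) if gaps else None,
                        "jitter": statistics.pstdev(gaps) if len(gaps) > 1 else 0.0}
    return summary

def classify(key, stats):
    """Plain-language reading of a flow; these rules are the example's assumptions."""
    iface, pname, src, sport, dst, dport = key
    notes = []
    interval = stats["median_interval"]
    if interval and stats["count"] >= 3 and stats["jitter"] <= 0.1 * interval:
        notes.append("periodic (%.0fs), almost certainly automated" % interval)
    if iface == EXTERNAL_IFACE and is_private(src):
        notes.append("RFC 1918 source on the external interface: a provider-side device, "
                     "not something routable from the Internet")
    if pname == "igmp":
        notes.append("IGMP: membership queries go to the all-hosts group 224.0.0.1, so "
                     "confirm whether the logged destination is 24.0.0.1 or 224.0.0.1")
    if pname == "udp" and sport == "68" and dport == "67":
        notes.append("DHCP client broadcast (68->67): another host on the cable segment "
                     "looking for a DHCP server")
    if pname == "icmp":  # ipchains logs the ICMP type and code in the port fields
        notes.append("ICMP type %s code %s" % (sport, dport))
    return "; ".join(notes) or "no classification"

if __name__ == "__main__":
    for key, stats in sorted(summarise(parse_log(SAMPLE_LOG)).items(),
                             key=lambda kv: -kv[1]["count"]):
        print("%s %s %s:%s -> %s:%s x%d: %s" % (key + (stats["count"], classify(key, stats))))
```

Run as-is it reports on the constructed sample; point `parse_log` at a real log file and the periodic flows float to the top of the list, which is the short version of what to hand a helpdesk.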
This archive was generated by hypermail 2b30 : Tue May 01 2001 - 21:19:00 PDT