Re: RCA cable modem Deny of Service

From: Michael H. Warfield (mhwat_private)
Date: Mon Apr 01 2002 - 09:05:06 PST


    On Tue, Mar 26, 2002 at 11:48:16PM -0500, Rob Koliha wrote:
    >  You can do that with any docsis modem.. All of them use the snmp 
    > community 'public' for read/write access..
    
    	No...  This is not correct.  On either point.
    
    	I'm aware of a number of DOCSIS modems which do not seem to support
    SNMP at all.  They seem to have some web server management interface
    however.  I think someone mentioned to me the Motorola Surfboard in that
    context but, having no personal first hand experience with the Surfboard,
    I can not personally confirm that.  I was informed of the existence
    of these non-SNMP enabled modems when I made similar claims in front
    of people who have them and have tried to poke at them for SNMP and
    failed.  I only have their word to go on there.
    
    	Most of the ones that do support SNMP have the "write" community
    changed to some other string when the modem downloads its configuration
    from the head-end via bootp.  Of course, it's pretty trivial to look in
    the SNMP dump from the modem for the IP address of the tftp server and
    the name of the configuration file and then, from there, download the
    file and decompile it to determine the write access community name.
    This much I CAN confirm from personal experience with the Toshiba
    PCX 1100U on an AT&T Broadband network.
    
    > There really isn't any physically identifying information in a snmp 
    > walk of a modem (or by using docsdiag.jar to do it)... Signal levels, 
    > interface statistics, etc.. You can tell if they're using usb or ether 
    > and you can probably pull the client ip's (CPE's) from the walk..
    
    	You can also dump mac addresses and ACLs.  If you know someone's
    real IP address you can identify a modem as belonging to them by the
    existance of their public IP address in the tables on the modem.  This
    I have done.
    
    > The docsis_light_avalos is odd, but I think that it may be the config 
    > file the modem is using or another configuration variable (possibly 
    > specific to the rca?).. It would be pretty crazy if your mso was snmp 
    > writing physically identifying information in every modem! At any rate 
    > that's a problem with your isp, not rca.
    
    > Any snmp values that are written are reset when you unplug the modem for 
    > an extended period (15min+) or reset it using a software tool(motorola) 
    > or the physical reset button(toshiba)..
    
    > The 10.x.x.x side of the modem is kind of wide open, but it's also 
    > fairly safe because unless you get someone to tell you their modem ip 
    > (or you get it directly from their modem (physically) you don't have any 
    > way to find it out other than guessing (which btw only works if you're 
    > both on the same modem network)..
    
    	Which can be rather large.  I can dump the MIB from my son's
    cable modem from my site and we are on different subnets (in different
    cities, several miles apart).  IOW...  If you are on AT&T Broadband, you
    can pretty much dump the MIB from the cable modem of anyone else on AT&T
    broadband.  That's a pretty big playpen.  As the big boys eat the
    little boys, that playpen gets bigger.
    
    	As far as guessing goes, there's a pattern to that madness as well
    at least as far as AT&T goes (and probably others as well).  The modem
    is going to be on the 10.* network so the high octet of the address will
    be 10.  The netmask will be identical to the netmask of public address
    on your computer interface.  The remainder of the network address will
    be the same between the two devices.
    
    	Example:
    
    	Address from DHCP	Network		Cable modem subnet
    	24.98.10.21/22		24.98.8.0/22	10.98.8.0/22
    
    	The host address field is fed out by DHCP and will be "random"
    within the subnet and will not correlate between the host address of the
    interface and the host address of the cable modem.
    
    	Now, you can sniff your interface for ARPs and get a quick
    idea of your cable modem's 10-net address (you will see the head end
    system broadcasting ARP requests and your modem responding) or you can
    scan the 10-net subnet you know your cable modem is on and look for
    who is there and who has your cable modem's MAC address or your interface
    IP address.  Probing for someone else's cable modem is only slightly
    more complicated.
    
    > It would be fairly simple to develop a tool to find active 10.x.x.x 
    > ranges and then snmp poll every ip in those ranges and compile a list of 
    > internet ip's behind modems.. That might not tell you much as far as 
    > physical location but you could use the information to determine what a 
    > persons modem ip was if you had their real ip and they were on your 
    > modem network..
    
    	You can do it with a script.  It's trivial.
    
    > Another thing with the snmp side is the recent protos snmp test suite.. 
    > _A LOT_ of the modems lockup when you use this tool on the 192.x.x.x or 
    > the 10.x.x.x interface.. It probably wouldn't be hard to make a mass 
    > denial of service attack that would hit all/selected ranges of 10.x.x.x 
    > addresses with the snmp exploit.. This would effectively lock up any 
    > vulnerable modem and would require the user to powercycle to restore 
    > service..
    
    
    > The main thing to keep in mind is that the 10.x.x.x addy's aren't public 
    > and people outside of your modem network can't communicate with them.. 
    > If anyone turns the above concepts into an exploit I'd appreciate a copy ;)
    
    	Again, that can be a very VERY large playpen.  It's not restricted
    to your collision zone or subnet.
    
    > Rob Koliha
    > HSDT
    > Charter Communications
    
    > Gabriel A. Maggiotti wrote:
    > 
    > >
    > >------------------------------------------------------------------------
    > >
    > >------------------------------------------------------------------------------
    > >Web:  http://qb0x.net      			Author: Gabriel A. Maggiotti
    > >Date: March 26, 2002       	        	E-mail: gmaggiotat_private
    > >------------------------------------------------------------------------------
    > >
    > >
    > >
    > >
    > >General Info
    > >------------
    > >Problem Type    :  deny of service, misconfiguration and leak of information
    > >Vendor          :  www.rca.com
    > >Product         :  RCA cablemodems
    > >Model           :  DCM225 (perhaps others)
    > >Scope           :  Remote
    > >Risk            :  High
    > >
    > >
    > >Summary:
    > >-------
    > >
    > >The RCA Digital Cable Modem serves as a two-way high-speed bridge between
    > >your personal computer and a cable Internet Service Provider (ISP).  It
    > >converts information that originates from the Internet or your computer
    > >into electronic messages that can be transported over the same wires your
    > >cable company uses to transport video signals.
    > >
    > >
    > >Problem:
    > >-------
    > >
    > >1-  Deny of Service:
    > >
    > >       The RCA cable modem has two devices; the one for local connection is
    > >192.168.100.1.  This device is used for information requests about the
    > >status of the cable.  The other device is 10.x.x.x and gives the same
    > >information.
    > >       If you connect to the second device (10.x.x.x) on port 80, the RCA
    > >cable modem resets the user's connection with inet.  I proved it with my
    > >own WAN IP 10.1.1.x and with other cable modem users' IPs in the same WAN.
    > >All of them reset when I remotely connect to port 80 of the cable modems.
    > >
    > >
    > >
    > >2-  Leak of Information:
    > >    I can connect to the WAN IP 10.x.x.x of any cable modem user in my node,
    > >and take a look at the user's cable modem status information such as:
    > >
    > >       USB: Inactive
    > >       Ethernet: 100
    > >       BaseT
    > >       MAC Address:  00 10 95 0a 05 62
    > >       User: Active
    > >       Signal Acquired at 573 MHz
    > >       SNR: 36.0 dB
    > >       Received Signal Strength: -4.0 dBmV
    > >       Micro-Reflections: 20 dBc
    > >       Connection: Acquired
    > >       Frequency: 37 MHz
    > >       Power Level: 44.0 dBmV
    > >       Channel ID: 4
    > >       Number of user conected: 1
    > >
    > >
    > >
    > >I can dump user cablemodem MIB's too.
    > >
    > >       I can search in the MIB table looking for my node server.  I know that
    > >the node IP starts with 10.x.x.x and I started to search in the MIB.  Oops,
    > >I found it!
    > >
    > >69.1.4.2.0 = IpAddress: 10.20.250.1
    > >69.1.4.3.0 = IpAddress: 10.20.250.1
    > >69.1.4.4.0 = IpAddress: 10.20.250.1
    > >69.1.4.5.0 = "docsis_light_avalos"
    > >
    > >       And then I recognized the word "avalos" because it is the name of the
    > >street where the node physically is.
    > >
    > >
    > >3-  Misconfiguration, because you can write to my own MIB table.  Take a look:
    > >
    > ><quote>
    > >[gabi@pluto gabi]$ snmpwalk 192.168.100.1 public
    > >
    > >system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 65731049496572,
    > >HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS: PSOS
    > >2.5.0
    > >system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0
    > >system.sysUpTime.0 = Timeticks: (141857) 0:23:38.57
    > >system.sysContact.0 = unassigned sysContact
    > >system.sysName.0 =
    > >system.sysLocation.0 =
    > >system.sysServices.0 = 79
    > >
    > >[gabi@pluto gabi]$ snmpset 192.168.100.1 public system.sysName.0 s lame
    > >system.sysName.0 = lame
    > >
    > >[gabi@pluto gabi]$ snmpset 192.168.100.1 public system.sysLocation.0 s lame_cyty
    > >system.sysName.0 = lame_city
    > >
    > >
    > >[gabi@pluto gabi]$ snmpwalk 192.168.100.1 public
    > >
    > >system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 65731049496572,
    > >HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS: PSOS
    > >2.5.0
    > >system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0
    > >system.sysUpTime.0 = Timeticks: (161396) 0:26:53.96
    > >system.sysContact.0 = unassigned sysContact
    > >system.sysName.0 = lame
    > >system.sysLocation.0 = lame_city
    > >system.sysServices.0 = 79
    > ></quote>
    > >
    > >
    
    -- 
     Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
      /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
      NIC whois:  MHW9      |  An optimist believes we live in the best of all
     PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
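The address pattern Michael describes above (public network netmask and remaining network bits kept, first octet replaced by 10) can be checked against a subscriber's own lease. The following is an added example, not code from the original message or from any vendor; every function name in it is this example's own. It encodes the post's AT&T Broadband mapping as a prediction and includes a check that compares the prediction with the 10-net address your own modem actually reports, because the post presents the pattern as something observed on one provider rather than as a DOCSIS rule:

```python
"""Predict the cable-modem management subnet from a subscriber's own public
DHCP lease, following the pattern described in the post above.

Added example, not code from the original message.  The rule it encodes
(keep the public network's prefix length and remaining network bits,
replace the first octet with 10) is taken from the post's AT&T Broadband
example; it is an observed pattern on one provider, not a DOCSIS
requirement, so the result is a hypothesis to confirm against the address
your own modem reports (for example in its ARP replies to the head end).
"""
import ipaddress


def public_network(lease: str) -> ipaddress.IPv4Network:
    """Network that a lease such as '24.98.10.21/22' belongs to (24.98.8.0/22)."""
    return ipaddress.ip_interface(lease).network


def predicted_modem_subnet(lease: str) -> ipaddress.IPv4Network:
    """Apply the post's pattern: same prefix length, first octet replaced by 10."""
    net = public_network(lease)
    if net.prefixlen < 8:
        # The pattern only makes sense when the whole first octet is network bits.
        raise ValueError("prefix length must be at least 8 for this mapping")
    octets = net.network_address.packed            # e.g. b'\x18\x62\x08\x00'
    mgmt = ipaddress.IPv4Address(bytes([10]) + octets[1:])
    return ipaddress.ip_network(f"{mgmt}/{net.prefixlen}", strict=True)


def modem_matches_pattern(modem_address: str, lease: str) -> bool:
    """True if the 10-net address your modem reports lies in the predicted subnet.

    False means the provider does not follow this pattern (or the address came
    from somewhere else), so the prediction is not usable on that network.
    """
    return ipaddress.ip_address(modem_address) in predicted_modem_subnet(lease)


if __name__ == "__main__":
    # Constructed input reproducing the post's example lease.
    lease = "24.98.10.21/22"
    print("public network   :", public_network(lease))
    print("predicted subnet :", predicted_modem_subnet(lease))
    print("10.98.9.77 fits  :", modem_matches_pattern("10.98.9.77", lease))
```

The point of `modem_matches_pattern` is the caveat in the post itself: the mapping is only as good as the provider's addressing plan, so a subscriber or operator should confirm it with a real modem address before assuming the management plane is predictable.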
    
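The quoted advisory shows a `snmpwalk` before and after an `snmpset` with the default community, and separately a walk exposing head-end addresses and a node name. An operator or subscriber who records a baseline walk of their own modem can detect both conditions by parsing the walks. The following is an added example, not code from the thread, from RCA or from net-snmp; the function names are this example's own, the sample walks are constructed from the advisory's pasted output with the serial number replaced by a placeholder, and the parser assumes the `name = TYPE: value` text format shown in the advisory:

```python
"""Parse net-snmp style `snmpwalk` output and (a) report objects that changed
between a baseline walk and a later one, (b) list private-range IpAddress
values that a public-readable walk exposes.

Added example, not code from the original thread or from any vendor.  Sample
walks are constructed from the advisory's output (serial number replaced).
"""
import ipaddress
import re

# `oid = TYPE: value`; TYPE (OID, IpAddress, Timeticks, ...) is optional because
# plain strings are printed without one in this output format.  Lines that do
# not match are treated as wrapped continuations of the previous value.
LINE_RE = re.compile(r"^(?P<oid>[\w.]+)\s*=\s*(?:(?P<type>[A-Za-z]+):\s*)?(?P<value>.*)$")

# Objects expected to differ between any two walks; never reported as drift.
VOLATILE = {"system.sysUpTime.0"}

BASELINE_WALK = """\
system.sysDescr.0 = RCA DCM225 Cable Modem serial no. SERIAL-PLACEHOLDER,
HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS: PSOS
2.5.0
system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0
system.sysUpTime.0 = Timeticks: (141857) 0:23:38.57
system.sysContact.0 = unassigned sysContact
system.sysName.0 =
system.sysLocation.0 =
system.sysServices.0 = 79
69.1.4.2.0 = IpAddress: 10.20.250.1
69.1.4.5.0 = "docsis_light_avalos"
"""

# Same modem after the advisory's two snmpset commands (constructed).
LATER_WALK = """\
system.sysDescr.0 = RCA DCM225 Cable Modem serial no. SERIAL-PLACEHOLDER,
HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS: PSOS
2.5.0
system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0
system.sysUpTime.0 = Timeticks: (161396) 0:26:53.96
system.sysContact.0 = unassigned sysContact
system.sysName.0 = lame
system.sysLocation.0 = lame_city
system.sysServices.0 = 79
69.1.4.2.0 = IpAddress: 10.20.250.1
69.1.4.5.0 = "docsis_light_avalos"
"""


def parse_walk(text):
    """Return {oid: (type, value)}; wrapped lines are joined onto the previous object."""
    objects = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            last = m.group("oid")
            value = m.group("value").strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]                  # unquote STRING values
            objects[last] = (m.group("type") or "STRING", value)
        elif last is not None:
            typ, value = objects[last]
            objects[last] = (typ, f"{value} {line}")  # continuation of a long value
    return objects


def diff_walks(baseline, current):
    """{oid: (old_value, new_value)} for every non-volatile object that differs."""
    changes = {}
    for oid in sorted(set(baseline) | set(current)):
        if oid in VOLATILE:
            continue
        old = baseline.get(oid, (None, None))[1]
        new = current.get(oid, (None, None))[1]
        if old != new:
            changes[oid] = (old, new)
    return changes


def private_addresses(walk):
    """IpAddress objects in RFC 1918 space, e.g. head-end/node addresses a walk reveals."""
    return [(oid, value) for oid, (typ, value) in walk.items()
            if typ == "IpAddress" and ipaddress.ip_address(value).is_private]


if __name__ == "__main__":
    base, later = parse_walk(BASELINE_WALK), parse_walk(LATER_WALK)
    for oid, (old, new) in diff_walks(base, later).items():
        print(f"CHANGED {oid}: {old!r} -> {new!r}")
    for oid, value in private_addresses(base):
        print(f"PRIVATE ADDRESS EXPOSED {oid}: {value}")
```

Run on the two constructed walks, `diff_walks` reports only `sysName` and `sysLocation` (the uptime difference is suppressed by `VOLATILE`), and `private_addresses` lists the 10.20.250.1 node address the advisory found. The same diff on a modem whose baseline was taken right after provisioning is a cheap way to notice later writes through the default community.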



    This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 12:55:28 PST