Vulnerability Development mailing list archives
RE: DOCSIS vulnerability
From: "Chris Chandler" <chandlerchrisc () earthlink net>
Date: Tue, 12 Mar 2002 06:16:43 -0500
This is not entirely true. I have only seen a few instances of it actually working with Some Cybersurfer modems, mainly the SB 3100 and SB 4100. It does NOT always work, I know I have tried it, the whole spiel of creating the specific binary and key files for it then doing the reset and what have you. While I have seen this work on a few, I have a DOCSIS modem and it doesn't work. Chris Chandler MCSE 2000, A+, Network +, MCP-I -----Original Message----- From: Matthew S. Hallacy [mailto:poptix () techmonkeys org] Sent: Monday, March 11, 2002 10:55 PM To: vuln-dev () securityfocus com Subject: DOCSIS vulnerability Hi, Apparently this isn't bugtraq worthy (my posts weren't rejected, they were simply deleted), so I'll send it here. --- Pre-ramble: I've been debating this for a while, but now I'm sufficiently agitated by dishonest cable ISP's to post it. Background: DOCSIS was created to be a standard for data over cable systems so that a cable modem that worked on one system would work just as well on the next, this brings down hardware costs, as well as training costs. Basicly you plug the cable modem in, it acquires a data path to the ISP's hardware, and sends a BOOTP request. The BOOTP reply that it recieves contains a few items, a syslog server, a tftp server, a time server, and a config file to download from the TFTP server. Until now everyone has claimed that it's impossible to disrupt this, 6 months ago I found a way to. Ramifications: Everything from 'uncapping' your cable modem to being able to destroy the cable network you're connected to, this is how cable companies rate limit their customers, it's how they keep their customers DHCP servers from replying to DHCP requests from other customers, it's also how they block everything from netbios to web servers. this is also the method used to restrict customers to a certain number of IP addresses. Details: It's a simple attack, while the modem is booting it looks for the address of the TFTP server, simply assaign that address to your system and ping the cable modem on its management address (usually 192.168.100.1). It will then connect to your machine to download the TFTP configuration file. This is known to work on the following models: Motorola (all models) 3Com Sharkfin Toshiba PCX 1100 This is known to NOT work on these models: RCA DCM235 3Com CMX Copyright: If you're redistributing this, keep it intact. (c) 2002 Matthew S. Hallacy
Current thread:
- DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- RE: DOCSIS vulnerability Chris Chandler (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- Re: DOCSIS vulnerability Mark (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- Re: DOCSIS vulnerability Dave Ahmad (Mar 12)
- Re: DOCSIS vulnerability Laurence Brockman (Mar 12)
- <Possible follow-ups>
- RE: DOCSIS vulnerability Rense Buijen (Mar 12)
- RE: DOCSIS vulnerability Justin Ellison (Mar 12)
- Re: DOCSIS vulnerability Rob Koliha (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 13)
- RE: DOCSIS vulnerability Justin Ellison (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- RE: DOCSIS vulnerability Chris Chandler (Mar 12)
- Re: DOCSIS vulnerability dana shetterly (Mar 19)