Bugtraq mailing list archives

Re: 3Com cable modems / Mediaone


From: Dorin.Mandachi () COX COM (Mandachi, Dorin (CCI-Omaha))
Date: Mon, 29 Nov 1999 16:47:55 -0500


The ability to download firmware updates remotely into a cable modem is a
DOCSIS requirement (www.cablelabs.com). The process is supposed to be quite
automatic and seamless to the user.

It usually takes place by the cable operator forcing the modems to
re-register. When a DOCSIS modem tries to register, it sends an ARP request
which the CMTS (cable modem termination system, i.e. cable router) forwards to
a DHCP server defined on the CMTS.
The DHCP server replies with an offer, the cable modem hopefully gets it, then it
asks for a configuration file from the TFTP server (defined in the ARP
response). The config file has a field about the latest firmware revision.

Cable operators are supposed to: assign private IPs to the modem, configure
trusted IPs for telnet access (not all DOCSIS modems have a telnet daemon),
and disable the serial interface.

How does the modem authenticate the headend system? The way a cable network
works, the only place you could have a headend system is in the headend,
which is hopefully physically secured.

If you can get on the console, you could reset your modem, ask for the TFTP
file, and do some diagnostics.

Dorin

-----Original Message-----
From: Signal 11 [mailto:signal11 () MEDIAONE NET]
Sent: Saturday, November 27, 1999 2:10 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: 3Com cable modems / Mediaone

I'm not certain this is the appropriate forum to discuss this;
however, I've been unable to locate any documentation about this
on 3Com's website, nor has technical support been helpful in
enlightening me (I have called their 800 number).

The 3Com external cable modem (CMX) allows the upstream provider
to download firmware updates into your cable modem. This can be
(and I suspect usually is) done without the user's knowledge,
and it took some digging to uncover this "feature". The cable
modem can also be reprogrammed via a serial port in back,
although my attempts to access it have proven futile.
I am also very curious to find out how to telnet into this thing,
as there are references to it being "password protected"
to prevent intruders. Somehow I rather doubt mine was
given a password (and thus it is open to the whole world).

I'm very much concerned about using a device which has
little or no technical specifications with my system.
Can firmware be uploaded by anyone? How does the modem
authenticate the head-end system? Does anyone have any
information on how to reprogram this modem?


--
Signal 11, BOFH to the UF list and malign.net
Where's the DIR command?
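Added example, not code from either message above: a small Python model of the configuration-file step Dorin describes, showing what the file's two integrity checks do and do not give the modem, which bears on Signal 11's question of how the modem authenticates the head-end. The TLV type numbers and the list of types the CMTS MIC hashes are taken from the DOCSIS 1.0 RFI specification as recalled here and should be treated as assumptions; the firmware filename, TFTP address and shared secret are made up.

```python
"""Model of a DOCSIS 1.0 cable-modem configuration file with its two MICs.
Added example, not from the thread. TLV numbers and the CMTS-MIC coverage
list follow the DOCSIS 1.0 RFI spec as recalled here (assumptions);
filenames, addresses and the shared secret are made up.
"""
import hashlib
import hmac
import ipaddress
import struct

TLV_NET_ACCESS = 3        # Network Access Control: 1 = forward subscriber traffic
TLV_CM_MIC = 6            # CM Message Integrity Check: MD5, no key
TLV_CMTS_MIC = 7          # CMTS Message Integrity Check: HMAC-MD5, shared secret
TLV_SW_UPGRADE_FILE = 9   # Software Upgrade Filename (the "firmware revision" field)
TLV_SW_UPGRADE_TFTP = 21  # Software Upgrade TFTP Server, IPv4
TLV_END = 255             # end-of-data marker; file is then zero-padded to 4 bytes

# Types the CMTS MIC hashes, in this fixed order (DOCSIS 1.0 list, assumed).
# Type 6 is in it, so everything the CM MIC covers is bound transitively.
CMTS_MIC_TYPES = (1, 2, 3, 4, 17, 43, 6)


def tlv(t, value):
    """Encode one type-length-value item; config-file TLVs have a 1-byte length."""
    if not 0 <= len(value) <= 255:
        raise ValueError("TLV value must fit in one length byte")
    return struct.pack("BB", t, len(value)) + value


def parse_tlvs(data):
    """Return (offset, type, value) triples up to the end marker, skipping padding."""
    out, i = [], 0
    while i < len(data) and data[i] != TLV_END:
        t = data[i]
        if t == 0:                       # padding byte
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        n = data[i + 1]
        value = data[i + 2:i + 2 + n]
        if len(value) != n:
            raise ValueError("truncated TLV value at offset %d" % i)
        out.append((i, t, value))
        i += 2 + n
    return out


def cm_mic(preceding):
    """CM MIC: plain MD5 of every byte before the type-6 TLV. Anyone can compute it."""
    return hashlib.md5(preceding).digest()


def cmts_mic(tlvs, secret):
    """CMTS MIC: HMAC-MD5 over the covered TLVs (type, length, value) in spec order."""
    covered = b"".join(tlv(t, v) for ct in CMTS_MIC_TYPES for _, t, v in tlvs if t == ct)
    return hmac.new(secret, covered, hashlib.md5).digest()


def build_config(firmware, tftp_ip, secret):
    """Provisioning side: the file the operator's TFTP server hands the modem."""
    body = (tlv(TLV_NET_ACCESS, b"\x01")
            + tlv(TLV_SW_UPGRADE_FILE, firmware.encode("ascii"))
            + tlv(TLV_SW_UPGRADE_TFTP, ipaddress.IPv4Address(tftp_ip).packed))
    body += tlv(TLV_CM_MIC, cm_mic(body))                          # sealed first ...
    body += tlv(TLV_CMTS_MIC, cmts_mic(parse_tlvs(body), secret))  # ... then bound here
    body += bytes([TLV_END])
    return body + b"\x00" * (-len(body) % 4)


def verify_as_cm(data):
    """The check the modem can perform: it holds no secret, so only the MD5."""
    for off, t, v in parse_tlvs(data):
        if t == TLV_CM_MIC:
            return hmac.compare_digest(v, cm_mic(data[:off]))
    return False


def verify_as_cmts(data, secret):
    """The check the CMTS performs at registration when a shared secret is configured."""
    tlvs = parse_tlvs(data)
    for _, t, v in tlvs:
        if t == TLV_CMTS_MIC:
            return hmac.compare_digest(v, cmts_mic(tlvs, secret))
    return False


def software_upgrade(data):
    """What the modem reads out: (firmware filename, TFTP server) for the upgrade."""
    fields = {t: v for _, t, v in parse_tlvs(data)}
    return (fields[TLV_SW_UPGRADE_FILE].decode("ascii"),
            str(ipaddress.IPv4Address(fields[TLV_SW_UPGRADE_TFTP])))


def tamper_firmware(data, new_firmware):
    """Attacker without the secret: swap the filename and re-seal with a fresh CM MIC."""
    body = b""
    for _, t, v in parse_tlvs(data):
        if t == TLV_SW_UPGRADE_FILE:
            v = new_firmware.encode("ascii")
        elif t == TLV_CM_MIC:
            v = cm_mic(body)             # recomputable: no key involved
        # TLV_CMTS_MIC is copied unchanged; it cannot be recomputed without the secret
        body += tlv(t, v)
    body += bytes([TLV_END])
    return body + b"\x00" * (-len(body) % 4)


if __name__ == "__main__":
    secret = b"headend-shared-secret"    # made up
    good = build_config("cmx_fw_2_1.bin", "10.0.0.5", secret)
    bad = tamper_firmware(good, "evil_fw.bin")
    print("genuine: modem", verify_as_cm(good), "CMTS", verify_as_cmts(good, secret))
    print("forged:  modem", verify_as_cm(bad), "CMTS", verify_as_cmts(bad, secret),
          "->", software_upgrade(bad))
```

The point this makes for the question in the original post: the only check the modem itself can perform on the config file is the unkeyed CM MIC, which any party able to put a file in front of the modem can produce, so the modem has no cryptographic way to tell a headend-issued file from a forged one. The keyed check is the CMTS MIC, and it is the CMTS, not the modem, that verifies it at registration; because that HMAC also covers the CM MIC, swapping the firmware filename forces a new CM MIC, which the CMTS then rejects, provided the operator has actually configured a shared secret on the CMTS.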


