Bugtraq mailing list archives

KSR[T] Advisories #012: Hybrid Network's Cable Modems


From: ksrt () KSRT ORG (KSR[T] Contact Account)
Date: Wed, 6 Oct 1999 09:24:03 -0400


KSR[T] Security Advisories http://www.ksrt.org
Contact Account:           ksrt () ksrt org
Advisory Subscription:     Send an empty message to:
                           ksrt-advisories-subscribe () ksrt org
----

                                                  KSR[T] Advisory #012
                                                  Date:  Oct.  6  1999
                                                  ID #:  hybr-hsmp-012

Affected Program:    Hybrid Network's Cable Modems

Author:              David Goldsmith <dhg () ksrt org>

Summary:             Remote attackers can anonymously reconfigure any
                     Hybrid Network's cable modem that is running HSMP.
                     This can be used to steal information and
                     login/password pairs from cable modem users.

Problem Description: Hybrid Network's cable modems can be configured via
                     a UDP based protocol called HSMP.  This protocol
                     does not require any authentication to perform
                     configuration requests.  Since UDP is easily spoofed,
                     configuration changes can be made anonymously.

Compromise:          There are a plethora of denial of service attacks
                     involving bad configuration settings (ethernet
                     interfaces set to non-routable IP addresses, et al).
                     HSMP can also be used to configure the DNS servers
                     used by cable modem users, allowing attackers to
                     redirect cable modem subscribers to a trojan site.

                     More complex and theoretical attacks could involve
                     the running of actual code through the debugging
                     interface.  This might allow remote attackers to
                     deploy ethernet sniffers on the cable modem.

Notes:               KSR[T] found this vulnerability in parallel with
                     Paul S. Cosis <sili () l0pht com> and the l0pht.  We
                     would like to thank them for their input to this
                     advisory.

Patch/Fix:           Cable providers should block out HSMP traffic
                     (7777/udp) on their firewalls.
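                     The following is an added example, not code from
                     the advisory or from KSR[T]: it shows the check a
                     cable provider could run over flow records to find
                     HSMP (7777/udp) datagrams reaching modems from the
                     wrong side of the border, and it emits the drop
                     rules the fix above calls for.  The flow-line
                     format, the provider address space (10.0.0.0/8), the
                     interface names ("ext"/"int") and the use of
                     iptables are all assumptions made for the example.

```python
# Added example (not part of the KSR[T] advisory).  Flags HSMP (7777/udp)
# datagrams that arrive from outside the provider's network, or that carry a
# spoofed internal source address on the external interface, and produces
# border firewall rules implementing the advisory's fix.
import ipaddress
from typing import Dict, List

HSMP_PORT = 7777  # from the advisory: HSMP is carried over 7777/udp

# Assumed provider address space and interface names (placeholders).
PROVIDER_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXTERNAL_IFACE = "ext"


def is_internal(addr: str) -> bool:
    """True if addr belongs to the (assumed) provider address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROVIDER_NETS)


def parse_flow(line: str) -> Dict[str, str]:
    """Parse one constructed flow line:
    '<iface> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>'."""
    iface, proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"iface": iface, "proto": proto, "src_ip": src_ip,
            "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}


def flag_hsmp(lines: List[str]) -> List[Dict[str, str]]:
    """Return HSMP requests that should not have reached a modem."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "udp" or int(f["dst_port"]) != HSMP_PORT:
            continue
        internal_src = is_internal(f["src_ip"])
        if f["iface"] == EXTERNAL_IFACE and internal_src:
            # A provider address arriving on the external interface can only
            # be spoofed; this is the anonymous case the advisory describes.
            f["reason"] = "hsmp-spoofed-internal-source"
        elif not internal_src:
            f["reason"] = "hsmp-from-external-address"
        else:
            continue  # management traffic from inside the provider
        findings.append(f)
    return findings


def iptables_rules(interface: str) -> List[str]:
    """Border rules for the advisory's fix: drop HSMP arriving on the
    external-facing interface.  Returns rule strings for review only."""
    return [
        f"iptables -A INPUT -i {interface} -p udp --dport {HSMP_PORT} -j DROP",
        f"iptables -A FORWARD -i {interface} -p udp --dport {HSMP_PORT} -j DROP",
    ]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "int udp 10.1.2.3:5000 -> 10.9.9.9:7777",     # management host inside: ok
    "ext udp 203.0.113.7:4444 -> 10.9.9.9:7777",  # external source: flag
    "ext udp 10.1.2.3:5000 -> 10.9.9.9:7777",     # internal src on ext: spoofed
    "int udp 10.9.9.9:7777 -> 10.1.2.3:5000",     # reply, dst port is not 7777
    "ext tcp 203.0.113.7:4444 -> 10.9.9.9:7777",  # not udp
]

if __name__ == "__main__":
    for finding in flag_hsmp(SAMPLE_FLOWS):
        print(finding["reason"], finding["src_ip"], "->", finding["dst_ip"])
    for rule in iptables_rules(EXTERNAL_IFACE):
        print(rule)
```

                     Blocking the port at the border stops Internet-originated
                     HSMP, but it does not stop a subscriber on the cable
                     segment itself from spoofing a provider address;
                     the interface check above is what catches that
                     case, and it needs flow records that include the
                     ingress interface.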

Links:               KSR[T] had initially written a demonstration
                     HSMP client which is located at:

                     http://www.ksrt.org/ksrt-hsmp.tar.gz

                     There is also another HSMP client located at:

                     http://www.larsshack.org/sw/ccm/

                     l0pht modified the above client and added
                     the ability to spoof the source address, allowing
                     for the anonymous reconfiguration of Hybrid cable
                     modems.  Their client is located at:

                     http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz

