Bugtraq mailing list archives
KSR[T] Advisories #012: Hybrid Network's Cable Modems
From: ksrt () KSRT ORG (KSR[T] Contact Account)
Date: Wed, 6 Oct 1999 09:24:03 -0400
KSR[T] Security Advisories    http://www.ksrt.org
Contact Account: ksrt () ksrt org
Advisory Subscription: Send an empty message to: ksrt-advisories-subscribe () ksrt org
----

KSR[T] Advisory #012
Date: Oct. 6 1999
ID #: hybr-hsmp-012

Affected Program: Hybrid Network's Cable Modems

Author: David Goldsmith <dhg () ksrt org>

Summary: Remote attackers can anonymously reconfigure any Hybrid Network's cable modem that is running HSMP. This can be used to steal information and login/password pairs from cable modem users.

Problem Description: Hybrid Network's cable modems can be configured via a UDP based protocol called HSMP. This protocol does not require any authentication to perform configuration requests. Since UDP is easily spoofed, configuration changes can be made anonymously.

Compromise: There are a plethora of denial of service attacks involving bad configuration settings (ethernet interfaces set to non-routable IP addresses, et al). HSMP can also be used to configure the DNS servers used by cable modem users, allowing attackers to redirect cable modem subscribers to a trojan site. More complex and theoretical attacks could involve the running of actual code through the debugging interface. This might allow remote attackers to deploy ethernet sniffers on the cable modem.

Notes: KSR[T] found this vulnerability in parallel with Paul S. Cosis <sili () l0pht com> and the l0pht. We would like to thank them for their input to this advisory.

Patch/Fix: Cable providers should block out HSMP traffic (7777/udp) on their firewalls.

Links: KSR[T] had initially written a demonstration HSMP client which is located at:

http://www.ksrt.org/ksrt-hsmp.tar.gz

There is also another HSMP client located at:

http://www.larsshack.org/sw/ccm/

l0pht modified the above client and added the ability to spoof the source address, allowing for the anonymous reconfiguration of Hybrid cable modems. Their client is located at:

http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz
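The filtering recommended under Patch/Fix, as an added example that is not part of the advisory or of KSR[T]'s code: because HSMP has no authentication and UDP source addresses can be spoofed, a rule that trusts the source address alone still lets spoofed packets through, so the decision has to include the arrival interface. The address ranges, interface names and the idea that a provider management network still needs HSMP access are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

HSMP_PORT = 7777  # 7777/udp, as given in the advisory

# Assumed for illustration; none of these values come from the advisory.
MGMT_NET = ipaddress.ip_network("10.255.0.0/24")  # provider's modem-management hosts
MODEM_NET = ipaddress.ip_network("10.20.0.0/16")  # cable modem addresses
TRUSTED_IFACES = {"mgmt0"}                        # interface facing the management hosts

@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    proto: str
    src: str
    dst: str
    dport: int

def is_hsmp_to_modem(p):
    return (p.proto == "udp" and p.dport == HSMP_PORT
            and ipaddress.ip_address(p.dst) in MODEM_NET)

def naive_verdict(p):
    """Weak policy: trusts the UDP source address alone."""
    if is_hsmp_to_modem(p) and ipaddress.ip_address(p.src) not in MGMT_NET:
        return "DROP"
    return "ACCEPT"

def verdict(p):
    """Hardened policy: HSMP is accepted only on the management interface."""
    if not is_hsmp_to_modem(p):
        return "ACCEPT"
    if p.iface in TRUSTED_IFACES and ipaddress.ip_address(p.src) in MGMT_NET:
        return "ACCEPT"
    return "DROP"  # covers external, subscriber-side and spoofed-source packets

# Constructed sample traffic (documentation and private address ranges).
SAMPLE = [
    Packet("mgmt0", "udp", "10.255.0.5", "10.20.3.7", 7777),    # management host
    Packet("inet0", "udp", "198.51.100.9", "10.20.3.7", 7777),  # Internet source
    Packet("inet0", "udp", "10.255.0.5", "10.20.3.7", 7777),    # management address, wrong interface
    Packet("cust0", "udp", "10.20.9.9", "10.20.3.7", 7777),     # subscriber to modem
    Packet("inet0", "udp", "198.51.100.9", "10.20.3.7", 53),    # unrelated traffic
]

def audit(packets):
    """Return (hardened, naive) verdicts per packet."""
    return [(verdict(p), naive_verdict(p)) for p in packets]
```

The third sample packet is the case the advisory's spoofing remark points at: the source-address rule accepts it, the interface-bound rule drops it.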