Lag Security Advisory - Com21 cable modem configuration file feeding vulnerability

[David Laganière <spanska () securinet qc ca>]

I have no idea if this went out somehow, but here it is. I completely 
apologize if this has been posted in the past. This is the second time
I post this one on Bugtraq. It didn't get through for an unknown reason 
and there aren't any records about it on the SecurityFocus website
so I guess it was never posted.

The advisory is also available in Word and HTML format at:
http://lag.securinet.qc.ca/papers.html

David

--

Lag Security Advisory
Com21 cable modem configuration file feeding vulnerability

Release date: November 1, 2002.
Vulnerability discovery date: Over six (6) months ago.

.systems affected.
All Com21 DOXport 1110 cable modems with software version 2.1.1.106.
Version 2.1.1.108.003 appears not to be vulnerable.

Please note that this vulnerability might affect other vendors’ cable 
modems. In fact, all cable modems trying to contact a TFTP server on the 
cable-side of the user are vulnerable.

.overview.
It is possible for an end-user to feed the cable modem with its own 
configuration file, and thus, specifying the number of CPE, 
download/upload speeds, and a few other options.

.impact.
Well, obviously, the user could have access to features that he does not 
pay for.

.solution.
Upgrading the software to version 2.1.1.108.003 or any other software 
version that is not vulnerable.

.complete description.
With a given program, an end-user is able to create cable modem 
configuration files following the DOCSIS standard. With a vulnerable 
Com21 cable modem, the user can create a TFTP, DCHP and BOOTP server to 
successfully feed the cable modem with its own configuration file. I 
used a program called docsis (http://docsis.sourceforge.net/) to first 
create the configuration file.

Then, I used tcpdump (http://www.tcpdump.org/) to capture packets from 
the wire to discover what boot options were required for my cable modem. 
I also used an SNMP client to discover the internal IP of my cable modem 
from the main router. Knowing this, I was also able to view the cable 
modem web page as well as change SNMP options.

With all this load of information, I created a DHCP server (I also added 
an IP alias to my Ethernet card so that it could give the internal IP to 
the cable modem), a BOOTP server and finally a TFTP server. After a 
couple of hard reboots of my cable modem, I could see in my TFTP server 
logs that the device download its configuration file from my server. I 
then tried to access the Internet and it worked as normally.

.conclusion.
Many Internet providers offering cable modem access to the Internet 
appears not to be aware of those vulnerabilities. I supplied a detailed 
description of how to exploit the problem for the users to help their 
network administrators to fix the problem. And as always, if you make 
crazy things out of this, I am in no way responsible for all your problems.