Vulnerability Development mailing list archives

Re: swbell DSL bug ?


From: Jeffrey.Karpenko () RHIGROUP COM (Jeffrey Karpenko)
Date: Mon, 8 May 2000 12:38:23 -0400


Jamie:
        Very interesting approach.  I am new to the DSL arena and haven't
thought of using private addresses for customer use.  It should really
prevent all intrusion attempts from the outside.  However, it sounds like a
bear to manage and log, especially when the ISP tracks which user was using
what IP at any specific time.

        There are some possible security issues with the DSL service I
subscribe to.  My ISP provides the Cisco 677 DSL modem with its package.
The 677 can be connected to via the Console port and if a CTRL-C is executed
as soon as the "Hello!" prompt is visible, then the 677 is booted into RMON
mode where a "db" command of a memory location of 80030 with a range of 350
will show the encrypted passwords used in the configuration.  The encryption
is easily broken and ENABLE access is just a "rb" and login away.  While in
ENABLE mode I noticed there is a userid and password in the config.  Looking
at it I can guess that all other 677 routers provided by my ISP will have
the exact same userid and password.  Hmmm, interesting.

        In your opinion, is this a hole?

Jeffrey

-----Original Message-----
From: jamie.phillips () ns sympatico ca
[mailto:jamie.phillips () ns sympatico ca]
Sent: Monday, May 08, 2000 11:57 AM
To: Jeffrey Karpenko; VULN-DEV () SECURITYFOCUS COM
Subject: RE: swbell DSL bug ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jeff,

    Keeping in mind that IP address assignment is but one small
aspect of DHCP service, I would agree with your point that upon
waiting for the ARP cache to clear it is possible for another address to
be leased.  However, that is not always the case; for instance I know
that with NetID you can assign a scope to have statically assigned
DHCP IP addresses.  Obviously there is much other info in the DHCP
packets besides address, i.e. DNS, default routers etc., as well as
management benefits to having this info dynamically assigned.
    Further, with my ISP, while each customer is assigned the same
address internally, these static addresses are not routable IPs (i.e.
10.x.x.x).  The internal address assigned according to MAC address is
translated by an edge proxy into valid routable IPs.  This proxy/NAT
also provides address rotation so that every couple minutes or so my
external routable IP is different while my internal stays the same.
They log associations on the proxy and can adequately track what is
who (provided you have not hijacked another member's MAC addy).  So,
anyways, I agree this is certainly not a bug.....just interesting to
think about!

Jamie

- -----Original Message-----
From: Jeffrey Karpenko [mailto:Jeffrey.Karpenko () rhigroup com]
Sent: May 8, 2000 12:24 PM
To: 'J . Phillips'; VULN-DEV () SECURITYFOCUS COM
Subject: RE: swbell DSL bug ?

Jamie:
        From what you are saying it seems your ISP is providing Static IP
Addresses to the customer.  I say that because you indicate that each
person has an IP Address assigned to them and it is recorded that that
person now owns that address.  If I am misunderstanding you then . . . well.
Anyway, ISPs will be using DHCP.  My ISP, for instance, is using DHCP.  Now
while my lease of the IP Address expires after 180,000 seconds (2.08 days),
I can be fairly certain that I can obtain the same IP Address the next time
I login because the ARP is still cached.  However, if I wait a long while
before logging in again, I am fairly certain my IP will change.  I haven't
actually attempted this yet mind you.  I would assume that if my current ISP
has very few customers then regardless of whether the ARP Cache clears or
not, I would probably obtain the same IP Address.  However, if the ISP DSL
customer base were to grow, then so would the chances that my IP Address
would be taken by some other user once my 180,000 seconds expired.
        In either case it is not a bug.

Jeffrey

Absolutely, my DSL provider's DHCP will only assign an IP to the MAC
address on the NIC they provided, and it is always the same internal
IP.  There are however ways to change the burned-in address, with
which you could theoretically borrow someone else's IP on the same
subnet, provided they did not have an IP already leased (or perhaps
even if they do?).

Jamie

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBORbj49GSUCkLAscrEQK/GACg1Mr08qR3ZLFtydpj874iZwvLjwsAoLWk
sWrkMjOI80s8uBH2whO+UvjT
=SMCh
-----END PGP SIGNATURE-----
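Added worked example (not code from any of the posts above): a small Python model of the lease and address-translation behaviour the thread argues over. It assumes a private address pool, the 180,000-second lease Jeffrey quotes, an optional MAC-pinned reservation scope like the "static DHCP" Jamie describes, and an edge NAT that swaps the public address every couple of minutes and logs each association. Every MAC, private address and public address in it is constructed sample data. It shows why a returning client usually gets its old address back on a quiet server even after the lease has lapsed, how a growing customer base takes that address away, how the NAT log traces a public address at a given time back to an internal one, and why a NIC reprogrammed to another member's MAC defeats both the reservation and the attribution.

```python
"""Toy model of the DHCP lease and edge-NAT behaviour argued over in the
thread (added example, not code from the posts).  Every MAC and address
below is constructed sample data; see the lead-in for the assumptions."""
from typing import Dict, List, NamedTuple, Optional, Tuple

LEASE_SECONDS = 180_000   # 2.08 days, the lease length quoted in the thread
ROTATE_SECONDS = 120      # "every couple minutes or so" for the edge NAT

Lease = NamedTuple("Lease", [("mac", str), ("ip", str), ("expires_at", int)])


class DhcpServer:
    """Per-MAC address assignment.  A live lease renews in place; an expired
    one returns to the pool, but a returning client is still offered its old
    address if nobody took it (RFC 2131 says a server SHOULD try).  A reservation
    pins one address to one MAC; the server cannot tell a genuine MAC from a copy."""

    def __init__(self, pool: List[str], reservations: Optional[Dict[str, str]] = None):
        self.pool = list(pool)
        self.reservations = dict(reservations or {})   # mac -> pinned address
        self.leases: Dict[str, Lease] = {}             # ip -> live lease
        self.last_ip: Dict[str, str] = {}              # mac -> address last held

    def _grant(self, mac: str, ip: str, now: int) -> str:
        self.leases[ip] = Lease(mac, ip, now + LEASE_SECONDS)
        self.last_ip[mac] = ip
        return ip

    def request(self, mac: str, now: int) -> Optional[str]:
        for ip in [ip for ip, l in self.leases.items() if l.expires_at <= now]:
            del self.leases[ip]                        # expired: back to the pool
        if mac in self.reservations:
            ip = self.reservations[mac]
            holder = self.leases.get(ip)
            return self._grant(mac, ip, now) if holder is None or holder.mac == mac else None
        for lease in self.leases.values():             # renewal of a live lease
            if lease.mac == mac:
                return self._grant(mac, lease.ip, now)
        reserved = set(self.reservations.values())
        old = self.last_ip.get(mac)
        if old and old not in self.leases and old not in reserved:
            return self._grant(mac, old, now)          # old address still free
        for ip in self.pool:                           # otherwise the first free one
            if ip not in self.leases and ip not in reserved:
                return self._grant(mac, ip, now)
        return None                                    # pool exhausted


class EdgeNat:
    """Rotates the public address seen for each internal one and logs every
    (time, internal, external) pair so an abuse report can be traced back."""

    def __init__(self, public: List[str]):
        self.public = list(public)
        self.log: List[Tuple[int, str, str]] = []

    def external_for(self, internal: str, now: int) -> str:
        # Deterministic rotation: last octet plus the current rotation slot.
        slot = (int(internal.rsplit(".", 1)[1]) + now // ROTATE_SECONDS) % len(self.public)
        self.log.append((now, internal, self.public[slot]))
        return self.public[slot]

    def who_had(self, external: str, at: int) -> Optional[str]:
        """Internal address most recently mapped to `external` at or before `at`.
        It names the address (hence the reservation's MAC), not who really sent:
        a MAC hijacker shows up in this log as the member whose MAC they copied."""
        hits = [i for t, i, e in self.log if e == external and t <= at]
        return hits[-1] if hits else None


def scenario() -> Dict[str, bool]:
    """Replays the thread's claims against the model; each value is a verdict."""
    out: Dict[str, bool] = {}
    a, b, c = "00:10:a4:aa:aa:aa", "00:10:a4:bb:bb:bb", "00:10:a4:cc:cc:cc"
    dhcp = DhcpServer(["10.0.0.10", "10.0.0.11", "10.0.0.12"])
    ip0 = dhcp.request(a, now=0)
    t1, t2, t3 = 1_000, 1_000 + LEASE_SECONDS + 10, 1_000 + 2 * LEASE_SECONDS + 30
    out["renewed_before_expiry"] = dhcp.request(a, now=t1) == ip0
    out["same_after_expiry_quiet_isp"] = dhcp.request(a, now=t2) == ip0
    dhcp.request(b, now=t3)                # customer base grows while A is offline
    dhcp.request(c, now=t3 + 1)
    out["address_taken_after_expiry"] = dhcp.request(a, now=t3 + 10) != ip0

    owner, stranger = "00:50:da:11:11:11", "00:50:da:22:22:22"
    isp = DhcpServer(["10.1.0.2", "10.1.0.3"], reservations={owner: "10.1.0.2"})
    nat = EdgeNat(["203.0.113.5", "203.0.113.6", "203.0.113.7"])
    internal = isp.request(owner, now=0)
    ext_a, ext_b = nat.external_for(internal, 0), nat.external_for(internal, 5 * ROTATE_SECONDS)
    out["internal_fixed_external_rotates"] = internal == "10.1.0.2" and ext_a != ext_b
    out["traceable"] = nat.who_had(ext_b, at=5 * ROTATE_SECONDS) == internal
    out["stranger_refused"] = isp.request(stranger, now=1) != "10.1.0.2"
    # A NIC reprogrammed to the owner's MAC looks like a renewal, even mid-lease.
    out["spoofed_mac_takes_it"] = isp.request(owner, now=2) == "10.1.0.2"
    return out


if __name__ == "__main__":
    print(scenario())
```

Running the file prints one verdict per claim, all True. The two things worth noticing are in the last lines of each half: the address only moves once other clients have grabbed it during the gap, and the MAC-pinned scope offers no defence against a copied MAC, which is also why the NAT association log names the legitimate member rather than the hijacker.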
