Vulnerability Development mailing list archives
Re: RCA cable modem Deny of Service
From: "Michael H. Warfield" <mhw () wittsend com>
Date: Mon, 1 Apr 2002 12:05:06 -0500
On Tue, Mar 26, 2002 at 11:48:16PM -0500, Rob Koliha wrote:
You can do that with any docsis modem.. All of them use the snmp community 'public' for read/write access..
No... This is not correct. On either point.
I'm aware of a number of DOCSIS modems which do not seem to support
SNMP at all. They seem to have some web server management interface
however. I think someone mentioned to me the Motorola Surfboard in that
context but, having no personal first hand experience with the Surfboard,
I can not personally confirm that. I was informed of the existance
of these ono-SNMP enabled modems when I made similar claims in front
of people who have them and have tried to poke at them for SNMP and
failed. I only have their word to go on there.
Most of the ones that do support SNMP have the "write" community
changed to some other string when the modem downloads it's configuration
from the head-end via bootp. Of course, it's pretty trivial to look in
the SNMP dump from the modem for the IP address of the tftp server and
the name of the configuration file and then, from there, download the
file and decompile it to determine the write access community name.
This much I CAN confirm from personal experience with the Toshiba
PCX 1100U on an AT&T Broadband network.
There really isn't any physically identifiying information in a snmp walk of a modem (or by using docsdiag.jar to do it)... Signal levels, interface statistics, etc.. You can tell if they're using usb or ether and you can probably pull the client ip's (CPE's) from the walk..
You can also dump mac addresses and ACLs. If you know someone's
real IP address you can identify a modem as belonging to them by the
existance of their public IP address in the tables on the modem. This
I have done.
The docsis_light_avalos is odd, but I think that it may be the config file the modem is using or another configuration variable (possibly specific to the rca?).. It would be pretty crazy if your mso was snmp writing physically identifying information in every modem! At any rate that's a problem with your isp, not rca.
Any snmp values that are written are reset when you unplug the modem for an extended period (15min+) or reset it using a software tool(motorola) or the physical reset button(toshiba)..
The 10.x.x.x side of the modem is kind of wide open, but it's also fairly safe because unless you get someone to tell you their modem ip (or you get it directly from their modem (physically) you don't have any way to find it out other than guessing (which btw only works if your both on the same modem network)..
Which can be rather large. I can dump the MIB from my son's
cable modem from my site and we are on different subnets (in different
cities, several miles apart). IOW... If you are on AT&T Broadband, you
can pretty much dump the MIB from the cable modem of anyone else on AT&T
broadband. That's a pretty big playpen. As the big boys eat the
little boys, that playpen gets bigger.
As far as guessing goes, there's a pattern to that madness as well
at least as far as AT&T goes (and probably others as well). The modem
is going to be on the 10.* network so the high octet of the address will
be 10. The netmask will be identical to the netmask of public address
on your computer interface. The remainder of the network address will
be the same between the two devices.
Example:
Address from dhcp Network Cablemodem subnet
24.98.10.21/22 24.98.8.0/22 10.98.8.0 / 22
The host address field is fed out by dhcp and will be "random"
within the subnet and not correlate between the host address of the
interface and the host address of the cable modem.
Now, you can sniff your interface for ARPs and get a quick
idea of your cable modems 10-net address (you will see the head end
system broadcasting arp requests and you modem responding) or you can
scan the 10-net subnet you know your cable modem is on and look for
who is there and who has your cable modems MAC address or your interface
IP address. Probing for someone elses cable modem is only slightly
more complicated.
It would be fairly simple to develop a tool to find active 10.x.x.x ranges and then snmp poll every ip in those ranges and compile a list of internet ip's behind modems.. That might not tell you much as far as physical location but you could use the information to determine what a persons modem ip was if you had their real ip and they were on your modem network..
You can do it with a script. It's trivial.
Another thing with the snmp side is the recent protos snmp test suite.. _A LOT_ of the modems lockup when you use this tool on the 192.x.x.x or the 10.x.x.x interface.. It probably wouldn't be hard to make a mass denial of service attack that would hit all/selected ranges of 10.x.x.x addresses with the snmp exploit.. This would effectively lock up any vulnerable modem and would require the user to powercycle to restore service..
The main thing to keep in mind is that the 10.x.x.x addy's aren't public and people outside of your modem network can't communicate with them.. If anyone turns the above concepts into an exploit I'd appreciate a copy ;)
Again, that can be a very VERY large playpen. It's not restricted
your colision zone or subnet.
Rob Koliha HSDT Charter Communications
Gabriel A. Maggiotti wrote:------------------------------------------------------------------------ ------------------------------------------------------------------------------ Web: http://qb0x.net Author: Gabriel A. Maggiotti Date: March 26, 2002 E-mail: gmaggiot () ciudad com ar ------------------------------------------------------------------------------ General Info ------------ Problem Type : deny of service, misconfiguration and leak of information Vendor : www.rca.com Product : RCA cablemodems Model : DCM225 (perhaps others) Scope : Remote Risk : High Summary: ------- The RCA Digital Cable Modem serves as a two-way high-speed bridge between your personal computer and a cable Internet Service Provider (ISP). i It converts information that originates from the Internet or your computer into electronic messages that can be transported over the same wires your cable company uses to transport video signals. Problem: ------- 1- Deny of Service: The RCA cable modem has two devices, the one for local connection is 192 .168.100.1 . This device is used for information request about the status of the cable. The other device is 10.x.x.x and gives the same information. If you connect to the second device (10.x.x.x) on port 80, RCA cable modem reset the user connection with inet. I proved it with my own wan ip 10.1.1 .x and with other cablemodem users IP's in the same wan. All of them reset when I remotly connect to port 80 of the cablemodems. 2- Leak of Information: I can connect to the wan IP 10.x.x.x of any cablemodem user in my node,< br>and take a look at the users cablemodem status information such as: USB: Inactive Ethernet: 100 BaseT MAC Address: 00 10 95 0a 05 62 User: Active Signal Acquired at 573 MHz SNR: 36.0 dB Received Signal Strength: -4.0 dBmV Micro-Reflections: 20 dBc Connection: Acquired Frequency: 37 MHz Power Level: 44.0 dBmV Channel ID: 4 Number of user conected: 1 I can dump user cablemodem MIB's too. I can search in MIB table looking for my node server. I know that the node IP start with 10.x.x.x and I started to search in the MIB Ops, a found it! 69.1.4.2.0 = IpAddress: 10.20.250.1 69.1.4.3.0 = IpAddress: 10.20.250.1 69.1.4.4.0 = IpAddress: 10.20.250.1 69.1.4.5.0 = "docsis_light_avalos" And then I recognize the word "avalos" becouse is the name of the street w here the node fisicaly is. 3- Misconfiguration cause you can write my own MIB table. Take a look: <quote> [gabi@pluto gabi]$ snmpwalk 192.168.100.1 public system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 65731049496572, HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS: PSOS 2.5.0 system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0 system.sysUpTime.0 = Timeticks: (141857) 0:23:38.57 system.sysContact.0 = unassigned sysContact system.sysName.0 = system.sysLocation.0 = system.sysServices.0 = 79 [gabi@pluto gabi]$ snmpset 192.168.100.1 public system.sysName.0 s lame system.sysName.0 = lame [gabi@pluto gabi]$ snmpset 192.168.100.1 public system.sysLocation.0 s lame_cyty system.sysName.0 = lame_city [gabi@pluto gabi]$ snmpwalk 192.168.100.1 public system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 65731049496572, HW_Version 025 (03.1), SW_Versio n ST05.14.00, Bootloader_Ver 11.1, OS: PSOS 2.5.0 system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0 system.sysUpTime.0 = Timeticks: (161396) 0:26:53.96 system.sysContact.0 = unassigned sysContact system.sysName.0 = lame system.sysLocation.0 = lame_city system.sysServices.0 = 79 </quote> ------------------------------------------------------------------------------ research-list () qb0x net is dedicated to interactively researching vulnerab- ilities, report potential or undeveloped holes in any kind of computer system. To subscribe to research-list () qb0x ne t send a blank email to research-list-subscribe () qb0x net. More help available sending an email to research-list-help () qb0x net. Note: the list doesn't allow html, it will be stripped from messages. ------------------------------------------------------------------------------
-- Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Current thread:
- Re: RCA cable modem Deny of Service Michael H. Warfield (Apr 01)