Re: DOCSIS vulnerability

["Laurence Brockman" <laurence () fluxinc com>]

The question is though, how do you find out the shared secret of your cable
modem's config file? Sure, you can get a config file onto the modem, but if
the shared secret doesn't match what the cable companies routers have, then
the router will not allow the cable modem to finish booting (With some kind
of permission error, can't remember off hand).

Other then social engineering, I'm not sure how this would be done.  I'd be
interested to know if there's a way around this.

Thanks,
Laurence

----- Original Message -----
From: "Matthew S. Hallacy" <poptix () techmonkeys org>
To: <vuln-dev () securityfocus com>
Sent: Monday, March 11, 2002 8:54 PM
Subject: DOCSIS vulnerability


> Hi,
>
> Apparently this isn't bugtraq worthy (my posts weren't rejected, they were
simply
> deleted), so I'll send it here.
>
> ---
>
> Pre-ramble:
>
> I've been debating this for a while, but now I'm sufficiently
> agitated by dishonest cable ISP's to post it.
>
> Background:
>
> DOCSIS was created to be a standard for data over cable systems so
> that a cable modem that worked on one system would work just as well on
the
> next, this brings down hardware costs, as well as training costs. Basicly
> you plug the cable modem in, it acquires a data path to the ISP's
hardware,
> and sends a BOOTP request. The BOOTP reply that it recieves contains a few
> items, a syslog server, a tftp server, a time server, and a config file to
> download from the TFTP server. Until now everyone has claimed that it's
> impossible to disrupt this, 6 months ago I found a way to.
>
> Ramifications:
>
> Everything from 'uncapping' your cable modem to being able to destroy
> the cable network you're connected to, this is how cable companies
> rate limit their customers, it's how they keep their customers
> DHCP servers from replying to DHCP requests from other customers,
> it's also how they block everything from netbios to web servers.
> this is also the method used to restrict customers to a certain
> number of IP addresses.
>
> Details:
>
> It's a simple attack, while the modem is booting it looks for the address
> of the TFTP server, simply assaign that address to your system and ping
> the cable modem on its management address (usually 192.168.100.1). It will
> then connect to your machine to download the TFTP configuration file.
>
> This is known to work on the following models:
> Motorola (all models)
> 3Com Sharkfin
> Toshiba PCX 1100
>
> This is known to NOT work on these models:
> RCA DCM235
> 3Com CMX
>
>
>
> Copyright:
> If you're redistributing this, keep it intact.
> (c) 2002 Matthew S. Hallacy