Vulnerability Development mailing list archives
Re: DOCSIS vulnerability
From: Rob Koliha <rkoliha () charter net>
Date: Tue, 12 Mar 2002 18:59:36 -0500
This is quite an old issue.. There are half written documents on how to do it everywhere ;) In most of the howtos I've seen a step or two is missing.. It won't work on a lot of the modems out there, I know it will work with motorola but it doesn't work on most toshiba and com21's. Basically since the ethernet interface comes up before the rf interface, when you ping it your exploiting an arp table bug and fooling the modem into thinking that the tftp server lies on the wrong interface. This can be circumvented a few different ways.. Doing it with a packetshaper would be pretty expensive since you could possibly need thousands of flows (and you only get so many flows with each model) and packetshapers are not cheep. The best way to get around it is setting up the shared password stuff on the cmts (results in a little higher load, but prevents theft of service). A plaintext password or key is encoded into the .bin file that is downloaded and the cmts checks the key that the modem has before allowing it to go online. I know for a fact the docsis config decoder/encoder won't really decode the passphrase.. There may be other apps out there (or in the works) that will. More and more cable isp's will enable this as time goes on and hopefully the hardware manufacturers have fixes in place or in the works.. Firmware upgrades are done from the provider side, meaning it would be quite easy for affected modems to be fixed with a new release. It would be a little bit of a pain to prevent your modem from being patched. There are also QoS (quality of service) tables on each router (uBR) which your isp monitors.. If you push your modem higher than a speed level that your isp sells you stick out like a sore thumb. Once they find that you've hacked it you will either get one warning or they will disconnect you and refuse to serve you. If you have no other broadband alternatives it could really suck. It would also be bad if you enjoy vod and other 2 way cable services (as they could just as easily refuse data and tv both and cut/put a trap on your lines). Performing the hack could also probably land you in just as much hot water as the theft of tv services. Rob Koliha Charter Communications / Charter Pipeline Hickory, NC PS: in no way have my statements here represented Charter Communications, I am just a member of the list who happens to be happily employed for them ;) On 12 Mar 2002 10:07:02 -0600 Justin Ellison <justin () techadvise com> wrote:
I think you misunderstood his post. These vendors have allowed him to spoof the tftp server. He's not hacking the ISP's tftp server, he's creating his own files, placing them on his PC, and spoofing the ip of the ISP's tftp server. This is a vendor problem, because they should only allow the tftp request to complete on the RF interface, not the ethernet... Justin On Tue, 2002-03-12 at 04:49, Rense Buijen wrote:Maybe your posts were rejected because this is very old news. This is known for ages, I have such a cable modem and indeed you can get the config file by TFTP; decode, alter, encode and upload it, but the ISP's are not stupid and most of the time this is NOT how they cap your cable modem, they throw traffic into a packeteer or use other methods to squeeze your bandwidth. All the info can be gathered by a tool like this: http://www.weird-solutions.com/_bin/bootpq.exe And a simple google search shows up hundreds of articles explaining how you can "hack" DOCSIS cable modems, unfortunately (unless you have a completely clueless provider) all these tricks wont work. E.g: http://lists.wi2600.org/pipermail/2600/2001-October/008668.html Which dates from October 2001. (I tried it but my isp squeezes on the other end of the pipe, some things that you can alter though is bypass restrictions of how many computers could be connected right into the modem) With kind regards, Rense -----Original Message----- From: Matthew S. Hallacy [mailto:poptix () techmonkeys org] Sent: dinsdag 12 maart 2002 4:55 To: vuln-dev () securityfocus com Subject: DOCSIS vulnerability Hi, Apparently this isn't bugtraq worthy (my posts weren't rejected, they were simply deleted), so I'll send it here. --- Pre-ramble: I've been debating this for a while, but now I'm sufficiently agitated by dishonest cable ISP's to post it. Background: DOCSIS was created to be a standard for data over cable systems so that a cable modem that worked on one system would work just as well on the next, this brings down hardware costs, as well as training costs. Basicly you plug the cable modem in, it acquires a data path to the ISP's hardware, and sends a BOOTP request. The BOOTP reply that it recieves contains a few items, a syslog server, a tftp server, a time server, and a config file to download from the TFTP server. Until now everyone has claimed that it's impossible to disrupt this, 6 months ago I found a way to. Ramifications: Everything from 'uncapping' your cable modem to being able to destroy the cable network you're connected to, this is how cable companies rate limit their customers, it's how they keep their customers DHCP servers from replying to DHCP requests from other customers, it's also how they block everything from netbios to web servers. this is also the method used to restrict customers to a certain number of IP addresses. Details: It's a simple attack, while the modem is booting it looks for the address of the TFTP server, simply assaign that address to your system and ping the cable modem on its management address (usually 192.168.100.1). It will then connect to your machine to download the TFTP configuration file. This is known to work on the following models: Motorola (all models) 3Com Sharkfin Toshiba PCX 1100 This is known to NOT work on these models: RCA DCM235 3Com CMX Copyright: If you're redistributing this, keep it intact. (c) 2002 Matthew S. Hallacy-- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQA8hO+VBOGVGcv6DNwRAnATAJ41CA57cwrv71e3qhTzVFv2Pz6j0QCgonV7 TPZfyZ+m7eZX3oHeZ3YhT9E= =fFbZ -----END PGP SIGNATURE-----
Current thread:
- DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- RE: DOCSIS vulnerability Chris Chandler (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- Re: DOCSIS vulnerability Mark (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- Re: DOCSIS vulnerability Dave Ahmad (Mar 12)
- Re: DOCSIS vulnerability Laurence Brockman (Mar 12)
- <Possible follow-ups>
- RE: DOCSIS vulnerability Rense Buijen (Mar 12)
- RE: DOCSIS vulnerability Justin Ellison (Mar 12)
- Re: DOCSIS vulnerability Rob Koliha (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 13)
- RE: DOCSIS vulnerability Justin Ellison (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- RE: DOCSIS vulnerability Chris Chandler (Mar 12)
- Re: DOCSIS vulnerability dana shetterly (Mar 19)
- Re: DOCSIS vulnerability Siegfried Loeffler (Mar 20)
- Re: DOCSIS vulnerability Adam Wheeler (Mar 21)
- Wireless device vulnerability? Meritt James (Mar 22)
- Re: Wireless device vulnerability? J Edgar Hoover (Mar 22)
- Re: DOCSIS vulnerability Rob Koliha (Mar 22)
- Wireless device vulnerability? Meritt James (Mar 22)