Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: RCA cable modem Deny of Service
From: Mario Lorenz <ml () vdazone org>
Date: Wed, 27 Mar 2002 21:38:16 +0100

Problem:
-------

[...]
        If you   connect to the second device  (10.x.x.x) on port 80,  RCA cable
modem reset the user connection with inet. I proved it with my own wan ip 10.1.1
.x and with other  cablemodem users  IP's in the same wan.   All of  them  reset
 when I remotly  connect to port 80 of the cablemodems.

This is probably more a software bug or an annoyance than a DOS vulnerability.
You should not be allowed connect to the 10.x.x.x IPs anyway. Your Provider
can fix this with a simple filter rule either provisioned into each cable
modem or on the CMTS. It has always been good practice to separate Customer
networks and Management networks (to which the 10.x.x.x Modem IP's belong).
That is not cable modem specific. Write an advisory about your Cable Provider
lacking proper security measures, not about the cable modem :)

2-  Leak of Information:
     I can connect to the wan IP 10.x.x.x of any cablemodem user in my node,
and take a look at the users cablemodem status information such as:
[...]

a) see above, about filters to management networks
b) the information is hardly critical. It basically tells that you have a
   perfect connection.

     I can search in MIB table looking for my node server. I know that  the
node IP start with 10.x.x.x and I started to search in the MIB  Ops, a found
it!

69.1.4.2.0 = IpAddress: 10.20.250.1
69.1.4.3.0 = IpAddress: 10.20.250.1
69.1.4.4.0 = IpAddress: 10.20.250.1
69.1.4.5.0 = "docsis_light_avalos"

        And then I recognize the word "avalos" becouse is the name of the street
where the node fisicaly is.

Your Cable Provider did a) not separate the management network and b)
left the SNMP community strings at its defaults. There is nothing the Cable
Modem can do about. 

To summarize: Your "advisory" shoots the poor messenger, ie. your cable modem,
when your Cable Provider should be, uhm, well, I guess dropping him a note
should be sufficient :)

Mario
-- 
Mario Lorenz                            Internet:    <ml () vdazone org>
                                        Ham Radio:   DL5MLO () OK0PKL #BOH CZE EU
 "I hear that if you play the NT 4.0 CD backwards, you get a Satanic message!"
 "That's nothing. If you play it forward, it installs NT 4.0!"


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault