I have no idea if this went out somehow, but here it is. I completely
apologize if this has been posted in the past. This is the second time
I post this one on Bugtraq. It didn't get through for an unknown reason
and there aren't any records about it on the SecurityFocus website
so I guess it was never posted.
The advisory is also available in Word and HTML format at:
http://lag.securinet.qc.ca/papers.html
David
--
Lag Security Advisory
Com21 cable modem configuration file feeding vulnerability
Release date: November 1, 2002.
Vulnerability discovery date: Over six (6) months ago.
.systems affected.
All Com21 DOXport 1110 cable modems with software version 2.1.1.106.
Version 2.1.1.108.003 appears not to be vulnerable.
Please note that this vulnerability might affect other vendors’ cable
modems. In fact, all cable modems trying to contact a TFTP server on the
cable-side of the user are vulnerable.
.overview.
It is possible for an end-user to feed the cable modem with its own
configuration file, and thus, specifying the number of CPE,
download/upload speeds, and a few other options.
.impact.
Well, obviously, the user could have access to features that he does not
pay for.
.solution.
Upgrading the software to version 2.1.1.108.003 or any other software
version that is not vulnerable.
.complete description.
With a given program, an end-user is able to create cable modem
configuration files following the DOCSIS standard. With a vulnerable
Com21 cable modem, the user can create a TFTP, DCHP and BOOTP server to
successfully feed the cable modem with its own configuration file. I
used a program called docsis (http://docsis.sourceforge.net/) to first
create the configuration file.
Then, I used tcpdump (http://www.tcpdump.org/) to capture packets from
the wire to discover what boot options were required for my cable modem.
I also used an SNMP client to discover the internal IP of my cable modem
from the main router. Knowing this, I was also able to view the cable
modem web page as well as change SNMP options.
With all this load of information, I created a DHCP server (I also added
an IP alias to my Ethernet card so that it could give the internal IP to
the cable modem), a BOOTP server and finally a TFTP server. After a
couple of hard reboots of my cable modem, I could see in my TFTP server
logs that the device download its configuration file from my server. I
then tried to access the Internet and it worked as normally.
.conclusion.
Many Internet providers offering cable modem access to the Internet
appears not to be aware of those vulnerabilities. I supplied a detailed
description of how to exploit the problem for the users to help their
network administrators to fix the problem. And as always, if you make
crazy things out of this, I am in no way responsible for all your problems.
