Lag Security Advisory - Com21 cable modem configuration file feeding vulnerability. All Com21 DOXport 1110 cable modems with software version 2.1.1.106 are vulnerable to being fed a configuration file that will allow a user to have access to features that are not paid for by spoofing an ISP-side TFTP server to feed the data.
93b75a2bb541c3f857c15239803ce791The advisory is also available in Word and HTML format at:
http://lag.securinet.qc.ca/papers.html
--
Lag Security Advisory
Com21 cable modem configuration file feeding vulnerability
Release date: November 1, 2002.
Vulnerability discovery date: Over six (6) months ago.
.systems affected.
All Com21 DOXport 1110 cable modems with software version 2.1.1.106.
Version 2.1.1.108.003 appears not to be vulnerable.
Please note that this vulnerability might affect other vendors cable
modems. In fact, all cable modems trying to contact a TFTP server on the
cable-side of the user are vulnerable.
.overview.
It is possible for an end-user to feed the cable modem with its own
configuration file, and thus, specifying the number of CPE,
download/upload speeds, and a few other options.
.impact.
Well, obviously, the user could have access to features that he does not
pay for.
.solution.
Upgrading the software to version 2.1.1.108.003 or any other software
version that is not vulnerable.
.complete description.
With a given program, an end-user is able to create cable modem
configuration files following the DOCSIS standard. With a vulnerable
Com21 cable modem, the user can create a TFTP, DCHP and BOOTP server to
successfully feed the cable modem with its own configuration file. I
used a program called docsis (http://docsis.sourceforge.net/) to first
create the configuration file.
Then, I used tcpdump (http://www.tcpdump.org/) to capture packets from
the wire to discover what boot options were required for my cable modem.
I also used an SNMP client to discover the internal IP of my cable modem
from the main router. Knowing this, I was also able to view the cable
modem web page as well as change SNMP options.
With all this load of information, I created a DHCP server (I also added
an IP alias to my Ethernet card so that it could give the internal IP to
the cable modem), a BOOTP server and finally a TFTP server. After a
couple of hard reboots of my cable modem, I could see in my TFTP server
logs that the device download its configuration file from my server. I
then tried to access the Internet and it worked as normally.
.conclusion.
Many Internet providers offering cable modem access to the Internet
appears not to be aware of those vulnerabilities. I supplied a detailed
description of how to exploit the problem for the users to help their
network administrators to fix the problem. And as always, if you make
crazy things out of this, I am in no way responsible for all your problems.
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!