From: Justin Ellison [justin@techadvise.com] Sent: Tuesday, March 12, 2002 11:07 AM To: Rense Buijen Cc: vuln-dev@securityfocus.com Subject: RE: DOCSIS vulnerability I think you misunderstood his post. These vendors have allowed him to spoof the tftp server. He's not hacking the ISP's tftp server, he's creating his own files, placing them on his PC, and spoofing the ip of the ISP's tftp server. This is a vendor problem, because they should only allow the tftp request to complete on the RF interface, not the ethernet... Justin On Tue, 2002-03-12 at 04:49, Rense Buijen wrote: > Maybe your posts were rejected because this is very old news. > This is known for ages, I have such a cable modem and indeed you can get > the config file by TFTP; decode, alter, encode and upload it, but the > ISP's are not stupid and most of the time this is NOT how they cap your > cable modem, they throw traffic into a packeteer or use other methods to > squeeze your bandwidth. > > All the info can be gathered by a tool like this: > http://www.weird-solutions.com/_bin/bootpq.exe > > And a simple google search shows up hundreds of articles explaining how > you can "hack" DOCSIS cable modems, unfortunately (unless you have a > completely clueless provider) all these tricks wont work. > > E.g: http://lists.wi2600.org/pipermail/2600/2001-October/008668.html > > Which dates from October 2001. > > (I tried it but my isp squeezes on the other end of the pipe, some > things that you can alter though is bypass restrictions of how many > computers could be connected right into the modem) > > With kind regards, > > Rense > > -----Original Message----- > From: Matthew S. Hallacy [mailto:poptix@techmonkeys.org] > Sent: dinsdag 12 maart 2002 4:55 > To: vuln-dev@securityfocus.com > Subject: DOCSIS vulnerability > > Hi, > > Apparently this isn't bugtraq worthy (my posts weren't rejected, they > were simply > deleted), so I'll send it here. > > --- > > Pre-ramble: > > I've been debating this for a while, but now I'm sufficiently > agitated by dishonest cable ISP's to post it. > > Background: > > DOCSIS was created to be a standard for data over cable systems > so > that a cable modem that worked on one system would work just as well on > the > next, this brings down hardware costs, as well as training costs. > Basicly > you plug the cable modem in, it acquires a data path to the ISP's > hardware, > and sends a BOOTP request. The BOOTP reply that it recieves contains a > few > items, a syslog server, a tftp server, a time server, and a config file > to > download from the TFTP server. Until now everyone has claimed that it's > impossible to disrupt this, 6 months ago I found a way to. > > Ramifications: > > Everything from 'uncapping' your cable modem to being able to destroy > the cable network you're connected to, this is how cable companies > rate limit their customers, it's how they keep their customers > DHCP servers from replying to DHCP requests from other customers, > it's also how they block everything from netbios to web servers. > this is also the method used to restrict customers to a certain > number of IP addresses. > > Details: > > It's a simple attack, while the modem is booting it looks for the > address > of the TFTP server, simply assaign that address to your system and ping > the cable modem on its management address (usually 192.168.100.1). It > will > then connect to your machine to download the TFTP configuration file. > > This is known to work on the following models: > Motorola (all models) > 3Com Sharkfin > Toshiba PCX 1100 > > This is known to NOT work on these models: > RCA DCM235 > 3Com CMX > > > > Copyright: > If you're redistributing this, keep it intact. > (c) 2002 Matthew S. Hallacy -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQA8hO+VBOGVGcv6DNwRAnATAJ41CA57cwrv71e3qhTzVFv2Pz6j0QCgonV7 TPZfyZ+m7eZX3oHeZ3YhT9E= =fFbZ -----END PGP SIGNATURE-----