Received: from swilnts850.wil.fusa.com ([168.118.4.215]) by swilnts807.wil.fusa.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2654.52) id 1NFR6CMT; Wed, 6 Feb 2002 12:22:06 -0500
Received: from smtpproxy1.ext.fusa.com (unverified) by swilnts850.wil.fusa.com (Content Technologies SMTPRS 4.2.5) with ESMTP id for ; Wed, 6 Feb 2002 12:22:05 -0500
Received: from outgoing.securityfocus.com (outgoing2.securityfocus.com [66.38.151.26]) by smtpproxy1.ext.fusa.com (Switch-2.1.0/Switch-2.1.0) with ESMTP id g16HKfZ16433 for ; Wed, 6 Feb 2002 12:20:41 -0500 (EST)
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id 9F4DB8F33C; Wed, 6 Feb 2002 10:02:56 -0700 (MST)
Mailing-List: contact vuln-dev-help@securityfocus.com; run by ezmlm
Precedence: bulk
Delivered-To: mailing list vuln-dev@securityfocus.com
Delivered-To: moderator for vuln-dev@securityfocus.com
Received: (qmail 9489 invoked from network); 6 Feb 2002 07:19:54 -0000
Message-ID: <45950.24.247.24.39.1012980022.squirrel@webmail.gotclue.org>
Date: Wed, 6 Feb 2002 02:20:22 -0500 (EST)
Subject: Re: changing your @home IP address... could you take a bunch of
From: "Michael R. Rudel"
To:
X-Priority: 3
Importance: Normal
X-MSMail-Priority: Normal
X-Mailer: SquirrelMail (version 1.2.4)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso_8859_1
Content-Transfer-Encoding: 8bit

This was accidentally sent to Bugtraq. :)

Russell Handorf said:
> As for current hacks for cable modems, there are a few that I have
> discovered specifically with comcast.net
>
> However this cannot be disclosed at this time. I will post it at a
> later date.
>
> Russ
>

Well, just to describe to some people who may not know, let me try and describe the boot-up process of a cable modem, to the best of my knowledge. I could be wrong here; if I am, feel free to correct me.
As the cable modem boots up, it links up via the coax link, blah blah. It then DHCPs itself a private, non-routable 10.x.x.x address from a DHCP server. At this point it TFTPs a configuration file from a TFTP server (also with a 10.x.x.x address) inside the network. The TFTP server hands this file out based on MAC address (of the modem), and this file is what contains the upload/download caps. This 10.x.x.x private address is also what is used to set the SNMP parameters on the modem, such as caps, passwords, etc.

I've been playing around with Charter's network, and found some interesting things that you can do with the 10.x.x.x addresses. For example, anything I send out is routed through one of these private addresses. I can ping, telnet, etc. to that 10.x.x.x address, as well as others.. this means that the modem (specifically my Motorola Surfboard) is routing those addresses via the ethernet port.

The SNMP feature of the modems is also pretty cool - the cable company can do things like power cycle your modem, etc., all with SNMP. If you could somehow sniff some of these SNMP packets and figure out the private community name, again, you'd probably be home free...

Now, follow me here. I have several servers in my house for development purposes. Among them, FreeBSD, Linux and NetWare machines. Currently, I have a NetWare 6 machine doing NAT for my home network. What I am about to say is NOT specific to NetWare, as I've done it with the other OSes: NOTHING is stopping me from grabbing as many IP addresses as I want. I can just assign them as secondaries/aliases/whatevers to the NIC that is connected to the modem. They do nothing to stop this. In fact, they seem to encourage it: their DHCP server will ping addresses to make sure they are inactive before handing them out. This means if you claim an unleased address, it's yours for good.

Now.. here's an interesting question. What's to keep me from taking the IP address of.. say, the default gateway?
Or the DHCP server (EITHER the 10.x.x.x one or the public one that assigns IPs to workstations)? Or the DNS server? Or even that 10.x.x.x TFTP server? This seems like a pretty big vulnerability.. one that could cause a DoS on a large scale. Or even on a smaller scale, what's to keep me from taking my neighbor's MAC address? Nothing is...

If the cable company is smart, they'll have static ARP entries for all the important things like DNS servers, gateways, etc. etc. But.. Charter, at least, doesn't. Or didn't as of a few months ago when I tested this theory.

I've kept my mouth shut about this but since others have brought up the thread, I thought I'd put my .02 cents in.

Another interesting tidbit: if you have a Motorola Surfboard, go to http://192.168.100.1 in your browser. ;)

- mrr

Michael R. Rudel * mrr@gotclue.org * 734.417.4859 * www.gotclue.org
Technician, Pinckney Community Schools * mrr@pcs.k12.mi.us
Principal Engineer, Michael R. Rudel Consulting * mrr@mrrconsulting.net
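Added example, not part of the post above or of any operator's tooling: the check a cable operator (or a curious subscriber with a sniffer) could run against the two abuses Rudel describes, one host answering ARP for an infrastructure address such as the gateway or TFTP server, and one MAC claiming a whole pile of addresses. The ARP records, addresses and the "gateway"/"tftp" roles in CRITICAL are constructed for the example, not a real capture from Charter or anyone else.

```python
"""Flag IP addresses whose answering MAC changes in ARP traffic, and MACs
that answer for many IPs. Added example; the records below are constructed
in tcpdump's 'arp reply <ip> is-at <mac>' style, not a real capture."""
from collections import defaultdict
import ipaddress

# Constructed sample: .1 is assumed to be the subscriber gateway, 10.0.0.5 the
# modem-side TFTP server, and 00:20:40:cc:dd:39 a single subscriber host.
SAMPLE_ARP = """\
12:01:01.000 arp reply 24.247.24.1 is-at 00:10:7b:aa:bb:01
12:01:02.000 arp reply 24.247.24.39 is-at 00:20:40:cc:dd:39
12:01:03.000 arp reply 10.0.0.5 is-at 00:01:02:ee:ff:05
12:01:10.000 arp reply 24.247.24.1 is-at 00:20:40:cc:dd:39
12:01:11.000 arp reply 24.247.24.40 is-at 00:20:40:cc:dd:39
12:01:12.000 arp reply 10.0.0.5 is-at 00:20:40:cc:dd:39
12:01:13.000 arp reply 24.247.24.40 is-at 00:20:40:cc:dd:40
"""

# Addresses an operator would pin with static ARP entries (assumed roles).
CRITICAL = {"24.247.24.1": "gateway", "10.0.0.5": "tftp"}


def parse_arp_replies(text):
    """Yield (ip, mac) for each 'arp reply <ip> is-at <mac>' line; other
    lines (requests, noise) are ignored, malformed IPs raise ValueError."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[1:3] == ["arp", "reply"] and fields[4] == "is-at":
            ipaddress.ip_address(fields[3])
            yield fields[3], fields[5].lower()


def find_conflicts(text, critical=CRITICAL):
    """Return (ip, old_mac, new_mac, severity) for every IP whose answering
    MAC changes, in capture order. Infrastructure addresses are 'high';
    a takeover of a plain subscriber address is 'low'."""
    seen = {}
    conflicts = []
    for ip, mac in parse_arp_replies(text):
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            conflicts.append((ip, prev, mac, "high" if ip in critical else "low"))
        seen[ip] = mac
    return conflicts


def macs_claiming_multiple_ips(text, threshold=2):
    """Return {mac: sorted ips} for MACs answering for >= threshold addresses,
    i.e. the 'grab as many IPs as you want' aliasing trick."""
    claims = defaultdict(set)
    for ip, mac in parse_arp_replies(text):
        claims[mac].add(ip)
    return {m: sorted(ips) for m, ips in claims.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for ip, old, new, sev in find_conflicts(SAMPLE_ARP):
        print(f"[{sev}] {ip} ({CRITICAL.get(ip, 'host')}) moved from {old} to {new}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

Run against the sample it reports both infrastructure takeovers as high, the neighbour's address moving as low, and the one MAC holding four addresses. The "last MAC wins" tracking is deliberate: it mirrors what a host's ARP cache does, so a flagged change is exactly the moment the rest of the segment would start sending gateway traffic to the wrong box. A static ARP entry for the critical addresses is the fix the post suggests; this script only tells you when you needed one.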