KSR[T] Security Advisories
http://www.ksrt.org

Contact Account: ksrt@ksrt.org
Advisory Subscription: Send an empty message to: ksrt-advisories-subscribe@ksrt.org

----

KSR[T] Advisory #012
Date: Oct. 6 1999
ID #: hybr-hsmp-012
Affected Program: Hybrid Network's Cable Modems
Author: David Goldsmith

Summary:

Remote attackers can anonymously reconfigure any Hybrid Network's cable modem that is running HSMP. This can be used to steal information and login/password pairs from cable modem users.

Problem Description:

Hybrid Network's cable modems can be configured via a UDP based protocol called HSMP. This protocol does not require any authentication to perform configuration requests. Since the source address of a UDP datagram is easily spoofed, configuration changes can be made anonymously.

Compromise:

There are a plethora of denial of service attacks involving bad configuration settings (e.g. Ethernet interfaces set to non-routable IP addresses). HSMP can also be used to configure the DNS servers used by cable modem users, allowing attackers to redirect cable modem subscribers to a trojan site. More complex and theoretical attacks could involve the running of actual code through the debugging interface. This might allow remote attackers to deploy Ethernet sniffers on the cable modem.

Notes:

KSR[T] found this vulnerability in parallel with Paul S. Cosis and the l0pht. We would like to thank them for their input to this advisory.

Patch/Fix:

Cable providers should block HSMP traffic (7777/udp) on their firewalls. Note that this only stops traffic that crosses the firewall; because the protocol itself performs no authentication, any host that can still reach a modem on 7777/udp can reconfigure it.

Links:

KSR[T] had initially written a demonstration HSMP client which is located at:
http://www.ksrt.org/ksrt-hsmp.tar.gz

There is also another HSMP client located at:
http://www.larsshack.org/sw/ccm/

l0pht modified the above client and added the ability to spoof the source address, allowing for the anonymous reconfiguration of Hybrid cable modems. Their client is located at:
http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz
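The following is an added example, not code from the KSR[T] advisory or from any of the HSMP clients it links to. It models the advisory's fix as an ingress-filter check: HSMP (7777/udp) is accepted only from the provider's management network, and, because the attack depends on forged UDP source addresses, packets arriving from the Internet with an internal source address are dropped as well. The interface names ("ext", "mgmt", "sub"), the address ranges and the flow records are constructed assumptions for illustration; a real provider would substitute its own.

```python
# Added example, not part of the KSR[T] advisory: an ingress-filter check
# modelled on the advisory's fix (block 7777/udp at the provider's firewall),
# with an anti-spoofing rule because the attack relies on forged UDP sources.
# The interface names, address ranges and flow records below are constructed
# assumptions for illustration.
import ipaddress
from collections import Counter
from dataclasses import dataclass

HSMP_PORT = 7777  # HSMP control port from the advisory (7777/udp)

# Assumed provider layout (not from the advisory): modems are managed from
# MANAGEMENT_NET via the "mgmt" interface; subscribers sit in SUBSCRIBER_NET
# behind the "sub" interface; "ext" faces the Internet.
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/24")
SUBSCRIBER_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NETS = (MANAGEMENT_NET, SUBSCRIBER_NET)


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet arrived on
    proto: str   # "udp" or "tcp"
    src: str     # source IP as seen on the wire
    dst: str     # destination IP
    dport: int   # destination port


def ingress_verdict(flow: Flow) -> str:
    """Return the firewall verdict for one inbound flow record."""
    src = ipaddress.ip_address(flow.src)

    # Anti-spoofing: nothing arriving from the Internet may claim an internal
    # source address. This is what stops a remote attacker from forging a
    # management-station source on an HSMP request.
    if flow.iface == "ext" and any(src in net for net in INTERNAL_NETS):
        return "DROP spoofed-source"

    # The advisory's fix: HSMP only from the management network, on the
    # management interface. Everything else to 7777/udp is dropped, including
    # subscriber-to-subscriber traffic, since HSMP itself authenticates nothing.
    if flow.proto == "udp" and flow.dport == HSMP_PORT:
        if flow.iface == "mgmt" and src in MANAGEMENT_NET:
            return "ACCEPT hsmp-from-management"
        return "DROP hsmp"

    return "ACCEPT"


def summarize(flows) -> dict:
    """Count verdicts over a batch of flow records."""
    return dict(Counter(ingress_verdict(f) for f in flows))


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("ext", "udp", "203.0.113.5", "192.0.2.10", 7777),   # Internet -> modem HSMP
    Flow("ext", "udp", "10.10.0.3", "192.0.2.10", 7777),     # forged management source
    Flow("mgmt", "udp", "10.10.0.3", "192.0.2.10", 7777),    # legitimate provisioning
    Flow("sub", "udp", "192.0.2.44", "192.0.2.10", 7777),    # neighbour on the cable segment
    Flow("ext", "tcp", "203.0.113.5", "192.0.2.10", 80),     # unrelated web traffic
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.iface:4} {f.proto} {f.src:>14} -> {f.dst}:{f.dport}  {ingress_verdict(f)}")
    print(summarize(SAMPLE_FLOWS))
```

The two rules are deliberately independent: the port block alone would still let an attacker who can inject traffic on the management side (or on the subscriber segment, if modems answer HSMP there) forge a request, and the anti-spoofing rule alone would still let unforged Internet hosts reach 7777/udp. Applying both at the edge is the minimum; it does not change the fact that the protocol accepts configuration from anyone who can reach it.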