KSR[T] Security Advisories http://www.ksrt.org
Contact Account:           ksrt@ksrt.org
Advisory Subscription:     Send an empty message to:
                           ksrt-advisories-subscribe@ksrt.org
----

                                                  KSR[T] Advisory #012
                                                  Date:  Oct.  6  1999
                                                  ID #:  hybr-hsmp-012

Affected Program:    Hybrid Network's Cable Modems

Author:              David Goldsmith <dhg@ksrt.org>

Summary:             Remote attackers can anonymously reconfigure any
                     Hybrid Network's cable modem that is running HSMP.
                     This can be used to steal information and
                     login/password pairs from cable modem users.

Problem Description: Hybrid Network's cable modems can be configured via
                     a UDP based protocol called HSMP.  This protocol
                     does not require any authentication to perform
                     configuration requests.  Since UDP is easily spoofed,
                     configuration changes can made anonymously.

Compromise:          There are a plethora of denial of services attacks
                     involving bad configuration settings (ethernet
                     interfaces set to non-routable IP addresses, et al).
                     HSMP can also be used to configure the DNS servers
                     used by cable modem users, allowing attackers to
                     redirect cable modem subscribers to a trojan site.

                     More complex and theoretical attacks could involve
                     the running of actual code through the debugging
                     interface.  This might allow remote attackers to
                     deploy ethernet sniffers on the cable modem.

Notes:               KSR[T] found this vulnerability in parallel with
                     Paul S. Cosis <sili@l0pht.com> and the l0pht.  We
                     would like to thank them for their input to this
                     advisory.

Patch/Fix:           Cable providers should block out HSMP traffic
                     (7777/udp) on their firewalls.

Links:               KSR[T] had initially written a demonstration
                     HSMP client which is located at:

                     http://www.ksrt.org/ksrt-hsmp.tar.gz

                     There is also another HSMP client located at:

                     http://www.larsshack.org/sw/ccm/

                     l0pht modified the above client and added
                     the ability to spoof the source address, allowing
                     for the anonymous reconfiguration of Hybrid cable
                     modems). Their client is located at:

                     http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz