Remote attackers can anonymously reconfigure any Hybrid Network's cable modem running HSMP.
fba4ceed238aa38474d25bcca294b76bebb7bd9fcfa00c44645e0dc301832253
KSR[T] Security Advisories http://www.ksrt.org
Contact Account: ksrt@ksrt.org
Advisory Subscription: Send an empty message to:
ksrt-advisories-subscribe@ksrt.org
----
KSR[T] Advisory #012
Date: Oct. 6 1999
ID #: hybr-hsmp-012
Affected Program: Hybrid Network's Cable Modems
Author: David Goldsmith <dhg@ksrt.org>
Summary: Remote attackers can anonymously reconfigure any
Hybrid Network's cable modem that is running HSMP.
This can be used to steal information and
login/password pairs from cable modem users.
Problem Description: Hybrid Network's cable modems can be configured via
a UDP based protocol called HSMP. This protocol
does not require any authentication to perform
configuration requests. Since UDP is easily spoofed,
configuration changes can made anonymously.
Compromise: There are a plethora of denial of services attacks
involving bad configuration settings (ethernet
interfaces set to non-routable IP addresses, et al).
HSMP can also be used to configure the DNS servers
used by cable modem users, allowing attackers to
redirect cable modem subscribers to a trojan site.
More complex and theoretical attacks could involve
the running of actual code through the debugging
interface. This might allow remote attackers to
deploy ethernet sniffers on the cable modem.
Notes: KSR[T] found this vulnerability in parallel with
Paul S. Cosis <sili@l0pht.com> and the l0pht. We
would like to thank them for their input to this
advisory.
Patch/Fix: Cable providers should block out HSMP traffic
(7777/udp) on their firewalls.
Links: KSR[T] had initially written a demonstration
HSMP client which is located at:
http://www.ksrt.org/ksrt-hsmp.tar.gz
There is also another HSMP client located at:
http://www.larsshack.org/sw/ccm/
l0pht modified the above client and added
the ability to spoof the source address, allowing
for the anonymous reconfiguration of Hybrid cable
modems). Their client is located at:
http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz