Remote attackers can anonymously reconfigure any Hybrid Network's cable modem that is running HSMP. This can be used to steal information and login/password pairs from cable modem users.
Credit:
This vulnerability was discovered by David Goldsmith of KSR[T].
Hybrid Network's cable modems can be configured via a UDP-based protocol called HSMP. This protocol does not require any authentication to perform configuration requests. Since the source address of a UDP packet can be spoofed trivially, configuration changes can be made anonymously.
Compromise:
There is a plethora of denial-of-service attacks involving bad configuration settings (Ethernet interfaces set to non-routable IP addresses, etc.). HSMP can also be used to configure the DNS servers used by cable modem users, allowing attackers to redirect cable modem subscribers to a Trojan site (this is called DNS spoofing).
More complex and theoretical attacks can involve the running of actual code through the debugging interface. This allows remote attackers to deploy Ethernet sniffers on the cable modem.
Solution:
Cable providers should block out HSMP traffic (7777/udp) on their firewalls.
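One way to check that the block is effective, as an added example that is not part of the original advisory: the Python below scans flow records for HSMP (7777/udp) traffic reaching the modem subnet and flags anything not sent by the provisioning station. The interface names, address ranges, record format and sample records are assumptions constructed for illustration.

```python
import csv
import ipaddress

HSMP_PORT = 7777  # HSMP port given in the advisory (7777/udp)

# Assumptions for this example (not from the advisory):
SUBSCRIBER_NET = ipaddress.ip_network("198.51.100.0/24")  # cable modem subnet
MGMT_HOSTS = {ipaddress.ip_address("192.0.2.10")}         # provisioning station
EXTERNAL_IFACE = "wan0"                                   # Internet-facing interface

# Constructed sample flow records: time,ingress_iface,src,dst,proto,dport
SAMPLE_FLOWS = """\
2024-01-01T00:00:01Z,lan0,192.0.2.10,198.51.100.20,udp,7777
2024-01-01T00:00:02Z,wan0,203.0.113.5,198.51.100.20,udp,7777
2024-01-01T00:00:03Z,wan0,192.0.2.10,198.51.100.21,udp,7777
2024-01-01T00:00:04Z,lan0,198.51.100.33,198.51.100.21,udp,7777
2024-01-01T00:00:05Z,wan0,203.0.113.5,198.51.100.20,udp,53
2024-01-01T00:00:06Z,wan0,203.0.113.9,198.51.100.22,tcp,7777
"""

def classify(iface, src, dst, proto, dport):
    """Return a verdict for one flow, or None if it is not HSMP to a modem."""
    if proto.lower() != "udp" or int(dport) != HSMP_PORT:
        return None
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in SUBSCRIBER_NET:
        return None
    internal_src = src_ip in MGMT_HOSTS or src_ip in SUBSCRIBER_NET
    if iface == EXTERNAL_IFACE:
        # An internal source address on the external interface cannot be genuine.
        return "spoofed-internal-source" if internal_src else "external-hsmp"
    # HSMP has no authentication, so only the provisioning station is expected.
    return "allowed" if src_ip in MGMT_HOSTS else "unexpected-internal-source"

def find_alerts(flow_text):
    """Return (timestamp, src, dst, verdict) for every HSMP flow not allowed."""
    alerts = []
    for ts, iface, src, dst, proto, dport in csv.reader(flow_text.splitlines()):
        verdict = classify(iface, src, dst, proto, dport)
        if verdict not in (None, "allowed"):
            alerts.append((ts, src, dst, verdict))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(*alert)
```

Any "external-hsmp" or "spoofed-internal-source" record means 7777/udp is still crossing the perimeter and the firewall rule needs attention.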
Exploit programs:
KSR[T] had initially written a demonstration HSMP client which is located at:
http://www.ksrt.org/ksrt-hsmp.tar.gz
There is also another HSMP client located at:
http://www.larsshack.org/sw/ccm/
l0pht modified the above client and added the ability to spoof the source address (allowing for the anonymous reconfiguration of Hybrid cable modems). Their client is located at:
http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz