|
Brought to you by:
Suppliers of:
|
|
|
| |
| It is possible for an end-user to feed the Com21's cable modem with its own configuration file, and thus, specifying the number of CPE, download/upload speeds, and a few other options. |
| |
Credit:
The information has been provided by David Lagani?re.
|
| |
Vulnerable systems:
* Com21 DOXport 1110 cable modems with software version 2.1.1.106
Immune systems:
* Com21 DOXport 1110 cable modems with software version 2.1.1.108.003
With a given program, an end-user is able to create cable modem configuration files following the DOCSIS standard. With a vulnerable Com21 cable modem, the user can create a TFTP, DCHP and BOOTP server to successfully feed the cable modem with its own configuration file. David used a program called docsis to first create the configuration file.
Then, David used tcpdump to capture packets from the wire to discover what boot options were required for his cable modem. David also used an SNMP client to discover the internal IP of his cable modem from the main router. Knowing this, David was also able to view the cable modem web page as well as change SNMP options.
With all this load of information, David created a DHCP server (David also added an IP alias to his Ethernet card so that it could give the internal IP to the cable modem), a BOOTP server and finally a TFTP server. After a couple of hard reboots of his cable modem, David could see in his TFTP server logs that the device downloaded its configuration file from his server. David then tried to access the Internet and it worked as normally.
Solution:
Upgrading the software to version 2.1.1.108.003 or any other software version that is not vulnerable.
|
|
|
|
|
