From: Matthew S. Hallacy [poptix@techmonkeys.org]
Sent: Monday, March 11, 2002 10:55 PM
To: vuln-dev@securityfocus.com
Subject: DOCSIS vulnerability

Hi,

Apparently this isn't bugtraq worthy (my posts weren't rejected, they were simply
deleted), so I'll send it here.

---

Pre-ramble:

	I've been debating this for a while, but now I'm sufficiently
agitated by dishonest cable ISP's to post it.

Background:

	DOCSIS was created to be a standard for data over cable systems so
that a cable modem that worked on one system would work just as well on the
next, this brings down hardware costs, as well as training costs. Basicly
you plug the cable modem in, it acquires a data path to the ISP's hardware,
and sends a BOOTP request. The BOOTP reply that it recieves contains a few
items, a syslog server, a tftp server, a time server, and a config file to
download from the TFTP server. Until now everyone has claimed that it's
impossible to disrupt this, 6 months ago I found a way to.

Ramifications:

Everything from 'uncapping' your cable modem to being able to destroy
the cable network you're connected to, this is how cable companies
rate limit their customers, it's how they keep their customers
DHCP servers from replying to DHCP requests from other customers,
it's also how they block everything from netbios to web servers.
this is also the method used to restrict customers to a certain
number of IP addresses.

Details:

It's a simple attack, while the modem is booting it looks for the address
of the TFTP server, simply assaign that address to your system and ping
the cable modem on its management address (usually 192.168.100.1). It will
then connect to your machine to download the TFTP configuration file.

This is known to work on the following models:
Motorola (all models)
3Com Sharkfin
Toshiba PCX 1100

This is known to NOT work on these models:
RCA DCM235
3Com CMX



Copyright:
If you're redistributing this, keep it intact.
(c) 2002 Matthew S. Hallacy