30th Nov 1999 [SBWID-2045]
COMMAND
	    CMX
SYSTEMS AFFECTED
	    3COM CMX
PROBLEM
	    The text below is not a bug, but a kind of security issue. Enjoy.
	    Signal 11 posted the following. The 3Com external cablemodem (CMX)
	    allows the upstream provider to download firmware updates into
	    your cablemodem. This can be (and usually is) done without the
	    user's knowledge, and it took some digging to uncover this
	    "feature". The cable modem can also be reprogrammed via a
	    serial port in back.
	    The ability to download firmware updates remotely into a cable
	    modem is a DOCSIS requirement (www.cablelabs.com). The process
	    is supposed to be quite automatic and seamless to the user. It
	    usually takes place by the cable operator forcing the modems to
	    re-register. When a DOCSIS modem tries to register, it sends an
	    ARP request which the CMTS (cable modem termination system, i.e.
	    cable router) forwards to a DHCP server defined on the CMTS. The
	    DHCP server replies with an offer, the cablemodem hopefully gets it,
	    then it asks for a configuration file from the TFTP server
	    (defined in the ARP response). The config file has a field about
	    the latest firmware revision. So, if you can fake out a modem
	    with a rogue DHCP server and provide your own configuration
	    files, then you might possibly be able to upload rogue code to
	    the modem.
	    Cable operators are supposed to: assign private IPs to the modem,
	    configure trusted IPs for telnet access (not all DOCSIS modems
	    have a telnet daemon), and disable the serial interface.
	    The modem authenticates the headend through the negotiation phase
	    of the boot process of the modem. The modem scans the downstream
	    frequency channel (usually >450 MHz) until it finds a 6 MHz wide
	    QAM (256 or 64) signature. Encoded within the QAM modulation is
	    the information for the upstream channels (channel ID, freq, freq
	    width, etc). The modem then ranges with the CMTS to configure
	    the power level. Once the modem is ranged, it goes through a
	    DHCP/TFTP sequence. The modem then downloads its configuration
	    options from a file stored on a TFTP server.
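	    An added example, not part of the original advisory: a monitoring
	    check for the rogue DHCP server case described above, which parses
	    a DHCP reply and flags a DHCP server or TFTP server outside an
	    operator allowlist. Field offsets follow RFC 2131; the function
	    names, addresses and file names are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
OFFER, ACK = 2, 5                     # option 53 values a server sends to a client

def parse_reply(payload):
    """Extract the provisioning fields from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = {"msg_type": None, "server_id": None,
              "tftp_server": socket.inet_ntoa(payload[20:24]),          # siaddr
              "config_file": payload[108:236].split(b"\0", 1)[0].decode("ascii", "replace")}
    i = 240
    while i < len(payload) and payload[i] != 255:       # 255 = end of options
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:                  # DHCP message type
            fields["msg_type"] = data[0]
        elif code == 54 and length == 4:                # server identifier
            fields["server_id"] = socket.inet_ntoa(data)
        i += 2 + length
    return fields

def audit_reply(payload, trusted_dhcp, trusted_tftp):
    """Return findings for an OFFER/ACK that names a server outside the allowlists."""
    f = parse_reply(payload)
    findings = []
    if f["msg_type"] not in (OFFER, ACK):
        return findings                                 # client messages are ignored
    if f["server_id"] not in trusted_dhcp:
        findings.append("untrusted DHCP server %s" % f["server_id"])
    if f["tftp_server"] not in trusted_tftp:
        findings.append("untrusted TFTP server %s (file %r)"
                        % (f["tftp_server"], f["config_file"]))
    return findings

def build_reply(msg_type, server_id, tftp, config_file):
    """Constructed sample reply for exercising the check; not captured traffic."""
    fixed = struct.pack("!4B I 2H 4s 4s 4s 4s 16s 64s 128s", 2, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, socket.inet_aton("10.0.0.50"), socket.inet_aton(tftp),
                        b"\0" * 4, b"\0" * 16, b"", config_file.encode())
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_id) + b"\xff"
    return fixed + MAGIC_COOKIE + opts
```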
SOLUTION
	    The 3Com CMX has a read-only serial console. Modems like the
	    ubr900 series (904 and 924) contain read/write consoles (but
	    passwords may be set). If you purchase the modem from a vendor
	    (not your ISP), then there are not any passwords. If you get it
	    from your ISP (and they are worth their salt), it will come with
	    a password on it.
	    3Com has plenty of info about their cable modems on their site:
	
	        http://www.3com.com/products/cablemodem/
	
	    In fact, they even have the manuals:
	
	        http://consumer.3com.com/cable/manual/index.html
	
	    This so-called "firmware" is uploaded to your cable modem by your
	    cable provider with the intent to provide you the latest features
	    or bug patches. This procedure is usually done via SNMP. So,
	    one must be careful.
	
