[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] RoadRunner Ambit U10C019 CableModem Exploit

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] RoadRunner Ambit U10C019 CableModem Exploit
From: Harry Strongburg <harry.fd@xxxxxxxx>
Date: Tue, 10 Aug 2010 21:15:39 +0000

Hello. This is the introduction to a large-scale RoadRunner Cable-Router 
exploit on the Ambit U10C019 CableModem.

Basically, the default Cable Router that RoadRunner/TimeWarner gives to its 
customers by default:
 1) Allows for remote login with user: admin, password: cableroot.
 2) Allows remote access by default. (port 64623 for telnet, port 64680 for 
webui)

Devices affected:
Ambit U10C019 CableModem
Boot code revision : 2.1.6d
Hardware revision : 4.10
Software revision : 5.66.1026
Software build time : Feb 26 2009 12:53:26


Example for scanning the RoadRunner IP ranges:
nmap -PN -T5 --open -p64623 -n -P0 --max-retries 0 --host-timeout 5s -iL rr.lst 
>> nmap.log; cat nmap.log | grep -B 3 open > open.log

Torrent of files related to this disclosure at 
https://thepiratebay.org/torrent/5753559/
Contained in this archive contains:
 rr.lst - list of RoadRunner CIDR blocks.
 open-cleaned.txt - my initial scan of the ranges to see a rough estimate of 
number of affected devices.
 readme.txt - this file..
(You can also DDL it at http://harry.lu/files/torrents/rr-ambit-fd.tar.gz; I 
prfer you use the torrent option to save my bandwidth).


This hole appears to have been patched with a firmware update:

$ telnet device.ip 64623
Trying device.ip...
Connected to device.ip.
Escape character is '^]'.
Connection closed by foreign host.

$ curl -vvv 24.172.42.225:64680
* About to connect() to device.ip port 64680 (#0)
*   Trying device.ip... connected
* Connected to device.ip (device.ip) port 64680 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-unknown-linux-gnu) libcurl/7.21.0 
> OpenSSL/1.0.0a zlib/1.2.5
> Host: device.ip:64680
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host device.ip left intact
curl: (52) Empty reply from server
* Closing connection #0


I use the phrase "appears", as I am unsure. Michael O'Donnel at Road Runner, 
who is the Chief of Security (if I recall correctly), said he would work 
on it. Later, I did not receive much more contact after the *8 weeks of time* 
after I contacted them. Recent attempts to contact Michael via leaving 
a voicemail got no reply. (Maybe I shouldn't have been so polite in my 
disclosure to them, if they don't even bother to contact me when it's fixed?)



Keep safe.
--
Harry Strongburg <harry.fd at harry.lu>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Reliable reports on attacks on medical software and IT-systems available?
Next by Date: [Full-disclosure] iDefense Security Advisory 08.10.10: Microsoft Word RTF File Parsing Heap Buffer Overflow Vulnerability
Previous by thread: [Full-disclosure] ZDI-10-149: Adobe Flash Player LocalConnection Memory Corruption Remote Code Execution Vulnerability
Next by thread: [Full-disclosure] iDefense Security Advisory 08.10.10: Microsoft Word RTF File Parsing Heap Buffer Overflow Vulnerability
Index(es):
- Date
- Thread